Automated Collection Command Prompt

Severity: medium
Author: frack113
Source: upstream

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1552.001` Unsecured Credentials: Credentials In Files
Collection	`T1119` Automated Collection

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `selection_ext`

or:
CommandLine|contains: .doc
CommandLine|contains: .docx
CommandLine|contains: .pdf
CommandLine|contains: .ppt
CommandLine|contains: .pptx
CommandLine|contains: .rtf
CommandLine|contains: .txt
CommandLine|contains: .xls
CommandLine|contains: .xlsx

Stage 2: `1 of selection_other_dir`

CommandLine|contains: ' /b '
CommandLine|contains: ' /s '
CommandLine|contains: 'dir '

Stage 3: `1 of selection_other_findstr`

or:
CommandLine|contains: ' /e '
CommandLine|contains: ' /si '
OriginalFileName: FINDSTR.EXE

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`/b` `/e` `/s` corpus 3 (sigma 3) `/si` `.doc` corpus 4 (sigma 4) `.docx` `.pdf` corpus 3 (sigma 3) `.ppt` corpus 4 (sigma 4) `.pptx` `.rtf` corpus 2 (sigma 2) `.txt` corpus 7 (sigma 7) `.xls` corpus 4 (sigma 4) `.xlsx` `dir` corpus 4 (sigma 4)
`OriginalFileName`	eq	`FINDSTR.EXE` corpus 10 (sigma 10)