← Back to Explore
sigmahighHunting
Potential CommandLine Path Traversal Via Cmd.EXE
Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
Detection Query
selection_img:
- ParentImage|endswith: \cmd.exe
- Image|endswith: \cmd.exe
- OriginalFileName: cmd.exe
selection_flags:
- ParentCommandLine|contains:
- /c
- /k
- /r
- CommandLine|contains:
- /c
- /k
- /r
selection_path_traversal:
- ParentCommandLine: /../../
- CommandLine|contains: /../../
filter_java:
CommandLine|contains: \Tasktop\keycloak\bin\/../../jre\bin\java
condition: all of selection_* and not 1 of filter_*
Author
xknow @xknow_infosec, Tim Shelton
Created
2020-06-11
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.executionattack.t1059.003
Raw Content
title: Potential CommandLine Path Traversal Via Cmd.EXE
id: 087790e3-3287-436c-bccf-cbd0184a7db1
status: test
description: Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
references:
- https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/
- https://twitter.com/Oddvarmoe/status/1270633613449723905
author: xknow @xknow_infosec, Tim Shelton
date: 2020-06-11
modified: 2023-03-06
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- ParentImage|endswith: '\cmd.exe'
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'cmd.exe'
selection_flags:
- ParentCommandLine|contains:
- '/c'
- '/k'
- '/r'
- CommandLine|contains:
- '/c'
- '/k'
- '/r'
selection_path_traversal:
- ParentCommandLine: '/../../'
- CommandLine|contains: '/../../'
filter_java:
CommandLine|contains: '\Tasktop\keycloak\bin\/../../jre\bin\java'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Java tools are known to produce false-positive when loading libraries
level: high