← Back to Explore
sigmalowHunting
CMD Shell Output Redirect
Detects the use of the redirection character ">" to redirect information on the command line. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
Detection Query
selection_cmd:
- OriginalFileName: Cmd.Exe
- Image|endswith: \cmd.exe
selection_cli:
CommandLine|contains: ">"
filter_optional_idm_extension:
CommandLine|contains:
- C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe
- chrome-extension://
- \\.\pipe\chrome.nativeMessaging
condition: all of selection_* and not 1 of filter_optional_*
Author
frack113
Created
2022-01-22
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.discoveryattack.t1082detection.threat-hunting
Raw Content
title: CMD Shell Output Redirect
id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a
related:
- id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
type: similar
status: test
description: |
Detects the use of the redirection character ">" to redirect information on the command line.
This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
references:
- https://ss64.com/nt/syntax-redirection.html
author: frack113
date: 2022-01-22
modified: 2024-03-19
tags:
- attack.discovery
- attack.t1082
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_cmd:
- OriginalFileName: 'Cmd.Exe'
- Image|endswith: '\cmd.exe'
selection_cli:
CommandLine|contains: '>'
filter_optional_idm_extension:
CommandLine|contains:
- 'C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe'
- 'chrome-extension://'
- '\\.\pipe\chrome.nativeMessaging'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment
level: low