EXPLORE
Sign In
← Back to Explore
sigmalowHunting

Potential File Override/Append Via SET Command

Detects the use of the "SET" internal command of Cmd.EXE with the /p flag followed directly by an "=" sign. Attackers used this technique along with an append redirection operator ">>" in order to update the content of a file indirectly. Ex: cmd /c >> example.txt set /p="test data". This will append "test data" to contents of "example.txt". The typical use case of the "set /p=" command is to prompt the user for input.

Detection Query

selection_img:
  - Image|endswith: \cmd.exe
  - OriginalFileName: Cmd.Exe
selection_cli:
  CommandLine|contains:
    - /c set /p=
    - '"set /p='
    - ">>*set /p="
condition: all of selection_*

Author

Nasreddine Bencherchali (Nextron Systems), MahirAli Khan (in/mahiralikhan)

Created

2024-08-22

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.executionattack.defense-evasiondetection.threat-hunting
Raw Content
title: Potential File Override/Append Via SET Command
id: 65e4c134-ee52-4099-9e35-5e17a4b45c62
status: test
description: |
    Detects the use of the "SET" internal command of Cmd.EXE with the /p flag followed directly by an "=" sign.
    Attackers used this technique along with an append redirection operator ">>" in order to update the content of a file indirectly.
    Ex: cmd /c >> example.txt set /p="test data". This will append "test data" to contents of "example.txt".
    The typical use case of the "set /p=" command is to prompt the user for input.
references:
    - https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1
    - https://ss64.com/nt/set.html
author: Nasreddine Bencherchali (Nextron Systems), MahirAli Khan (in/mahiralikhan)
date: 2024-08-22
tags:
    - attack.execution
    - attack.defense-evasion
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli:
        CommandLine|contains:
            - '/c set /p='
            - '"set /p='
            - '>>*set /p=' # To catch edge cases where the attacker passes it via a "cmd /c"
    condition: all of selection_*
falsepositives:
    - Legitimate use of the SET with the "/p" flag for user prompting. command in administrative scripts or user-generated scripts.
level: low