
Potential CommandLine Path Traversal Via Cmd.EXE

Summary
This rule detects potential path traversal through the Windows command interpreter, cmd.exe. Path traversal occurs when an attacker-controlled argument makes a command resolve to files or directories outside the path the calling program intended. With cmd.exe the concern is that a traversal sequence in its arguments can change which command or file is actually acted on, so a hit points to possible command or argument confusion or hijacking.

The rule inspects process creation events in which cmd.exe is either the process image or the parent process, and in which the command line carries one of the execution flags '/c', '/k' or '/r'. The indicator it keys on is the upward-traversal sequence '/../../' in that command line. Because the match is on that literal substring, a traversal written in any other form falls outside the rule as summarized here.

A filter suppresses matches from legitimate Java tool invocations, whose command lines can contain the same sequence and would otherwise trigger the rule.
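To make the conditions concrete, the following is an added example that re-implements the logic the summary describes and runs it over constructed process-creation events. It is illustrative code, not the Sigma rule itself or the project's own code. Field names follow the Sigma process_creation convention (Image, ParentImage, CommandLine, ParentCommandLine); the page does not give the exact string the Java filter uses, so JAVA_FILTER_MARKERS is an assumed stand-in, and the assumption that, when cmd.exe is the parent, the flag is looked for in the parent's command line is likewise mine.

```python
"""Added example: minimal re-implementation of the summarised detection logic.

Not the Sigma rule and not the project's code. Field names follow Sigma's
process_creation convention; JAVA_FILTER_MARKERS is an assumed stand-in for
the rule's Java false-positive filter, whose real string is not on the page.
"""
from dataclasses import dataclass
from typing import List

CMD_FLAGS = ("/c", "/k", "/r")   # execution flags named in the summary
TRAVERSAL = "/../../"            # upward-traversal sequence named in the summary
# Assumption: stand-in marker for "legitimate Java tool commands".
JAVA_FILTER_MARKERS = ("\\java\\bin\\java.exe",)


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str = ""
    parent_command_line: str = ""


def _is_cmd(image: str) -> bool:
    # Sigma 'endswith' semantics; case-insensitive like Sigma's default matching.
    return image.lower().endswith("\\cmd.exe")


def _has_cmd_flag(command_line: str) -> bool:
    # Plain substring match, as Sigma 'contains' does. Note '/c' also hits
    # '/config'; that looseness is inherent to the rule's own pattern.
    lower = command_line.lower()
    return any(flag in lower for flag in CMD_FLAGS)


def matches_rule(ev: ProcessEvent) -> bool:
    """True when the event meets the summarised conditions and no filter applies."""
    cmdline = ev.command_line.lower()
    # 1. The literal traversal sequence must appear in the process's own command line.
    if TRAVERSAL not in cmdline:
        return False
    # 2. cmd.exe is the image (flag in its own line) or the parent (assumption:
    #    flag then looked for in the parent's command line).
    cmd_is_image = _is_cmd(ev.image) and _has_cmd_flag(ev.command_line)
    cmd_is_parent = _is_cmd(ev.parent_image) and _has_cmd_flag(ev.parent_command_line)
    if not (cmd_is_image or cmd_is_parent):
        return False
    # 3. Suppress legitimate Java tool invocations (assumed marker, see docstring).
    if any(marker in cmdline for marker in JAVA_FILTER_MARKERS):
        return False
    return True


def scan(events: List[ProcessEvent]) -> List[int]:
    """Indices of the events that would raise an alert."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # 0: cmd.exe itself, /c flag, argument climbs out of the intended directory -> alert
    ProcessEvent(
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r'cmd.exe /c "C:\Temp\tool.exe/../../../../Windows/System32/calc.exe"',
        parent_image=r"C:\Apps\launcher.exe",
    ),
    # 1: child of a cmd.exe /c invocation, traversal in the child's own arguments -> alert
    ProcessEvent(
        image=r"C:\Windows\System32\calc.exe",
        command_line=r"C:/Temp/tool.exe/../../../../Windows/System32/calc.exe",
        parent_image=r"C:\Windows\System32\cmd.exe",
        parent_command_line=r'cmd.exe /c "C:\Temp\tool.exe/../../../../Windows/System32/calc.exe"',
    ),
    # 2: ordinary cmd.exe use, no traversal -> no alert
    ProcessEvent(image=r"C:\Windows\System32\cmd.exe", command_line=r"cmd.exe /c dir C:\Temp"),
    # 3: Java tool with a relative classpath containing '/../../' -> suppressed by the filter
    ProcessEvent(
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd.exe /c C:\Tools\Java\bin\java.exe -cp C:/Tools/../../lib/app.jar Main",
    ),
    # 4: traversal present but cmd.exe nowhere in the chain -> outside the rule's scope
    ProcessEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r"powershell.exe -c Get-Content C:/Data/../../secret.txt",
        parent_image=r"C:\Windows\explorer.exe",
    ),
]

if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i].command_line}")
```

Running the module flags events 0 and 1 only. Event 4 shows the rule's scope limit: the same traversal in a PowerShell command line is not covered, because cmd.exe appears neither as the image nor as the parent.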
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2020-06-11