WMI Execution with Command Line Redirection
Identifies command execution via WMI with redirected output. WMI provides a method to execute a process on a local or remote host, but does not expose a way to read the console output of that process. To work around this restriction, some administrators and attackers execute cmd.exe with its output redirected to a file, then retrieve the file to read the program output.
| Field | Value |
|---|---|
| id | 7c7f3114-7bdd-4477-a4e0-b5105b6babd8 |
| categories | detect |
| confidence | medium |
| os | windows |
| created | 12/04/2019 |
| updated | 12/04/2019 |
MITRE ATT&CK™ Mapping
| Field | Value |
|---|---|
| tactics | Collection |
| techniques | T1074 Data Staged |
Query

```eql
sequence by unique_pid with maxspan=5s
  [process where subtype.create and process_name == "cmd.exe" and command_line == "*>*" and
    descendant of [process where process_name == "wmiprvse.exe"]]
  [file where subtype.create and wildcard(file_name, "*.txt", "*.log")]
```
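The sequence above, re-implemented in plain Python over constructed process and file events so the two stages, the `descendant of` ancestry walk and the `maxspan` window can be exercised offline. This is an added example, not code from the original analytic library; the event dictionaries, field names (`unique_pid`, `unique_ppid`, `process_name`, `command_line`, `file_name`, `ts`) and the three sample scenarios are assumptions chosen to mirror the query, not real telemetry.

```python
from fnmatch import fnmatch

MAX_SPAN = 5.0  # seconds; mirrors maxspan=5s in the EQL query

def descends_from(upid, parents, names, ancestor):
    # Walk the parent chain of upid; True if any ancestor's image name matches.
    seen = set()
    while upid in parents and upid not in seen:
        seen.add(upid)
        upid = parents[upid]
        if names.get(upid) == ancestor:
            return True
    return False

def find_wmi_redirection(events):
    """Return (command_line, file_name) pairs that satisfy the two-stage sequence."""
    parents, names = {}, {}  # unique_pid -> unique_ppid / lower-cased image name
    pending = {}             # unique_pid -> stage-1 cmd.exe event awaiting its file
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        upid = ev["unique_pid"]
        if ev["event"] == "process":
            parents[upid] = ev["unique_ppid"]
            names[upid] = ev["process_name"].lower()
            # stage 1: cmd.exe with a '>' redirect, spawned somewhere under wmiprvse.exe
            if (names[upid] == "cmd.exe" and ">" in ev["command_line"]
                    and descends_from(upid, parents, names, "wmiprvse.exe")):
                pending[upid] = ev
        elif ev["event"] == "file" and upid in pending:
            first = pending[upid]
            if ev["ts"] - first["ts"] > MAX_SPAN:
                del pending[upid]  # window elapsed: the open sequence expires
            elif any(fnmatch(ev["file_name"].lower(), g) for g in ("*.txt", "*.log")):
                hits.append((first["command_line"], ev["file_name"]))
                del pending[upid]
    return hits

def proc(ts, upid, uppid, name, cmd):
    return {"event": "process", "ts": ts, "unique_pid": upid, "unique_ppid": uppid,
            "process_name": name, "command_line": cmd}

def fileev(ts, upid, name):
    return {"event": "file", "ts": ts, "unique_pid": upid, "file_name": name}

# Constructed sample telemetry (not real logs); timestamps are seconds.
SAMPLE_EVENTS = [
    proc(0.0, 100, 1, "WmiPrvSE.exe", "wmiprvse.exe -secured -Embedding"),
    proc(1.0, 200, 100, "cmd.exe", r"cmd.exe /c ipconfig /all > C:\Windows\Temp\out.txt"),
    fileev(1.5, 200, "out.txt"),   # hit: WMI descendant, redirect, .txt within 5 s
    proc(2.0, 300, 50, "cmd.exe", "cmd.exe /c dir > list.txt"),
    fileev(2.5, 300, "list.txt"),  # no hit: parent 50 is not under wmiprvse.exe
    proc(3.0, 400, 100, "cmd.exe", "cmd.exe /c ver > ver.log"),
    fileev(9.5, 400, "ver.log"),   # no hit: file arrives after maxspan
]
```

Running `find_wmi_redirection(SAMPLE_EVENTS)` yields only the first scenario; the interactive-shell case fails the ancestry check and the late file falls outside the window.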