Query Details

Rule : Detection of cmd.exe Echo Pipe Commands

Getsystemelevation C Smetasploit

Query

DeviceProcessEvents
| where FileName == @"cmd.exe" and ProcessCommandLine has_all("echo", "pipe")

About this query

Rule : Detection of cmd.exe Echo Pipe Commands

Description

This detection rule identifies suspicious usage of the cmd.exe process executing commands that involve echo combined with a pipe (|). Attackers often use such techniques during post-exploitation to gain elevated privileges or to manipulate data streams on compromised systems. This method is associated with various offensive security activities, including the well-known getsystem technique for privilege escalation.

Monitoring command-line activities that combine echo and piping is important for detecting attempts to modify or redirect output, potentially aiding in data exfiltration or system tampering.

Detection Logic

  • Monitors DeviceProcessEvents for events where:
    • The FileName is cmd.exe, and
    • The ProcessCommandLine contains both "echo" and "pipe" operations.

Tags

  • cmd.exe Monitoring
  • Privilege Escalation
  • Offensive Security Tools
  • Suspicious Command-Line Activity
  • Threat Detection

Search Query

Explanation

Summary of the Query

Purpose:

The query is designed to detect suspicious activities involving the cmd.exe process, specifically when it executes commands that use echo combined with a pipe (|). This pattern is often used by attackers during post-exploitation to escalate privileges or manipulate data streams on compromised systems.

Key Points:

  • Target Process: cmd.exe
  • Suspicious Command: Usage of echo with a pipe (|)
  • Why It's Important: Such command-line activities can indicate attempts to modify or redirect output, which may be part of data exfiltration or system tampering efforts.

Detection Logic:

  • The query monitors DeviceProcessEvents for:
    • Events where the FileName is cmd.exe
    • The ProcessCommandLine includes both "echo" and "pipe"

Tags:

  • Monitoring of cmd.exe
  • Detecting privilege escalation attempts
  • Identifying the use of offensive security tools
  • Flagging suspicious command-line activities
  • Enhancing threat detection capabilities

Search Query in KQL:

DeviceProcessEvents
| where FileName == @"cmd.exe" and ProcessCommandLine has_all("echo", "pipe")

This query helps in identifying potentially malicious activities by focusing on specific command-line patterns that are commonly used in attacks.

Details

Ali Hussein profile picture

Ali Hussein

Released: August 27, 2024

Tables

DeviceProcessEvents

Keywords

Devices

Operators

|where==@andhas_all

Actions

GitHub