Query Details

Getsystemelevation C Smetasploit

Query

# Rule : Detection of cmd.exe Echo Pipe Commands

## Description
This detection rule identifies suspicious usage of the `cmd.exe` process executing commands that involve `echo` combined with a pipe (`|`). Attackers often use such techniques during post-exploitation to gain elevated privileges or to manipulate data streams on compromised systems. This method is associated with various offensive security activities, including the well-known `getsystem` technique for privilege escalation.

Monitoring command-line activities that combine `echo` and piping is important for detecting attempts to modify or redirect output, potentially aiding in data exfiltration or system tampering.

- [Red Canary: Detecting Getsystem and Offensive Security Techniques](https://redcanary.com/blog/threat-detection/getsystem-offsec/)

## Detection Logic
- Monitors `DeviceProcessEvents` for events where:
  - The `FileName` is `cmd.exe` (exact, case-sensitive match with `==`), and
  - The `ProcessCommandLine` contains both the terms `echo` and `pipe` (`has_all` is a case-insensitive, whole-term match, so it fires on a named-pipe path such as `\\.\pipe\...` as used by `getsystem`, but not on the bare `|` character).
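To show exactly which command lines the rule matches, here is the same logic applied to a few constructed `DeviceProcessEvents` rows in Python. This is an added example, not part of the original rule; the term tokenisation is an approximation of how KQL `has_all` evaluates terms, and the sample events are made up.

```python
import re

# Constructed sample rows mimicking DeviceProcessEvents (not real telemetry).
SAMPLE_EVENTS = [
    # getsystem-style named-pipe command: contains the terms "echo" and "pipe"
    {"FileName": "cmd.exe",
     "ProcessCommandLine": r"cmd.exe /c echo abc123 > \\.\pipe\abc123"},
    # uses the "|" character but never the term "pipe": NOT matched by has_all
    {"FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c echo hello | findstr hello"},
    # right command line, wrong parent image: filtered out by FileName == "cmd.exe"
    {"FileName": "powershell.exe",
     "ProcessCommandLine": r'powershell.exe -c "echo x > \\.\pipe\x"'},
    # ordinary benign command
    {"FileName": "cmd.exe",
     "ProcessCommandLine": r"cmd.exe /c dir C:\Users"},
]

# Approximation of KQL term extraction: runs of alphanumerics/underscore,
# compared case-insensitively (the real engine indexes terms similarly).
_TERM_RE = re.compile(r"[A-Za-z0-9_]+")


def terms(text):
    """Return the set of lower-cased terms in a command line."""
    return {t.lower() for t in _TERM_RE.findall(text)}


def has_all(text, *needles):
    """Approximate KQL has_all(): every needle must occur as a whole term."""
    toks = terms(text)
    return all(n.lower() in toks for n in needles)


def run_rule(events):
    """Apply the rule:
    DeviceProcessEvents
    | where FileName == @"cmd.exe" and ProcessCommandLine has_all("echo", "pipe")
    Note: KQL '==' is case-sensitive; use '=~' if FileName casing varies.
    """
    return [e for e in events
            if e["FileName"] == "cmd.exe"
            and has_all(e["ProcessCommandLine"], "echo", "pipe")]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit["ProcessCommandLine"])
```

Only the first row is returned; the second row shows that a literal `|` alone does not satisfy `has_all("echo", "pipe")`.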

## Tags
- cmd.exe Monitoring
- Privilege Escalation
- Offensive Security Tools
- Suspicious Command-Line Activity
- Threat Detection

## Search Query
```kql
DeviceProcessEvents
| where FileName == @"cmd.exe" and ProcessCommandLine has_all("echo", "pipe")
```

Explanation

Summary of the Query

Purpose:

The query is designed to detect suspicious activities involving the cmd.exe process, specifically when it executes commands that use echo combined with a pipe (|). This pattern is often used by attackers during post-exploitation to escalate privileges or manipulate data streams on compromised systems.

Key Points:

  • Target Process: cmd.exe
  • Suspicious Command: Usage of echo with a pipe (|)
  • Why It's Important: Such command-line activities can indicate attempts to modify or redirect output, which may be part of data exfiltration or system tampering efforts.

Detection Logic:

  • The query monitors DeviceProcessEvents for:
    • Events where the FileName is cmd.exe
    • The ProcessCommandLine includes both "echo" and "pipe"

Tags:

  • Monitoring of cmd.exe
  • Detecting privilege escalation attempts
  • Identifying the use of offensive security tools
  • Flagging suspicious command-line activities
  • Enhancing threat detection capabilities

Search Query in KQL:

```kql
DeviceProcessEvents
| where FileName == @"cmd.exe" and ProcessCommandLine has_all("echo", "pipe")
```

This query helps in identifying potentially malicious activities by focusing on specific command-line patterns that are commonly used in attacks.

Details

Ali Hussein

Released: August 27, 2024

Tables

DeviceProcessEvents

Keywords

Devices

Operators

`|`, `where`, `==`, `@`, `and`, `has_all`