Detection of redirection (>) in windows process creation command lines

[L015H4CK]

Hello everyone,

there are several windows process creation rules that try to detect different usages of redirections. Examples are:

• proc_creation_win_hktl_meterpreter_getsystem:
  • Detects: CommandLine|contains|all: '/c', 'echo', '\pipe\'
  • Example: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
• proc_creation_win_malware_dtrack:
  • Detects: CommandLine|contains|all: 'ping -n ', ' echo EEEE > '
  • Example: cmd.exe /c ping -n 3 127.0.0.1 >NUL & echo EEEE > ""

I tried to generate event logs using Sysmon that would trigger these rules. Unfortunately, I was not able to do so.
When executing the above examples, only the command line before the > character is logged. The character itself and everything that comes behind it is not captured and cannot be seen in the Sysmon logs. Example logs that were captured are:

• proc_creation_win_hktl_meterpreter_getsystem: cmd.exe /c echo 559891bb017
• proc_creation_win_malware_dtrack: cmd.exe /c ping -n 3 127.0.0.1

My question now is if I made a mistake during the setup or if Sysmon is simply not capable of generating the expected command line logs. If Sysmon is not capable, I wonder if there are other ways to log process creation command lines that do catch the >-part successfully. If not, I think the rules do not work as expected since such command line logs cannot be generated.

Thanks in advance for any answers and suggestions!
Louis

[nasbench]

Both 4688 and Sysmon EID1 aren't capable of catching those CLI for the simple purpose that the > character is considered as a pipe character and actually is piping results from one command to another. The detection using it are focusing on the usage of the "/c" flag before hand. For example.

cmd /c "whoami /all > C:\Temp\whoami.txt" will be logged as a single command.

[L015H4CK]

Thank you for the answer. I was able to capture the log as described by you above by adding the double quotes to the command after cmd /c.