Cmd.Exe Execution With Uncommon Flag

Rule Info

Name
Cmd.Exe Execution With Uncommon Flag
Author
Nasreddine Bencherchali
Description
Detects use of the "/R" flag, which is the same as "/C". This flag is often used for obfuscation and should be investigated.
Date
2022-11-18 00:00:00
Modified
2022-12-09 00:00:00
Id
491adfaf-173b-4e26-b6d8-0b0aa25cb4b6
Tags
attack.execution attack.t1059.003
Type
Nextron Sigma feed only (private)

Rule History