Date: 08/23/2024
Severity: Medium
Summary
The "Potential File Override/Append Via SET Command" vulnerability typically arises when a system or application lets users set or modify file paths through a command or configuration option. If that input is not properly validated or sanitized, it can lead to unintended file modifications: a user may be able to override or append data to files they should not have access to, potentially resulting in unauthorized data exposure or corruption. This type of vulnerability often occurs in applications that use the `SET` command or similar functionality to configure file locations or paths. Proper input validation and access controls are essential to mitigate such risks.
Indicators of Compromise (IOC) List

| Field | Value(s) |
| --- | --- |
| Image | '\cmd.exe' |
| OriginalFileName | 'Cmd.Exe' |
| CommandLine | '/c set /p=', '"set /p=', '>>*set /p=' |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

| Query | Logic |
| --- | --- |
| Detection Query 1 | ((((Resourcename in ("Sysmon") AND eventtype = "1") AND image = "\cmd.exe") AND originalfilename = "Cmd.Exe") AND commandline in ("/c set /p=","set /p=",">>*set /p=")) |
| Detection Query 2 | ((((Technologygroup = "EDR" ) AND image = "\cmd.exe") AND originalfilename = "Cmd.Exe") AND commandline in ("/c set /p=","set /p=",">>*set /p=")) |
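As an added example (not part of the original advisory, the Gurucul queries, or the referenced Sigma rule), the following Python reproduces the selection logic of Detection Query 1 and runs it over constructed Sysmon-style process-creation records. It assumes Sysmon EID 1 field names (`Image`, `OriginalFileName`, `CommandLine`), treats `*` in the last pattern as a Sigma-style wildcard, and applies case-insensitive matching, as Sigma `contains`/`endswith` modifiers do.

```python
import re

# Selection criteria reproduced from the detection queries above; the `*` in the
# last pattern is treated as a Sigma-style wildcard (assumption), and all string
# comparisons are case-insensitive, as Sigma 'contains'/'endswith' modifiers are.
IMAGE_SUFFIX = "\\cmd.exe"
ORIGINAL_FILE_NAME = "Cmd.Exe"
COMMANDLINE_PATTERNS = ["/c set /p=", "set /p=", ">>*set /p="]


def contains_wildcard(value: str, pattern: str) -> bool:
    """Case-insensitive substring match where '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.search(regex, value, flags=re.IGNORECASE) is not None


def matches_set_prompt_abuse(event: dict) -> bool:
    """Apply the query logic to one Sysmon process-creation (EventID 1) record."""
    if event.get("EventID") != 1:
        return False
    if not event.get("Image", "").lower().endswith(IMAGE_SUFFIX.lower()):
        return False
    if event.get("OriginalFileName", "").lower() != ORIGINAL_FILE_NAME.lower():
        return False
    cmdline = event.get("CommandLine", "")
    return any(contains_wildcard(cmdline, p) for p in COMMANDLINE_PATTERNS)


def scan(events: list) -> list:
    """Return the command lines of every event that triggers the detection."""
    return [e["CommandLine"] for e in events if matches_set_prompt_abuse(e)]


# Constructed sample telemetry (not real events); CMD is a shared image path.
CMD = "C:\\Windows\\System32\\cmd.exe"
SAMPLE_EVENTS = [
    # Hit: "/c set /p=" with output appended to a file via redirection.
    {"EventID": 1, "Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c set /p=hello<nul>>C:\\Temp\\note.txt"},
    # Hit: redirection placed before the set command matches ">>*set /p=".
    {"EventID": 1, "Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c >>C:\\Temp\\note.txt set /p=hello<nul"},
    # Miss: ordinary cmd.exe usage without set /p=.
    {"EventID": 1, "Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c dir C:\\Temp"},
    # Miss: same command-line text, but the image/OriginalFileName checks fail.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell -c set /p=x"},
]
```

Running `scan(SAMPLE_EVENTS)` returns the two command lines that satisfy all three conditions; the fourth record shows why the image and OriginalFileName checks matter for keeping the rule from firing on unrelated processes.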
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_set_prompt_abuse.yml