Potential Command Line Path Traversal Evasion Attempt
Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline
Sigma rule
title: Potential Command Line Path Traversal Evasion Attempt
id: 1327381e-6ab0-4f38-b583-4c1b8346a56b
status: test
description: Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline
references:
    - https://twitter.com/hexacorn/status/1448037865435320323
    - https://twitter.com/Gal_B1t/status/1062971006078345217
author: Christian Burkard (Nextron Systems)
date: 2021-10-26
modified: 2023-03-29
tags:
    - attack.defense-evasion
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        Image|contains: '\Windows\'
        CommandLine|contains:
            - '\..\Windows\'
            - '\..\System32\'
            - '\..\..\'
    selection_2:
        CommandLine|contains: '.exe\..\'
    filter_optional_google_drive:
        CommandLine|contains: '\Google\Drive\googledrivesync.exe\..\'
    filter_optional_citrix:
        CommandLine|contains: '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Google Drive
    - Citrix
level: medium
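To show how the selections, the optional filters and the condition above combine, here is an added example (not SigmaHQ code or tooling) that re-implements this rule's matching logic in plain Python and runs it over constructed process_creation events; the sample paths are hypothetical, and the example assumes Sigma's default case-insensitive `|contains` matching.

```python
# Added example: minimal re-implementation of the rule's matching logic
# (not SigmaHQ code). Search strings are copied from the YAML above;
# Sigma '|contains' matches case-insensitively, which is mirrored here.

SELECTION_1_IMAGE = "\\Windows\\"
SELECTION_1_CMDLINE = ["\\..\\Windows\\", "\\..\\System32\\", "\\..\\..\\"]
SELECTION_2_CMDLINE = ".exe\\..\\"
FILTER_OPTIONAL_CMDLINE = [
    "\\Google\\Drive\\googledrivesync.exe\\..\\",
    "\\Citrix\\Virtual Smart Card\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\..\\",
]


def contains(field_value: str, pattern: str) -> bool:
    """Sigma '|contains' semantics: case-insensitive substring test."""
    return pattern.lower() in field_value.lower()


def matches(event: dict) -> bool:
    """Evaluate 'condition: 1 of selection_* and not 1 of filter_optional_*'."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    # selection_1: map entries are AND-ed, list values under one key are OR-ed
    sel1 = contains(image, SELECTION_1_IMAGE) and any(
        contains(cmdline, p) for p in SELECTION_1_CMDLINE
    )
    sel2 = contains(cmdline, SELECTION_2_CMDLINE)
    filtered = any(contains(cmdline, p) for p in FILTER_OPTIONAL_CMDLINE)
    return (sel1 or sel2) and not filtered


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = {
    "exe_traversal": {"Image": "C:\\Tools\\a.exe",
                      "CommandLine": "C:\\Tools\\a.exe\\..\\b.exe"},
    "windows_binary_traversal": {"Image": "C:\\Windows\\System32\\cmd.exe",
                                 "CommandLine": "cmd.exe /c dir C:\\Windows\\System32\\..\\..\\"},
    "same_cmdline_non_windows_image": {"Image": "C:\\Tools\\build.exe",
                                       "CommandLine": "build.exe /c dir C:\\Windows\\System32\\..\\..\\"},
    "google_drive_filtered": {"Image": "C:\\Program Files\\Google\\Drive\\googledrivesync.exe",
                              "CommandLine": "C:\\Program Files\\Google\\Drive\\googledrivesync.exe\\..\\Drive\\x.dll"},
    "mixed_case": {"Image": "c:\\tools\\A.EXE", "CommandLine": "c:\\tools\\A.EXE\\..\\B.EXE"},
}


def run_samples() -> dict:
    """Return {sample name: True if the rule would alert on it}."""
    return {name: matches(ev) for name, ev in SAMPLE_EVENTS.items()}
```

Note that `same_cmdline_non_windows_image` does not alert: `selection_1` needs the `\Windows\` Image prefix as well as the traversal string, and `selection_2` needs the traversal to follow an `.exe` directly.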
Related rules
- CreateDump Process Dump
- DumpMinitool Execution
- Explorer Process Tree Break
- Findstr Launching .lnk File
- HackTool - XORDump Execution