Potential Command Line Path Traversal Evasion Attempt

calendar Aug 12, 2024 · attack.defense-evasion attack.t1036  ·
Share on: linkedin copy

Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline

Sigma rule (View on GitHub)

 1title: Potential Command Line Path Traversal Evasion Attempt
 2id: 1327381e-6ab0-4f38-b583-4c1b8346a56b
 3status: test
 4description: Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline
 5references:
 6    - https://twitter.com/hexacorn/status/1448037865435320323
 7    - https://twitter.com/Gal_B1t/status/1062971006078345217
 8author: Christian Burkard (Nextron Systems)
 9date: 2021-10-26
10modified: 2023-03-29
11tags:
12    - attack.defense-evasion
13    - attack.t1036
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_1:
19        Image|contains: '\Windows\'
20        CommandLine|contains:
21            - '\..\Windows\'
22            - '\..\System32\'
23            - '\..\..\'
24    selection_2:
25        CommandLine|contains: '.exe\..\'
26    filter_optional_google_drive:
27        CommandLine|contains: '\Google\Drive\googledrivesync.exe\..\'
28    filter_optional_citrix:
29        CommandLine|contains: '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\'
30    condition: 1 of selection_* and not 1 of filter_optional_*
31falsepositives:
32    - Google Drive
33    - Citrix
34level: medium

References

Related rules

to-top