Use Short Name Path in Command Line

calendar Oct 18, 2023 · attack.defense_evasion attack.t1564.004  ·
Share on: linkedin copy

Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection

Sigma rule (View on GitHub)

 1title: Use Short Name Path in Command Line
 2id: 349d891d-fef0-4fe4-bc53-eee623a15969
 3related:
 4    - id: a96970af-f126-420d-90e1-d37bf25e50e1
 5      type: similar
 6status: test
 7description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
 8references:
 9    - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
10    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
11    - https://twitter.com/frack113/status/1555830623633375232
12author: frack113, Nasreddine Bencherchali
13date: 2022/08/07
14modified: 2022/10/26
15tags:
16    - attack.defense_evasion
17    - attack.t1564.004
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        CommandLine|contains:
24            - '~1\'
25            - '~2\'
26    filter:
27        - ParentImage:
28              - 'C:\Windows\System32\Dism.exe'
29              - 'C:\Windows\System32\cleanmgr.exe'
30              - 'C:\Program Files\GPSoftware\Directory Opus\dopus.exe'
31        - ParentImage|endswith:
32              - '\WebEx\WebexHost.exe'
33              - '\thor\thor64.exe'
34              - '\veam.backup.shell.exe'
35              - '\winget.exe'
36              - '\Everything\Everything.exe'
37        - ParentImage|contains: '\AppData\Local\Temp\WinGet\'
38        - CommandLine|contains:
39              - '\appdata\local\webex\webex64\meetings\wbxreport.exe'
40              - 'C:\Program Files\Git\post-install.bat'
41              - 'C:\Program Files\Git\cmd\scalar.exe'
42    condition: selection and not filter
43falsepositives:
44    - Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process.
45level: medium

References

  • Windows Short (8.3) Filenames - A Security Nightmare? | Acunetix

    Each time you create a new file on Windows, the operating system also generates an MS-DOS-compatible short file name in 8.3 format, to allow MS-DOS-based or 16-bit Windows-based programs to access files which have a long name. You can see these MS-DOS-compatible short file names by...Read more


    Read More

  • NtfsDisable8dot3NameCreation

    NtfsDisable8dot3NameCreation Article 03/04/2010 HKLM\SYSTEM\CurrentControlSet\Control\FileSystem Description Determines whether NTFS generates a short name in the 8.3 naming convention for long fil...


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

Related rules

to-top