Use Short Name Path in Command Line
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
Sigma rule (View on GitHub)
1title: Use Short Name Path in Command Line
2id: 349d891d-fef0-4fe4-bc53-eee623a15969
3related:
4 - id: a96970af-f126-420d-90e1-d37bf25e50e1
5 type: similar
6status: test
7description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
8references:
9 - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
10 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
11 - https://twitter.com/frack113/status/1555830623633375232
12author: frack113, Nasreddine Bencherchali
13date: 2022-08-07
14modified: 2022-10-26
15tags:
16 - attack.defense-evasion
17 - attack.t1564.004
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection:
23 CommandLine|contains:
24 - '~1\'
25 - '~2\'
26 filter:
27 - ParentImage:
28 - 'C:\Windows\System32\Dism.exe'
29 - 'C:\Windows\System32\cleanmgr.exe'
30 - 'C:\Program Files\GPSoftware\Directory Opus\dopus.exe'
31 - ParentImage|endswith:
32 - '\WebEx\WebexHost.exe'
33 - '\thor\thor64.exe'
34 - '\veam.backup.shell.exe'
35 - '\winget.exe'
36 - '\Everything\Everything.exe'
37 - ParentImage|contains: '\AppData\Local\Temp\WinGet\'
38 - CommandLine|contains:
39 - '\appdata\local\webex\webex64\meetings\wbxreport.exe'
40 - 'C:\Program Files\Git\post-install.bat'
41 - 'C:\Program Files\Git\cmd\scalar.exe'
42 condition: selection and not filter
43falsepositives:
44 - Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process.
45level: medium
References
Related rules
- Execute From Alternate Data Streams
- Exports Registry Key To an Alternate Data Stream
- Hidden Executable In NTFS Alternate Data Stream
- Insensitive Subfolder Search Via Findstr.EXE
- NTFS Alternate Data Stream