Use Short Name Path in Image

 1title: Use Short Name Path in Image
 2id: a96970af-f126-420d-90e1-d37bf25e50e1
 3related:
 4    - id: 349d891d-fef0-4fe4-bc53-eee623a15969
 5      type: similar
 6status: test
 7description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
 8references:
 9    - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
10    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
11    - https://twitter.com/frack113/status/1555830623633375232
12author: frack113, Nasreddine Bencherchali
13date: 2022-08-07
14modified: 2025-10-20
15tags:
16    - attack.defense-evasion
17    - attack.t1564.004
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        Image|contains:
24            - '~1\'
25            - '~2\'
26    filter_main_system_process:
27        ParentImage:
28            - 'C:\Windows\System32\Dism.exe'
29            - 'C:\Windows\System32\cleanmgr.exe'  # Spawns DismHost.exe with a shortened username (if too long)
30    filter_main_installers:
31        - Image|contains|all:
32              - '\AppData\'
33              - '\Temp\'
34        - Image|endswith:
35              - '~1\unzip.exe'
36              - '~1\7zG.exe'
37    filter_optional_webex:
38        ParentImage|endswith: '\WebEx\WebexHost.exe' # Spawns a shortened version of the CLI and Image processes
39    filter_optional_thor:
40        ParentImage|endswith: '\thor\thor64.exe'
41    filter_optional_installshield:
42        - Product: 'InstallShield (R)'
43        - Description: 'InstallShield (R) Setup Engine'
44        - Company: 'InstallShield Software Corporation'
45    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
46falsepositives:
47    - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
48level: medium

References

• Windows Short (8.3) Filenames - A Security Nightmare? | Acunetix

  

  Each time you create a new file on Windows, the operating system also generates an MS-DOS-compatible short file name in 8.3 format, to allow MS-DOS-based or 16-bit Windows-based programs to access files which have a long name. You can see these MS-DOS-compatible short file names by...Read more

  
  Read More

• NtfsDisable8dot3NameCreation

  

  Note Access to this page requires authorization. You can try signing in or changing directories. Access to this page requires authorization. You can try changing directories. NtfsDisable8dot3NameCr...

  
  Read More

• 

  Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.

  
  Read More

Related rules

• Suspicious File Download From File Sharing Websites - File Stream
• Unusual File Download From File Sharing Websites - File Stream
• Insensitive Subfolder Search Via Findstr.EXE
• Remote File Download Via Findstr.EXE
• Hidden Flag Set On File/Directory Via Chflags - MacOS