Use NTFS Short Name in Command Line

Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection

Sigma rule (View on GitHub)

 1title: Use NTFS Short Name in Command Line
 2id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795
 3related:
 4    - id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b
 5      type: similar
 6status: test
 7description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
 8references:
 9    - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
10    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
11    - https://twitter.com/jonasLyk/status/1555914501802921984
12author: frack113, Nasreddine Bencherchali (Nextron Systems)
13date: 2022/08/05
14modified: 2022/09/21
15tags:
16    - attack.defense_evasion
17    - attack.t1564.004
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        CommandLine|contains:
24            - '~1.exe'
25            - '~1.bat'
26            - '~1.msi'
27            - '~1.vbe'
28            - '~1.vbs'
29            - '~1.dll'
30            - '~1.ps1'
31            - '~1.js'
32            - '~1.hta'
33            - '~2.exe'
34            - '~2.bat'
35            - '~2.msi'
36            - '~2.vbe'
37            - '~2.vbs'
38            - '~2.dll'
39            - '~2.ps1'
40            - '~2.js'
41            - '~2.hta'
42    filter:
43        - ParentImage|endswith:
44              - '\WebEx\WebexHost.exe'
45              - '\thor\thor64.exe'
46        - CommandLine|contains: 'C:\xampp\vcredist\VCREDI~1.EXE'
47    condition: selection and not filter
48falsepositives:
49    - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
50level: medium

References

Related rules

to-top