Use NTFS Short Name in Command Line
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
Sigma rule (View on GitHub)
1title: Use NTFS Short Name in Command Line
2id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795
3related:
4 - id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b
5 type: similar
6status: test
7description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
8references:
9 - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
10 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
11 - https://twitter.com/jonasLyk/status/1555914501802921984
12author: frack113, Nasreddine Bencherchali (Nextron Systems)
13date: 2022/08/05
14modified: 2022/09/21
15tags:
16 - attack.defense_evasion
17 - attack.t1564.004
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection:
23 CommandLine|contains:
24 - '~1.exe'
25 - '~1.bat'
26 - '~1.msi'
27 - '~1.vbe'
28 - '~1.vbs'
29 - '~1.dll'
30 - '~1.ps1'
31 - '~1.js'
32 - '~1.hta'
33 - '~2.exe'
34 - '~2.bat'
35 - '~2.msi'
36 - '~2.vbe'
37 - '~2.vbs'
38 - '~2.dll'
39 - '~2.ps1'
40 - '~2.js'
41 - '~2.hta'
42 filter:
43 - ParentImage|endswith:
44 - '\WebEx\WebexHost.exe'
45 - '\thor\thor64.exe'
46 - CommandLine|contains: 'C:\xampp\vcredist\VCREDI~1.EXE'
47 condition: selection and not filter
48falsepositives:
49 - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
50level: medium
References
Related rules
- Use Short Name Path in Command Line
- PrintBrm ZIP Creation of Extraction
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
- Use NTFS Short Name in Image
- Hidden Executable In NTFS Alternate Data Stream