Use NTFS Short Name in Image
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection
Sigma rule (View on GitHub)
1title: Use NTFS Short Name in Image
2id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b
3related:
4 - id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795
5 type: similar
6status: test
7description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection
8references:
9 - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
10 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
11 - https://twitter.com/jonasLyk/status/1555914501802921984
12author: frack113, Nasreddine Bencherchali (Nextron Systems)
13date: 2022-08-06
14modified: 2023-07-20
15tags:
16 - attack.defense-evasion
17 - attack.t1564.004
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection:
23 Image|contains:
24 - '~1.bat'
25 - '~1.dll'
26 - '~1.exe'
27 - '~1.hta'
28 - '~1.js'
29 - '~1.msi'
30 - '~1.ps1'
31 - '~1.tmp'
32 - '~1.vbe'
33 - '~1.vbs'
34 - '~2.bat'
35 - '~2.dll'
36 - '~2.exe'
37 - '~2.hta'
38 - '~2.js'
39 - '~2.msi'
40 - '~2.ps1'
41 - '~2.tmp'
42 - '~2.vbe'
43 - '~2.vbs'
44 filter_main_generic_parent:
45 ParentImage: 'C:\Windows\explorer.exe'
46 filter_optional_webex:
47 ParentImage|endswith: '\WebEx\WebexHost.exe'
48 filter_optional_thor:
49 ParentImage|endswith: '\thor\thor64.exe'
50 filter_optional_winzip:
51 Image: 'C:\PROGRA~1\WinZip\WZPREL~1.EXE'
52 filter_optional_vcred:
53 Image|endswith: '\VCREDI~1.EXE'
54 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
55falsepositives:
56 - Software Installers
57level: medium
References
Related rules
- Execute From Alternate Data Streams
- Exports Registry Key To an Alternate Data Stream
- HackTool Named File Stream Created
- Hidden Executable In NTFS Alternate Data Stream
- Insensitive Subfolder Search Via Findstr.EXE