Use NTFS Short Name in Image

 1title: Use NTFS Short Name in Image
 2id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b
 3related:
 4    - id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795
 5      type: similar
 6status: experimental
 7description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection
 8references:
 9    - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
10    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
11    - https://twitter.com/jonasLyk/status/1555914501802921984
12author: frack113, Nasreddine Bencherchali (Nextron Systems)
13date: 2022/08/06
14modified: 2023/07/20
15tags:
16    - attack.defense_evasion
17    - attack.t1564.004
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        Image|contains:
24            - '~1.bat'
25            - '~1.dll'
26            - '~1.exe'
27            - '~1.hta'
28            - '~1.js'
29            - '~1.msi'
30            - '~1.ps1'
31            - '~1.tmp'
32            - '~1.vbe'
33            - '~1.vbs'
34            - '~2.bat'
35            - '~2.dll'
36            - '~2.exe'
37            - '~2.hta'
38            - '~2.js'
39            - '~2.msi'
40            - '~2.ps1'
41            - '~2.tmp'
42            - '~2.vbe'
43            - '~2.vbs'
44    filter_main_generic_parent:
45        ParentImage: 'C:\Windows\explorer.exe'
46    filter_optional_webex:
47        ParentImage|endswith: '\WebEx\WebexHost.exe'
48    filter_optional_thor:
49        ParentImage|endswith: '\thor\thor64.exe'
50    filter_optional_winzip:
51        Image: 'C:\PROGRA~1\WinZip\WZPREL~1.EXE'
52    filter_optional_vcred:
53        Image|endswith: '\VCREDI~1.EXE'
54    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
55falsepositives:
56    - Software Installers
57level: medium

References

• Windows Short (8.3) Filenames - A Security Nightmare? | Acunetix

  

  Each time you create a new file on Windows, the operating system also generates an MS-DOS-compatible short file name in 8.3 format, to allow MS-DOS-based or 16-bit Windows-based programs to access files which have a long name. You can see these MS-DOS-compatible short file names by...Read more

  
  Read More

• NtfsDisable8dot3NameCreation

  

  NtfsDisable8dot3NameCreation Article 03/04/2010 HKLM\SYSTEM\CurrentControlSet\Control\FileSystem Description Determines whether NTFS generates a short name in the 8.3 naming convention for long fil...

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

Related rules

• Hidden Executable In NTFS Alternate Data Stream
• Execute From Alternate Data Streams
• Run PowerShell Script from ADS
• NTFS Alternate Data Stream
• Powershell Store File In Alternate Data Stream