
Use Short Name Path in Command Line

Detects the use of short name paths (8.3 format) in command lines. NTFS generates a short 8.3 name (for example PROGRA~1 for "Program Files") for each file and directory on volumes where 8.3 name generation is enabled (the default on the system volume) so that MS-DOS-based and 16-bit Windows programs can still open them. Because the short name is an alternate, equally valid path to the same object, it can be used to obfuscate a path in a command line or to reach a location whose long name is blocked by a string-matching control; `fsutil 8dot3name query C:` shows whether generation is enabled on a volume.

When investigating, examine:
- Commands that use short paths to reach sensitive directories or files (for example system directories or user profile paths)
- Web servers on Windows (especially Apache) where short filenames could bypass path-based security controls
- Correlation with other suspicious behaviour by the same parent or child process
- The baseline of short name usage in your environment, looking for deviations from the processes that normally emit it

Authors: François Hubaut, Nasreddine Bencherchali (Nextron Systems)
Hunting Hypothesis
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (12 selectors: one selection and eleven filters)
detection:
    selection:
        CommandLine|contains:
            - '~1\'
            - '~2\'
    filter_main_system_process:
        ParentImage:
            - 'C:\Windows\System32\Dism.exe'
            - 'C:\Windows\System32\cleanmgr.exe'
    filter_main_winget:
        - ParentImage|endswith: '\winget.exe'
        - ParentImage|contains: '\AppData\Local\Temp\WinGet\'
    filter_main_csc:
        ParentImage|startswith: 'C:\Windows\Microsoft.NET\Framework64\v'
        ParentImage|endswith: '\csc.exe'
    filter_main_installers:
        - Image|contains|all:
              - '\AppData\'
              - '\Temp\'
        - CommandLine|contains: '\AppData\Local\Temp\' # sometimes installers spawn other installers from temp folder
    filter_optional_dopus:
        ParentImage: 'C:\Program Files\GPSoftware\Directory Opus\dopus.exe'
    filter_optional_aurora:
        ParentImage|endswith:
            - '\aurora-agent-64.exe'
            - '\aurora-agent.exe'
    filter_optional_thor:
        ParentImage|endswith: '\thor\thor64.exe'
    filter_optional_git:
        CommandLine|contains:
            - 'C:\Program Files\Git\post-install.bat'
            - 'C:\Program Files\Git\cmd\scalar.exe'
    filter_optional_webex:
        - ParentImage|endswith: '\WebEx\webexhost.exe'
        - CommandLine|contains: '\appdata\local\webex\webex64\meetings\wbxreport.exe'
    filter_optional_veeam:
        ParentImage|endswith: '\veeam.backup.shell.exe'
    filter_optional_everything:
        ParentImage|endswith: '\Everything\Everything.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
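As an added example (not part of the rule or of any Sigma project tooling), the following Python transcribes the detection block above into a small evaluator and runs it over a handful of constructed Sysmon-style process-creation events: one short-path launch from an unknown parent that should fire, and three that the selection or a filter should suppress. It assumes Sigma's default semantics for these modifiers: string comparison is case-insensitive, a map is AND of its fields, a list of maps is OR, and `|all` requires every listed value to match. The field names are the standard process_creation fields; the image paths and command lines in the events are constructed for illustration.

```python
"""Evaluate the short-name-path Sigma rule over constructed process events."""
from typing import Any, Dict, List, Union

Selector = Union[Dict[str, Any], List[Dict[str, Any]]]

# Transcription of the rule's detection section. A dict is AND of its
# entries; a list of dicts is OR of its entries (Sigma list-of-maps syntax).
SELECTION: Selector = {"CommandLine|contains": ["~1\\", "~2\\"]}

FILTERS_MAIN: List[Selector] = [
    {"ParentImage": ["C:\\Windows\\System32\\Dism.exe",
                     "C:\\Windows\\System32\\cleanmgr.exe"]},
    [{"ParentImage|endswith": "\\winget.exe"},
     {"ParentImage|contains": "\\AppData\\Local\\Temp\\WinGet\\"}],
    {"ParentImage|startswith": "C:\\Windows\\Microsoft.NET\\Framework64\\v",
     "ParentImage|endswith": "\\csc.exe"},
    [{"Image|contains|all": ["\\AppData\\", "\\Temp\\"]},
     {"CommandLine|contains": "\\AppData\\Local\\Temp\\"}],
]

FILTERS_OPTIONAL: List[Selector] = [
    {"ParentImage": "C:\\Program Files\\GPSoftware\\Directory Opus\\dopus.exe"},
    {"ParentImage|endswith": ["\\aurora-agent-64.exe", "\\aurora-agent.exe"]},
    {"ParentImage|endswith": "\\thor\\thor64.exe"},
    {"CommandLine|contains": ["C:\\Program Files\\Git\\post-install.bat",
                              "C:\\Program Files\\Git\\cmd\\scalar.exe"]},
    [{"ParentImage|endswith": "\\WebEx\\webexhost.exe"},
     {"CommandLine|contains":
      "\\appdata\\local\\webex\\webex64\\meetings\\wbxreport.exe"}],
    {"ParentImage|endswith": "\\veeam.backup.shell.exe"},
    {"ParentImage|endswith": "\\Everything\\Everything.exe"},
]


def _match_field(field_spec: str, values: Any, event: Dict[str, Any]) -> bool:
    """Apply one 'Field|modifier' entry to an event (case-insensitive)."""
    field, *mods = field_spec.split("|")
    actual = str(event.get(field, "")).lower()
    wanted = [v.lower() for v in ([values] if isinstance(values, str) else values)]
    op = next((m for m in mods if m in ("contains", "startswith", "endswith")), None)

    def test(v: str) -> bool:
        if op == "contains":
            return v in actual
        if op == "startswith":
            return actual.startswith(v)
        if op == "endswith":
            return actual.endswith(v)
        return actual == v  # no modifier: exact (case-insensitive) match

    # '|all' means every value must match; otherwise any one value suffices.
    return all(map(test, wanted)) if "all" in mods else any(map(test, wanted))


def matches(selector: Selector, event: Dict[str, Any]) -> bool:
    """Map = AND of fields, list of maps = OR of alternatives."""
    if isinstance(selector, list):
        return any(matches(alt, event) for alt in selector)
    return all(_match_field(k, v, event) for k, v in selector.items())


def rule_fires(event: Dict[str, Any]) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not matches(SELECTION, event):
        return False
    return not any(matches(f, event) for f in FILTERS_MAIN + FILTERS_OPTIONAL)


def evaluate(events: List[Dict[str, Any]]) -> List[int]:
    """Return the indices of events the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_fires(e)]


# Constructed sample events (not real telemetry).
EVENTS: List[Dict[str, Any]] = [
    # 0: unknown parent launching 7-Zip through a short path -> should fire
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Users\\bob\\Downloads\\invoice.exe",
     "CommandLine": "cmd.exe /c C:\\PROGRA~1\\7-Zip\\7z.exe x "
                    "C:\\Users\\bob\\AppData\\Roaming\\payload.zip"},
    # 1: DISM spawning its host from a short profile path -> filter_main_system_process
    {"Image": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\DismHost.exe",
     "ParentImage": "C:\\Windows\\System32\\Dism.exe",
     "CommandLine": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\DismHost.exe {guid}"},
    # 2: ordinary long path -> selection does not match
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe C:\\Users\\bob\\notes.txt"},
    # 3: installer run by winget from its temp folder -> filter_main_winget
    {"Image": "C:\\Program Files (x86)\\Vendor\\setup.exe",
     "ParentImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\WinGet\\Setup.exe",
     "CommandLine": "C:\\PROGRA~2\\Vendor\\setup.exe /silent"},
]

if __name__ == "__main__":
    print("alerting events:", evaluate(EVENTS))
```

The filter list is deliberately transcribed one-to-one so that a tuning change to the YAML can be mirrored and re-tested against the same constructed events; when adding a new `filter_optional_*` entry, add an event that exercises it and confirm the true-positive case (event 0) still fires.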
False Positives

Legitimate applications occasionally use this notation (installers, system maintenance tools and some third-party software, as the filters above show), which can generate false positives. In that case investigate the parent and child process pair and, if the pair is expected in your environment, add a scoped filter rather than widening an existing one.

MITRE ATT&CK
Tactic: Defense Evasion (attack.defense-evasion)
Technique: T1564.004 Hide Artifacts: NTFS File Attributes (attack.t1564.004)

Other
detection.threat-hunting
Rule Metadata
Rule ID
349d891d-fef0-4fe4-bc53-eee623a15969
Status
test
Level
medium
Type
Threat Hunt
Created
Sun Aug 07
Modified
Wed Oct 22
Path
rules-threat-hunting/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml
Raw Tags
attack.defense-evasion, attack.t1564.004, detection.threat-hunting