Detectionmediumtest
Use NTFS Short Name in Command Line
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
François Hubaut, Nasreddine Bencherchali (Nextron Systems)Created Fri Aug 05Updated Wed Sep 21dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection:
CommandLine|contains:
- '~1.exe'
- '~1.bat'
- '~1.msi'
- '~1.vbe'
- '~1.vbs'
- '~1.dll'
- '~1.ps1'
- '~1.js'
- '~1.hta'
- '~2.exe'
- '~2.bat'
- '~2.msi'
- '~2.vbe'
- '~2.vbs'
- '~2.dll'
- '~2.ps1'
- '~2.js'
- '~2.hta'
filter:
- ParentImage|endswith:
- '\WebEx\WebexHost.exe'
- '\thor\thor64.exe'
- CommandLine|contains: 'C:\xampp\vcredist\VCREDI~1.EXE'
condition: selection and not filterFalse Positives
Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795
Status
test
Level
medium
Type
Detection
Created
Fri Aug 05
Modified
Wed Sep 21
Path
rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml
Raw Tags
attack.defense-evasionattack.t1564.004