/
proc_creation_win_susp_ntfs_short_name_path_use_image.yml
46 lines (46 loc) · 1.76 KB
/
proc_creation_win_susp_ntfs_short_name_path_use_image.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
title: Use Short Name Path in Image
id: a96970af-f126-420d-90e1-d37bf25e50e1
related:
- id: 349d891d-fef0-4fe4-bc53-eee623a15969
type: similar
status: test
description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
references:
- https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
- https://twitter.com/frack113/status/1555830623633375232
author: frack113, Nasreddine Bencherchali
date: 2022/08/07
modified: 2023/03/21
tags:
- attack.defense_evasion
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- '~1\'
- '~2\'
filter1:
- ParentImage:
- C:\Windows\System32\Dism.exe
- C:\Windows\System32\cleanmgr.exe # Spawns DismHost.exe with a shortened username (if too long)
- ParentImage|endswith:
- '\WebEx\WebexHost.exe' # Spawns a shortened version of the CLI and Image processes
- '\thor\thor64.exe'
- Product: 'InstallShield (R)'
- Description: 'InstallShield (R) Setup Engine'
- Company: 'InstallShield Software Corporation'
filter_installers:
- Image|contains|all:
- '\AppData\'
- '\Temp\'
- Image|endswith:
- '~1\unzip.exe'
- '~1\7zG.exe'
condition: selection and not 1 of filter*
falsepositives:
- Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
level: medium