Merge pull request #3333 from frack113/short_path

Use short name path

.github/workflows/known-FPs.csv

@@ -29,3 +29,9 @@ cfeed607-6aa4-4bbd-9627-b637deb723c8;New or Renamed User Account with '$' in Att
 7b449a5e-1db5-4dd0-a2dc-4e3a67282538;Hidden Local User Creation;HomeGroupUser\$
 1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC
 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6
+a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;Ninite\.exe
+349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;Ninite\.exe
+a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe
+349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;target\.exe
+a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe
+349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe

rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml

@@ -0,0 +1,30 @@
+title: Use Short Name Path in Command Line
+id: 349d891d-fef0-4fe4-bc53-eee623a15969
+related:
+    - id: a96970af-f126-420d-90e1-d37bf25e50e1
+      type: similar
+status: experimental
+description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
+author: frack113, Nasreddine Bencherchali
+references:
+    - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
+    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
+    - https://twitter.com/frack113/status/1555830623633375232
+date: 2022/08/07
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains: 
+            - '~1\'
+            - '~2\'
+    filter_dism:
+        ParentImage: C:\Windows\System32\Dism.exe
+    condition: selection and not 1 of filter_*
+falsepositives:
+    - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1564.004

rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml

@@ -0,0 +1,30 @@
+title: Use Short Name Path in Image
+id: a96970af-f126-420d-90e1-d37bf25e50e1
+related:
+    - id: 349d891d-fef0-4fe4-bc53-eee623a15969
+      type: similar
+status: experimental
+description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Iamge detection
+author: frack113, Nasreddine Bencherchali
+references:
+    - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
+    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
+    - https://twitter.com/frack113/status/1555830623633375232
+date: 2022/08/07
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|contains:
+            - '~1\'
+            - '~2\'
+    filter_dism:
+        ParentImage: C:\Windows\System32\Dism.exe
+    condition: selection and not 1 of filter_*
+falsepositives:
+    - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1564.004