diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index 98f7e89fb..3717f73f1 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv @@ -29,3 +29,9 @@ cfeed607-6aa4-4bbd-9627-b637deb723c8;New or Renamed User Account with '$' in Att 7b449a5e-1db5-4dd0-a2dc-4e3a67282538;Hidden Local User Creation;HomeGroupUser\$ 1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6 +a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;Ninite\.exe +349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;Ninite\.exe +a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe +349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;target\.exe +a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe +349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml new file mode 100644 index 000000000..7ee974601 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml 
@@ -0,0 +1,30 @@ +title: Use Short Name Path in Command Line +id: 349d891d-fef0-4fe4-bc53-eee623a15969 +related: + - id: a96970af-f126-420d-90e1-d37bf25e50e1 + type: similar +status: experimental +description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection +author: frack113, Nasreddine Bencherchali +references: + - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN + - https://twitter.com/frack113/status/1555830623633375232 +date: 2022/08/07 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: + - '~1\' + - '~2\' + filter_dism: + ParentImage: C:\Windows\System32\Dism.exe + condition: selection and not 1 of filter_* +falsepositives: + - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. +level: medium +tags: + - attack.defense_evasion + - attack.t1564.004 diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml new file mode 100644 index 000000000..e01fe0308 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml 
@@ -0,0 +1,30 @@ +title: Use Short Name Path in Image +id: a96970af-f126-420d-90e1-d37bf25e50e1 +related: + - id: 349d891d-fef0-4fe4-bc53-eee623a15969 + type: similar +status: experimental +description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Iamge detection +author: frack113, Nasreddine Bencherchali +references: + - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN + - https://twitter.com/frack113/status/1555830623633375232 +date: 2022/08/07 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|contains: + - '~1\' + - '~2\' + filter_dism: + ParentImage: C:\Windows\System32\Dism.exe + condition: selection and not 1 of filter_* +falsepositives: + - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. +level: high +tags: + - attack.defense_evasion + - attack.t1564.004
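Review bot: the new rows in `.github/workflows/known-FPs.csv` are asymmetric between the two rules: `Ninite\.exe` and `target\.exe` are listed for both `Use Short Name Path in Image` and `Use Short Name Path in Command Line`, but `unzip\.exe` is only whitelisted for the Image rule and `TeamViewer_\.exe` only for the Command Line rule. Since a process whose Image contains a `~1\` path will normally carry the same path in its CommandLine, please either add the two missing counterpart rows or note in the PR why these two binaries only trip one of the rules.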
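Review bot: the `description` in `proc_creation_win_ntfs_short_name_path_use_cli.yml` is split into two fragments ("Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection"); suggest a single sentence such as "Detects the use of Windows 8.3 short names in the command line, which can be used to evade command-line based detections". Also, the selection only matches the suffixes `'~1\'` and `'~2\'`, while 8.3 short names for colliding long names continue with `~3`, `~4` and so on; either document that the rule intentionally covers only the two most common suffixes or widen the list. Minor: "In that case Investigate" in `falsepositives` should be lowercase "investigate".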
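Review bot: typo in the `description` of `proc_creation_win_ntfs_short_name_path_use_image.yml`: "avoid Iamge detection" should read "avoid Image-based detection", and the same two-fragment sentence as in the sibling rule should be merged into one. The rule is set to `level: high` while the related Command Line rule uses `level: medium` with an identical `filter_dism` and the same `falsepositives` text; if the higher severity is deliberate because a short name in the Image field is rarer than in the command line, a short justification in the description or PR would help reviewers, otherwise the two levels should be aligned.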