From c38bfe86da42f6aeefefa9b93917afaedc06b69f Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 6 Aug 2022 11:25:44 +0200
Subject: [PATCH 1/3] Add short path and Image
---
 .github/workflows/known-FPs.csv | 3 +++
 .../proc_creation_win_ntfs_short_name_use.yml | 20 +++++++++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index 98f7e89fb..d836ad6d9 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -29,3 +29,6 @@ cfeed607-6aa4-4bbd-9627-b637deb723c8;New or Renamed User Account with '$' in Att
 7b449a5e-1db5-4dd0-a2dc-4e3a67282538;Hidden Local User Creation;HomeGroupUser\$
 1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC
 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6
+dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795;Use NTFS Short Name in Command Line;target\.exe
+dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795;Use NTFS Short Name in Command Line;unzip\.exe
+dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795;Use NTFS Short Name in Command Line;TeamViewer_\.exe
diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml
index 4dea126c3..46a33868e 100644
--- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml
+++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml
@@ -7,15 +7,31 @@ references:
 - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
 date: 2022/08/05
+modified: 2022/08/06
 logsource:
 category: process_creation
 product: windows
 detection:
- selection:
+ selection_cmd:
 CommandLine|contains:
 - '~1.'
 - '~2.'
- condition: selection
+ - '~1\'
+ - '~2\'
+ selection_image:
+ Image|contains:
+ - '~1.'
+ - '~2.'
+ - '~1\'
+ - '~2\'
+ filter_dism:
+ ParentImage: C:\Windows\System32\Dism.exe
+ filter_ninite:
+ ParentImage|endswith:
+ - \Ninite.exe
+ - \target.exe
+ - \target.bat
+ condition: 1 of selection_* and not 1 of filter_*
 falsepositives:
 - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
 level: medium
From f1eba857803655212c56868afab28d5d8b93179c Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 7 Aug 2022 08:37:58 +0200
Subject: [PATCH 2/3] Add short name path
---
 .github/workflows/known-FPs.csv | 6 ++--
 ...ation_win_ntfs_short_name_path_use_cli.yml | 30 +++++++++++++++++++
 ...ion_win_ntfs_short_name_path_use_image.yml | 30 +++++++++++++++++++
 .../proc_creation_win_ntfs_short_name_use.yml | 20 ++-----------
 4 files changed, 65 insertions(+), 21 deletions(-)
 create mode 100644 rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml
diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index d836ad6d9..59eed8e9a 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
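Review bot: The `filter_ninite` block excludes every event whose parent image merely ends in `\target.exe` or `\target.bat`, so any process spawned by a binary carrying one of those basenames anywhere on disk is dropped from the rule, while `filter_dism` just above it pins the full `C:\Windows\System32\Dism.exe` path. If this filter is ever reintroduced it should follow the same pattern and name the full path of the specific parent that is known to be benign instead of a basename, with a one-line comment on why it is excluded. Patch 2 of this series removes the whole block again, so this only matters if the block comes back.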
@@ -29,6 +29,6 @@ cfeed607-6aa4-4bbd-9627-b637deb723c8;New or Renamed User Account with '$' in Att
 7b449a5e-1db5-4dd0-a2dc-4e3a67282538;Hidden Local User Creation;HomeGroupUser\$
 1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC
 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6
-dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795;Use NTFS Short Name in Command Line;target\.exe
-dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795;Use NTFS Short Name in Command Line;unzip\.exe
-dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795;Use NTFS Short Name in Command Line;TeamViewer_\.exe
+a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;Ninite\.exe
+349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;Ninite\.exe
+
diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml
new file mode 100644
index 000000000..7ee974601
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml
@@ -0,0 +1,30 @@
+title: Use Short Name Path in Command Line
+id: 349d891d-fef0-4fe4-bc53-eee623a15969
+related:
+ - id: a96970af-f126-420d-90e1-d37bf25e50e1
+ type: similar
+status: experimental
+description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
+author: frack113, Nasreddine Bencherchali
+references:
+ - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
+ - https://twitter.com/frack113/status/1555830623633375232
+date: 2022/08/07
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - '~1\'
+ - '~2\'
+ filter_dism:
+ ParentImage: C:\Windows\System32\Dism.exe
+ condition: selection and not 1 of filter_*
+falsepositives:
+ - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1564.004
diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml
new file mode 100644
index 000000000..e01fe0308
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml
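Review bot: The `CommandLine|contains` list stops at `'~1\'` and `'~2\'`, but Windows hands out higher numeric suffixes whenever more than two long names in one directory share the same first six characters; on a typical install the system drive already holds `PROGRA~1`, `PROGRA~2` and `PROGRA~3` for Program Files, Program Files (x86) and ProgramData, so a short path into ProgramData is missed by this rule. Adding `- '~3\'` and `- '~4\'` to the list closes the common collisions; the `Image|contains` list in proc_creation_win_ntfs_short_name_path_use_image.yml has the same gap and should get the same two entries. The description is a sentence fragment; `description: Detects use of a Windows 8.3 short name path in the command line, which can be used to evade command-line based detection` reads as one sentence and names what the rule actually matches (a path component, not a short file name).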
@@ -0,0 +1,30 @@
+title: Use Short Name Path in Image
+id: a96970af-f126-420d-90e1-d37bf25e50e1
+related:
+ - id: 349d891d-fef0-4fe4-bc53-eee623a15969
+ type: similar
+status: experimental
+description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Iamge detection
+author: frack113, Nasreddine Bencherchali
+references:
+ - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
+ - https://twitter.com/frack113/status/1555830623633375232
+date: 2022/08/07
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|contains:
+ - '~1\'
+ - '~2\'
+ filter_dism:
+ ParentImage: C:\Windows\System32\Dism.exe
+ condition: selection and not 1 of filter_*
+falsepositives:
+ - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1564.004
diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml
index 46a33868e..4dea126c3 100644
--- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml
+++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml
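Review bot: The description says `avoid Iamge detection`; that should read `Image`, and the fragment is clearer as `description: Detects use of a Windows 8.3 short name path in the process image, which can be used to evade image-based detection`. The `related` list in both new files only points at the sibling rule; the rule they were split out of, dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795 (Use NTFS Short Name in Command Line), is not linked from either, so adding it under `related` with `type: similar` in both files keeps the three discoverable together. This file is `level: high` while its command-line twin is `level: medium`; if the difference is deliberate, a short reason in the description or falsepositives entry would save the next reader the question.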
@@ -7,31 +7,15 @@ references:
 - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
 date: 2022/08/05
-modified: 2022/08/06
 logsource:
 category: process_creation
 product: windows
 detection:
- selection_cmd:
+ selection:
 CommandLine|contains:
 - '~1.'
 - '~2.'
- - '~1\'
- - '~2\'
- selection_image:
- Image|contains:
- - '~1.'
- - '~2.'
- - '~1\'
- - '~2\'
- filter_dism:
- ParentImage: C:\Windows\System32\Dism.exe
- filter_ninite:
- ParentImage|endswith:
- - \Ninite.exe
- - \target.exe
- - \target.bat
- condition: 1 of selection_* and not 1 of filter_*
+ condition: selection
 falsepositives:
 - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
 level: medium
From acbc9110e4a1d33e7f011952e322366b34400587 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 7 Aug 2022 08:38:11 +0200
Subject: [PATCH 3/3] Add short name path
---
 .github/workflows/known-FPs.csv | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index 59eed8e9a..3717f73f1 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
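Review bot: Reverting to the original selection drops the Image-side `'~1.'`/`'~2.'` coverage that patch 1 introduced without moving it anywhere else: the new proc_creation_win_ntfs_short_name_path_use_image.yml matches only `~1\`/`~2\`, i.e. a short name used as a directory component, so a short file name in Image (a constructed example would be a path ending in `\TEAMVI~1.EXE`) matches no rule after this series, while the same form in CommandLine still matches here. Whether process-creation telemetry ever records Image in that form should be checked against the test events, but if it does, an `Image|contains` selection with `'~1.'` and `'~2.'` belongs either in this rule or in the new image rule. Since the file ends up identical to its pre-series content, removing `modified: 2022/08/06` is correct.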
@@ -31,4 +31,7 @@ cfeed607-6aa4-4bbd-9627-b637deb723c8;New or Renamed User Account with '$' in Att
 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6
 a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;Ninite\.exe
 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;Ninite\.exe
-
+a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe
+349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;target\.exe
+a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe
+349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe