title: Format.com FileSystem LOLBIN
id: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60
status: experimental
description: Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs
author: Florian Roth
date: 2022/01/04
references:
    - https://twitter.com/0gtweet/status/1477925112561209344
    - https://twitter.com/wdormann/status/1478011052130459653?s=20
tags:
    - attack.defense_evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\format.com'
        CommandLine|contains: '/fs:'
    filter:
        CommandLine|contains:
            - '/fs:FAT'
            - '/fs:exFAT'
            - '/fs:NTFS'
            - '/fs:UDF'
            - '/fs:ReFS'
    condition: selection and not 1 of filter*
falsepositives:
    - unknown
level: high