Techniques
Sample rules
Use NTFS Short Name in Command Line
- source: sigma
- techniques:
  - t1564
  - t1564.004
Description
Detects use of a Windows 8.3 short name in the command line, which could be used as a method to avoid command-line detection.
Detection logic
condition: selection and not filter
filter:
- ParentImage|endswith:
  - \WebEx\WebexHost.exe
  - \thor\thor64.exe
- CommandLine|contains: C:\xampp\vcredist\VCREDI~1.EXE
selection:
  CommandLine|contains:
  - ~1.exe
  - ~1.bat
  - ~1.msi
  - ~1.vbe
  - ~1.vbs
  - ~1.dll
  - ~1.ps1
  - ~1.js
  - ~1.hta
  - ~2.exe
  - ~2.bat
  - ~2.msi
  - ~2.vbe
  - ~2.vbs
  - ~2.dll
  - ~2.ps1
  - ~2.js
  - ~2.hta
Use Short Name Path in Image
- source: sigma
- techniques:
  - t1564
  - t1564.004
Description
Detects use of a Windows 8.3 short name in the image path, which could be used as a method to avoid Image-based detection.
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_installers:
- Image|contains|all:
  - \AppData\
  - \Temp\
- Image|endswith:
  - ~1\unzip.exe
  - ~1\7zG.exe
filter_main_system_process:
  ParentImage:
  - C:\Windows\System32\Dism.exe
  - C:\Windows\System32\cleanmgr.exe
filter_optional_installshield:
- Product: InstallShield (R)
- Description: InstallShield (R) Setup Engine
- Company: InstallShield Software Corporation
filter_optional_thor:
  ParentImage|endswith: \thor\thor64.exe
filter_optional_webex:
  ParentImage|endswith: \WebEx\WebexHost.exe
selection:
  Image|contains:
  - ~1\
  - ~2\
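The selection and filter logic of both rules above, written out as plain Python predicates and run over constructed process-creation events. This is an added example, not code from the Sigma project; field names follow the rules, the sample events are constructed, and lowercasing both sides is assumed to mirror Sigma's default case-insensitive string matching.

```python
# Added example, not from the rules' source: the two Sigma rules above as Python predicates
# over constructed Sysmon-style process-creation events (field names follow the rules).
SHORT_EXTS = ("exe", "bat", "msi", "vbe", "vbs", "dll", "ps1", "js", "hta")
CMDLINE_TOKENS = [f"~{n}.{ext}" for n in (1, 2) for ext in SHORT_EXTS]  # rule 1 selection list

def _f(ev, key):  # Sigma matching is case-insensitive; a missing field compares as ""
    return str(ev.get(key, "")).lower()

def short_name_in_command_line(ev):
    """Rule 1: CommandLine contains ~1.<ext> or ~2.<ext>, minus the listed filters."""
    cmd, parent = _f(ev, "CommandLine"), _f(ev, "ParentImage")
    selection = any(tok in cmd for tok in CMDLINE_TOKENS)
    # 'filter' is a YAML list, so any single entry suppresses the match
    filt = (parent.endswith(("\\webex\\webexhost.exe", "\\thor\\thor64.exe"))
            or "c:\\xampp\\vcredist\\vcredi~1.exe" in cmd)
    return selection and not filt

def short_name_in_image(ev):
    """Rule 2: Image contains ~1\\ or ~2\\, minus filter_main_* and filter_optional_*."""
    image, parent = _f(ev, "Image"), _f(ev, "ParentImage")
    selection = "~1\\" in image or "~2\\" in image
    filter_main = (
        ("\\appdata\\" in image and "\\temp\\" in image)  # filter_main_installers (contains|all)
        or image.endswith(("~1\\unzip.exe", "~1\\7zg.exe"))
        or parent in ("c:\\windows\\system32\\dism.exe",  # filter_main_system_process
                      "c:\\windows\\system32\\cleanmgr.exe"))
    filter_optional = (
        _f(ev, "Product") == "installshield (r)"  # filter_optional_installshield
        or _f(ev, "Description") == "installshield (r) setup engine"
        or _f(ev, "Company") == "installshield software corporation"
        or parent.endswith(("\\thor\\thor64.exe", "\\webex\\webexhost.exe")))
    return selection and not filter_main and not filter_optional

EXPLORER = "C:\\Windows\\explorer.exe"
EVENTS = {  # constructed sample events, not real telemetry
    "cmdline_hit": {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": EXPLORER,
                    "CommandLine": "cmd.exe /c C:\\Users\\bob\\Downloads\\INVOIC~1.EXE"},
    "cmdline_webex": {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "C:\\Temp\\UPDATE~1.EXE",
                      "ParentImage": "C:\\Program Files\\WebEx\\WebexHost.exe"},
    "image_hit": {"Image": "C:\\Users\\bob\\DOWNLO~1\\setup.exe", "ParentImage": EXPLORER,
                  "CommandLine": "C:\\Users\\bob\\DOWNLO~1\\setup.exe"},
    "image_temp": {"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\PKG~1\\installer.exe",
                   "ParentImage": EXPLORER, "CommandLine": "installer.exe /S"},
    "image_installshield": {"Image": "C:\\PROGRA~2\\Vendor\\setup.exe", "ParentImage": EXPLORER,
                            "CommandLine": "setup.exe", "Product": "InstallShield (R)"},
}
def evaluate(events=EVENTS):
    """Return {label: (rule1_fired, rule2_fired)} for each event."""
    return {k: (short_name_in_command_line(e), short_name_in_image(e)) for k, e in events.items()}
```

Only `cmdline_hit` and `image_hit` fire; the other three are suppressed by the WebEx parent filter, the AppData/Temp installer filter and the InstallShield product filter respectively.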
