Potential Command Line Path Traversal Evasion Attempt
- source: sigma
- techniques:
  - t1036
Description
Detects potential evasion or obfuscation attempts that use bogus path traversal (e.g. `\..\` segments) in the command line.
Detection logic
detection:
  selection_1:
    CommandLine|contains:
      - '\..\Windows\'
      - '\..\System32\'
      - '\..\..\'
    Image|contains: '\Windows\'
  selection_2:
    CommandLine|contains: '.exe\..\'
  filter_optional_citrix:
    CommandLine|contains: '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\'
  filter_optional_google_drive:
    CommandLine|contains: '\Google\Drive\googledrivesync.exe\..\'
  condition: 1 of selection_* and not 1 of filter_optional_*
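To show how the conditions combine (either selection fires, unless one of the optional filters also matches, and selection_1 additionally requires the image to sit under \Windows\), here is an added Python evaluator for this rule run over constructed process-creation events. It is written for this page, not code from the Sigma project, and assumes the event fields are named CommandLine and Image as in the rule, with Sigma's default case-insensitive substring semantics for `contains`.

```python
# Added example (not Sigma project code): a hand-written evaluator for the rule
# above, run over constructed process-creation events. Assumes Sigma's default
# case-insensitive substring semantics for the `contains` modifier.

SELECTION_1_CMD = ["\\..\\Windows\\", "\\..\\System32\\", "\\..\\..\\"]
SELECTION_1_IMAGE = "\\Windows\\"
SELECTION_2_CMD = ".exe\\..\\"
FILTERS_OPTIONAL = [
    "\\Citrix\\Virtual Smart Card\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\..\\",
    "\\Google\\Drive\\googledrivesync.exe\\..\\",
]


def contains(value, needle):
    """Sigma `|contains`: case-insensitive substring test."""
    return needle.lower() in (value or "").lower()


def matches(event):
    """Evaluate: 1 of selection_* and not 1 of filter_optional_*."""
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "")
    # selection_1 needs BOTH a traversal string in the command line AND an image under \Windows\
    selection_1 = any(contains(cmd, n) for n in SELECTION_1_CMD) and contains(image, SELECTION_1_IMAGE)
    # selection_2 fires on "<name>.exe\..\" anywhere in the command line, whatever the image path
    selection_2 = contains(cmd, SELECTION_2_CMD)
    filtered = any(contains(cmd, f) for f in FILTERS_OPTIONAL)
    return (selection_1 or selection_2) and not filtered


def flagged(events):
    """Ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "dotdot-windows", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c C:\\Windows\\..\\Windows\\System32\\notepad.exe"},
    {"id": "google-drive-filtered", "Image": "C:\\Program Files\\Google\\Drive\\googledrivesync.exe",
     "CommandLine": "\"C:\\Program Files\\Google\\Drive\\googledrivesync.exe\\..\\googledrivesync.exe\" /autostart"},
    {"id": "image-outside-windows", "Image": "C:\\Tools\\runner.exe",
     "CommandLine": "runner.exe C:\\Tools\\..\\..\\Windows\\win.ini"},  # selection_1 strings, but Image gate fails
    {"id": "relative-no-backslash", "Image": "C:\\Users\\alice\\tool.exe",
     "CommandLine": "tool.exe ..\\..\\data.txt"},  # no leading backslash before "..", so no match
    {"id": "exe-dotdot", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe",
     "CommandLine": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe\\..\\upd.exe /quiet"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['id']:24} -> {'ALERT' if matches(e) else 'ok'}")
```

The two non-alerting traversal events illustrate the rule's deliberate narrowness: selection_1 is gated on the image path, and a `..\` that is not preceded by a backslash is outside every pattern.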