Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
status testauthor Sami Ruohonenid 8c521530-5169-495d-a199-0a3a881ad24e
view Sigma YAML
title: NTFS Alternate Data Stream
id: 8c521530-5169-495d-a199-0a3a881ad24e
status: test
description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
references:
- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
author: Sami Ruohonen
date: 2018-07-24
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1564.004
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_content:
ScriptBlockText|contains:
- set-content
- add-content
selection_stream:
ScriptBlockText|contains: '-stream'
condition: all of selection*
falsepositives:
- Unknown
level: high
high
Potential Rundll32 Execution With DLL Stored In ADS
Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
status testauthor Harjot Singh, '@cyb3rjy0t'id 9248c7e1-2bf3-4661-a22c-600a8040b446
view Sigma YAML
title: Potential Rundll32 Execution With DLL Stored In ADS
id: 9248c7e1-2bf3-4661-a22c-600a8040b446
status: test
description: Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
references:
- https://lolbas-project.github.io/lolbas/Binaries/Rundll32
author: Harjot Singh, '@cyb3rjy0t'
date: 2023-01-21
modified: 2026-03-16
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
# Example:
# rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
# Note: This doesn't cover the use case where a full path for the DLL isn't used. As it requires a more expensive regex
CommandLine|re: '[Rr][Uu][Nn][Dd][Ll][Ll]32(?:\.[Ee][Xx][Ee])? \S+?\w:\S+?:'
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
PrintBrm ZIP Creation of Extraction
Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
status testauthor frack113id cafeeba3-01da-4ab4-b6c4-a31b1d9730c7
view Sigma YAML
title: PrintBrm ZIP Creation of Extraction
id: cafeeba3-01da-4ab4-b6c4-a31b1d9730c7
status: test
description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
references:
- https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/
author: frack113
date: 2022-05-02
tags:
- attack.command-and-control
- attack.stealth
- attack.t1105
- attack.t1564.004
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\PrintBrm.exe'
CommandLine|contains|all:
- ' -f'
- '.zip'
condition: selection
falsepositives:
- Unknown
level: high
high
Run PowerShell Script from ADS
Detects PowerShell script execution from Alternate Data Stream (ADS)
status testauthor Sergey Soldatov, Kaspersky Lab, oscd.communityid 45a594aa-1fbd-4972-a809-ff5a99dd81b8
view Sigma YAML
title: Run PowerShell Script from ADS
id: 45a594aa-1fbd-4972-a809-ff5a99dd81b8
status: test
description: Detects PowerShell script execution from Alternate Data Stream (ADS)
references:
- https://github.com/p0shkatz/Get-ADS/blob/1c3a3562e713c254edce1995a7d9879c687c7473/Get-ADS.ps1
author: Sergey Soldatov, Kaspersky Lab, oscd.community
date: 2019-10-30
modified: 2022-07-14
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains|all:
- 'Get-Content'
- '-Stream'
condition: selection
falsepositives:
- Unknown
level: high
high
Suspicious File Download From File Sharing Websites - File Stream
Detects the download of suspicious file type from a well-known file and paste sharing domain
status testauthor Florian Roth (Nextron Systems)id 52182dfb-afb7-41db-b4bc-5336cb29b464
view Sigma YAML
title: Suspicious File Download From File Sharing Websites - File Stream
id: 52182dfb-afb7-41db-b4bc-5336cb29b464
related:
- id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
type: similar
status: test
description: Detects the download of suspicious file type from a well-known file and paste sharing domain
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
- https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2025-12-10
tags:
- attack.stealth
- attack.s0139
- attack.t1564.004
logsource:
product: windows
category: create_stream_hash
detection:
selection_domain:
Contents|contains:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'pixeldrain.com'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
selection_extension:
TargetFilename|contains:
- '.cpl:Zone'
- '.dll:Zone'
- '.exe:Zone'
- '.hta:Zone'
- '.lnk:Zone'
- '.one:Zone'
- '.vbe:Zone'
- '.vbs:Zone'
- '.xll:Zone'
condition: all of selection_*
falsepositives:
- Some false positives might occur with binaries download via Github
level: high
high
Unusual File Download from Direct IP Address
Detects the download of suspicious file type from URLs with IP
title: Unusual File Download from Direct IP Address
id: 025bd229-fd1f-4fdb-97ab-20006e1a5368
status: test
description: Detects the download of suspicious file type from URLs with IP
references:
- https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md
- https://labs.withsecure.com/publications/detecting-onenote-abuse
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-09-07
modified: 2023-02-10
tags:
- attack.stealth
- attack.t1564.004
logsource:
product: windows
category: create_stream_hash
detection:
selection:
Contents|re: 'http[s]?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
TargetFilename|contains:
- '.ps1:Zone'
- '.bat:Zone'
- '.exe:Zone'
- '.vbe:Zone'
- '.vbs:Zone'
- '.dll:Zone'
- '.one:Zone'
- '.cmd:Zone'
- '.hta:Zone'
- '.xll:Zone'
- '.lnk:Zone'
condition: selection
falsepositives:
- Unknown
level: high
medium
Execute From Alternate Data Streams
Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
status testauthor frack113id 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
view Sigma YAML
title: Execute From Alternate Data Streams
id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
status: test
description: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
author: frack113
date: 2021-09-01
modified: 2022-10-09
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection_stream:
CommandLine|contains: 'txt:'
selection_tools_type:
CommandLine|contains|all:
- 'type '
- ' > '
selection_tools_makecab:
CommandLine|contains|all:
- 'makecab '
- '.cab'
selection_tools_reg:
CommandLine|contains|all:
- 'reg '
- ' export '
selection_tools_regedit:
CommandLine|contains|all:
- 'regedit '
- ' /E '
selection_tools_esentutl:
CommandLine|contains|all:
- 'esentutl '
- ' /y '
- ' /d '
- ' /o '
condition: selection_stream and (1 of selection_tools_*)
falsepositives:
- Unknown
level: medium
medium
Hidden Executable In NTFS Alternate Data Stream
Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
status testauthor Florian Roth (Nextron Systems), @0xrawsecid b69888d4-380c-45ce-9cf9-d9ce46e67821
view Sigma YAML
title: Hidden Executable In NTFS Alternate Data Stream
id: b69888d4-380c-45ce-9cf9-d9ce46e67821
status: test
description: Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
references:
- https://twitter.com/0xrawsec/status/1002478725605273600?s=21
author: Florian Roth (Nextron Systems), @0xrawsec
date: 2018-06-03
modified: 2023-02-10
tags:
- attack.stealth
- attack.s0139
- attack.t1564.004
logsource:
product: windows
category: create_stream_hash
definition: 'Requirements: Sysmon or equivalent configured with Imphash logging'
detection:
selection:
Hash|contains: 'IMPHASH='
filter_main_null:
Hash|contains: 'IMPHASH=00000000000000000000000000000000'
condition: selection and not 1 of filter_main_*
falsepositives:
- This rule isn't looking for any particular binary characteristics. As legitimate installers and programs were seen embedding hidden binaries in their ADS. Some false positives are expected from browser processes and similar.
level: medium
medium
Hidden Flag Set On File/Directory Via Chflags - MacOS
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
status testauthor Omar Khaled (@beacon_exe)id 3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe
view Sigma YAML
title: Hidden Flag Set On File/Directory Via Chflags - MacOS
id: 3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe
status: test
description: |
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
references:
- https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/
- https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf
- https://ss64.com/mac/chflags.html
author: Omar Khaled (@beacon_exe)
date: 2024-08-21
tags:
- attack.credential-access
- attack.command-and-control
- attack.stealth
- attack.t1218
- attack.t1564.004
- attack.t1552.001
- attack.t1105
logsource:
product: macos
category: process_creation
detection:
selection:
Image|endswith: '/chflags'
CommandLine|contains: 'hidden '
condition: selection
falsepositives:
- Legitimate usage of chflags by administrators and users.
level: medium
medium
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"
status testauthor Scoubi (@ScoubiMtl)id a8f866e1-bdd4-425e-a27a-37619238d9c7
view Sigma YAML
title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
id: a8f866e1-bdd4-425e-a27a-37619238d9c7
related:
- id: 0900463c-b33b-49a8-be1d-552a3b553dae
type: similar
status: test
description: |
Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"
references:
- https://twitter.com/pfiatde/status/1681977680688738305
- https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
- https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
- https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
author: Scoubi (@ScoubiMtl)
date: 2023-10-09
tags:
- attack.stealth
- attack.t1564.004
logsource:
product: windows
category: file_event
detection:
selection:
# Note: Both Sysmon and ETW are unable to log the presence of such streams in the CommandLine. But EDRs such as Crowdstrike are able to use e.g. CMD console history. Users are advised to test this before usage
TargetFilename|contains: '::$index_allocation'
condition: selection
falsepositives:
- Unlikely
level: medium
medium
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
status testauthor Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)id 0900463c-b33b-49a8-be1d-552a3b553dae
view Sigma YAML
title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
id: 0900463c-b33b-49a8-be1d-552a3b553dae
related:
- id: a8f866e1-bdd4-425e-a27a-37619238d9c7
type: similar
status: test
description: |
Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
references:
- https://twitter.com/pfiatde/status/1681977680688738305
- https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
- https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
- https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
date: 2023-10-09
tags:
- attack.stealth
- attack.t1564.004
logsource:
product: windows
category: process_creation
detection:
selection:
# Note: Both Sysmon and ETW are unable to log the presence of such stream in the CommandLine. But EDRs such as Crowdstrike are able to using for example CMD console history. Users are advised to test this before usage
CommandLine|contains: '::$index_allocation'
condition: selection
falsepositives:
- Unlikely
level: medium
medium
Powershell Store File In Alternate Data Stream
Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
status testauthor frack113id a699b30e-d010-46c8-bbd1-ee2e26765fe9
view Sigma YAML
title: Powershell Store File In Alternate Data Stream
id: a699b30e-d010-46c8-bbd1-ee2e26765fe9
status: test
description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
author: frack113
date: 2021-09-02
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1564.004
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_compspec:
ScriptBlockText|contains|all:
- 'Start-Process'
- '-FilePath "$env:comspec" '
- '-ArgumentList '
- '>'
condition: selection_compspec
falsepositives:
- Unknown
level: medium
medium
Remote File Download Via Findstr.EXE
Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
title: Remote File Download Via Findstr.EXE
id: 587254ee-a24b-4335-b3cd-065c0f1f4baa
related:
- id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
type: obsolete
status: test
description: |
Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Findstr/
- https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-05
modified: 2024-03-05
tags:
- attack.credential-access
- attack.command-and-control
- attack.stealth
- attack.t1218
- attack.t1564.004
- attack.t1552.001
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_findstr:
- CommandLine|contains: findstr
- Image|endswith: 'findstr.exe'
- OriginalFileName: 'FINDSTR.EXE'
selection_cli_download_1:
CommandLine|contains|windash: ' -v '
selection_cli_download_2:
CommandLine|contains|windash: ' -l '
selection_cli_download_3:
CommandLine|contains: '\\\\'
condition: selection_findstr and all of selection_cli_download_*
falsepositives:
- Unknown
level: medium
medium
Suspicious Diantz Alternate Data Stream Execution
Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
status testauthor frack113id 6b369ced-4b1d-48f1-b427-fdc0de0790bd
view Sigma YAML
title: Suspicious Diantz Alternate Data Stream Execution
id: 6b369ced-4b1d-48f1-b427-fdc0de0790bd
status: test
description: Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Diantz/
author: frack113
date: 2021-11-26
modified: 2022-12-31
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- diantz.exe
- .cab
CommandLine|re: ':[^\\]'
condition: selection
falsepositives:
- Very Possible
level: medium
medium
Suspicious Extrac32 Alternate Data Stream Execution
Extract data from cab file and hide it in an alternate data stream
status testauthor frack113id 4b13db67-0c45-40f1-aba8-66a1a7198a1e
view Sigma YAML
title: Suspicious Extrac32 Alternate Data Stream Execution
id: 4b13db67-0c45-40f1-aba8-66a1a7198a1e
status: test
description: Extract data from cab file and hide it in an alternate data stream
references:
- https://lolbas-project.github.io/lolbas/Binaries/Extrac32/
author: frack113
date: 2021-11-26
modified: 2022-12-30
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- extrac32.exe
- .cab
CommandLine|re: ':[^\\]'
condition: selection
falsepositives:
- Unknown
level: medium
medium
Unusual File Download From File Sharing Websites - File Stream
Detects the download of suspicious file type from a well-known file and paste sharing domain
status testauthor Florian Roth (Nextron Systems)id ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
view Sigma YAML
title: Unusual File Download From File Sharing Websites - File Stream
id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
related:
- id: 52182dfb-afb7-41db-b4bc-5336cb29b464
type: similar
status: test
description: Detects the download of suspicious file type from a well-known file and paste sharing domain
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2025-12-10
tags:
- attack.stealth
- attack.s0139
- attack.t1564.004
logsource:
product: windows
category: create_stream_hash
detection:
selection_domain:
Contents|contains:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'pixeldrain.com'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
selection_extension:
TargetFilename|contains:
- '.bat:Zone'
- '.cmd:Zone'
- '.ps1:Zone'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
medium
Use NTFS Short Name in Command Line
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
status testauthor frack113, Nasreddine Bencherchali (Nextron Systems)id dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795
view Sigma YAML
title: Use NTFS Short Name in Command Line
id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795
related:
- id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b
type: similar
status: test
description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
references:
- https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
- https://twitter.com/jonasLyk/status/1555914501802921984
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2022-09-21
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '~1.exe'
- '~1.bat'
- '~1.msi'
- '~1.vbe'
- '~1.vbs'
- '~1.dll'
- '~1.ps1'
- '~1.js'
- '~1.hta'
- '~2.exe'
- '~2.bat'
- '~2.msi'
- '~2.vbe'
- '~2.vbs'
- '~2.dll'
- '~2.ps1'
- '~2.js'
- '~2.hta'
filter:
- ParentImage|endswith:
- '\WebEx\WebexHost.exe'
- '\thor\thor64.exe'
- CommandLine|contains: 'C:\xampp\vcredist\VCREDI~1.EXE'
condition: selection and not filter
falsepositives:
- Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
level: medium
medium
Use NTFS Short Name in Image
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection
status testauthor frack113, Nasreddine Bencherchali (Nextron Systems)id 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b
view Sigma YAML
title: Use NTFS Short Name in Image
id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b
related:
- id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795
type: similar
status: test
description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection
references:
- https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
- https://twitter.com/jonasLyk/status/1555914501802921984
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-06
modified: 2023-07-20
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- '~1.bat'
- '~1.dll'
- '~1.exe'
- '~1.hta'
- '~1.js'
- '~1.msi'
- '~1.ps1'
- '~1.tmp'
- '~1.vbe'
- '~1.vbs'
- '~2.bat'
- '~2.dll'
- '~2.exe'
- '~2.hta'
- '~2.js'
- '~2.msi'
- '~2.ps1'
- '~2.tmp'
- '~2.vbe'
- '~2.vbs'
filter_main_generic_parent:
ParentImage: 'C:\Windows\explorer.exe'
filter_optional_webex:
ParentImage|endswith: '\WebEx\WebexHost.exe'
filter_optional_thor:
ParentImage|endswith: '\thor\thor64.exe'
filter_optional_winzip:
Image: 'C:\PROGRA~1\WinZip\WZPREL~1.EXE'
filter_optional_vcred:
Image|endswith: '\VCREDI~1.EXE'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Software Installers
level: medium
medium
Use Short Name Path in Image
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
status testauthor frack113, Nasreddine Bencherchaliid a96970af-f126-420d-90e1-d37bf25e50e1
view Sigma YAML
title: Use Short Name Path in Image
id: a96970af-f126-420d-90e1-d37bf25e50e1
related:
- id: 349d891d-fef0-4fe4-bc53-eee623a15969
type: similar
status: test
description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
references:
- https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
- https://twitter.com/frack113/status/1555830623633375232
author: frack113, Nasreddine Bencherchali
date: 2022-08-07
modified: 2025-10-20
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- '~1\'
- '~2\'
filter_main_system_process:
ParentImage:
- 'C:\Windows\System32\Dism.exe'
- 'C:\Windows\System32\cleanmgr.exe' # Spawns DismHost.exe with a shortened username (if too long)
filter_main_installers:
- Image|contains|all:
- '\AppData\'
- '\Temp\'
- Image|endswith:
- '~1\unzip.exe'
- '~1\7zG.exe'
filter_optional_webex:
ParentImage|endswith: '\WebEx\WebexHost.exe' # Spawns a shortened version of the CLI and Image processes
filter_optional_thor:
ParentImage|endswith: '\thor\thor64.exe'
filter_optional_installshield:
- Product: 'InstallShield (R)'
- Description: 'InstallShield (R) Setup Engine'
- Company: 'InstallShield Software Corporation'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
level: medium
low
Insensitive Subfolder Search Via Findstr.EXE
Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.