Use Short Name Path in Image

Severity: medium
Author: frack113, Nasreddine Bencherchali
Source: upstream

Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1564.004` Hide Artifacts: NTFS File Attributes

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `selection`

or:
Image|contains: '~1\'
Image|contains: '~2\'

Stage 2: `not 1 of filter_main_*`

or:
Image|contains: '\AppData\'
Image|contains: '\Temp\'
Image|endswith: '~1\7zG.exe'
Image|endswith: '~1\unzip.exe'
ParentImage: 'C:\Windows\System32\Dism.exe'
ParentImage: 'C:\Windows\System32\cleanmgr.exe'

Stage 3: `not 1 of filter_optional_*`

or:
Company: 'InstallShield Software Corporation'
Description: 'InstallShield (R) Setup Engine'
ParentImage|endswith: '\WebEx\WebexHost.exe'
ParentImage|endswith: '\thor\thor64.exe'
Product: 'InstallShield (R)'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Company`	eq	`InstallShield Software Corporation`
`Description`	eq	`InstallShield (R) Setup Engine`
`Image`	ends_with	`~1\7zG.exe` `~1\unzip.exe`
`Image`	match	`\AppData\` corpus 9 (sigma 9) `\Temp\` corpus 5 (sigma 5) `~1\` `~2\`
`ParentImage`	ends_with	`\WebEx\WebexHost.exe` corpus 3 (sigma 3) `\thor\thor64.exe` corpus 3 (sigma 3)
`ParentImage`	eq	`C:\Windows\System32\Dism.exe` `C:\Windows\System32\cleanmgr.exe`
`Product`	eq	`InstallShield (R)`