sigmamediumHunting

Potential Command Line Path Traversal Evasion Attempt

Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline

MITRE ATT&CK

defense-evasion

Detection Query

selection_1:
  Image|contains: \Windows\
  CommandLine|contains:
    - \..\Windows\
    - \..\System32\
    - \..\..\
selection_2:
  CommandLine|contains: .exe\..\
filter_optional_google_drive:
  CommandLine|contains: \Google\Drive\googledrivesync.exe\..\
filter_optional_citrix:
  CommandLine|contains: \Citrix\Virtual Smart
    Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\
condition: 1 of selection_* and not 1 of filter_optional_*

Author

Christian Burkard (Nextron Systems)

Created

2021-10-26

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasionattack.t1036

Raw Content

title: Potential Command Line Path Traversal Evasion Attempt
id: 1327381e-6ab0-4f38-b583-4c1b8346a56b
status: test
description: Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline
references:
    - https://twitter.com/hexacorn/status/1448037865435320323
    - https://twitter.com/Gal_B1t/status/1062971006078345217
author: Christian Burkard (Nextron Systems)
date: 2021-10-26
modified: 2023-03-29
tags:
    - attack.defense-evasion
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        Image|contains: '\Windows\'
        CommandLine|contains:
            - '\..\Windows\'
            - '\..\System32\'
            - '\..\..\'
    selection_2:
        CommandLine|contains: '.exe\..\'
    filter_optional_google_drive:
        CommandLine|contains: '\Google\Drive\googledrivesync.exe\..\'
    filter_optional_citrix:
        CommandLine|contains: '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Google Drive
    - Citrix
level: medium