title: NTFS Vulnerability Exploitation
ruletype: Sigma
id: f14719ce-d3ab-4e25-9ce6-2899092260b0
status: experimental
description: Detects the exploitation of an NTFS vulnerability, as reported without many details via Twitter
references:
    - https://twitter.com/jonasLyk/status/1347900440000811010
    - https://twitter.com/wdormann/status/1347958161609809921
author: Florian Roth
date: 2021/01/11
modified: 2021/11/17
tags:
    - attack.impact
    - attack.t1499.001
logsource:
    product: windows
    service: system
detection:
    SELECTION_1:
        Provider_Name: Ntfs
    SELECTION_2:
        EventID: 55
    SELECTION_3:
        Origin: File System Driver
    SELECTION_4:
        Description: '*contains a corrupted file record*'
    SELECTION_5:
        Description: '*The name of the file is "\"*'
    condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
    - Unlikely
level: critical
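To show how the rule above evaluates against System log events, here is an added Python example (not part of the rule or of the Sigma project) that implements its five selections and AND condition with Sigma's case-insensitive wildcard matching and runs them over constructed sample events; the event dicts and their Description text are assumptions, with only the substrings the rule keys on taken from the rule.

```python
import re

# The rule's five selections, copied from the Sigma rule above. The condition
# ANDs all of them, so every selection must match for the event to fire.
RULE_SELECTIONS = {
    "SELECTION_1": {"Provider_Name": "Ntfs"},
    "SELECTION_2": {"EventID": 55},
    "SELECTION_3": {"Origin": "File System Driver"},
    "SELECTION_4": {"Description": "*contains a corrupted file record*"},
    "SELECTION_5": {"Description": '*The name of the file is "\\"*'},
}

def sigma_pattern_to_regex(pattern):
    """Translate a Sigma value with * and ? wildcards into an anchored, case-insensitive
    regex. Simplification: escaped wildcards (\\* and \\?) are not handled here."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in str(pattern)]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)

def field_matches(pattern, value):
    """Sigma string comparison: whole-value, case-insensitive, wildcards allowed."""
    if value is None:          # missing field never matches
        return False
    return sigma_pattern_to_regex(pattern).match(str(value)) is not None

def selection_matches(selection, event):
    return all(field_matches(pat, event.get(field)) for field, pat in selection.items())

def rule_matches(event):
    """The rule's condition: SELECTION_1 and ... and SELECTION_5."""
    return all(selection_matches(sel, event) for sel in RULE_SELECTIONS.values())

# Constructed sample events (not real Windows log data). Only the substrings the
# rule looks for are taken from the rule; the rest of each Description is filler.
SAMPLE_EVENTS = {
    "exploit_pattern": {      # corrupted record whose file name is just "\" -> fires
        "Provider_Name": "Ntfs", "EventID": 55, "Origin": "File System Driver",
        "Description": 'Volume C: contains a corrupted file record. The name of the file is "\\".',
    },
    "ordinary_corruption": {  # same event ID, but an ordinary file name -> no match
        "Provider_Name": "Ntfs", "EventID": 55, "Origin": "File System Driver",
        "Description": 'Volume D: contains a corrupted file record. The name of the file is "\\Users\\bob\\report.docx".',
    },
    "wrong_provider": {       # same text from another provider -> SELECTION_1 fails
        "Provider_Name": "Microsoft-Windows-Kernel-General", "EventID": 55, "Origin": "File System Driver",
        "Description": 'Volume C: contains a corrupted file record. The name of the file is "\\".',
    },
}

def matching_events(events=SAMPLE_EVENTS):
    """Names of the sample events that trigger the rule."""
    return sorted(name for name, ev in events.items() if rule_matches(ev))
```

Event ID 55 by itself only signals file-system corruption; the rule only fires when the reported file name is the bare `"\"`, which is why `ordinary_corruption` stays quiet.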