title: NTFS Vulnerability Exploitation
id: f14719ce-d3ab-4e25-9ce6-2899092260b0
description: This rule detects the exploitation of an NTFS vulnerability that was reported, without many details, via Twitter
author: Florian Roth
date: 2021/01/11
references:
    - https://twitter.com/jonasLyk/status/1347900440000811010
    - https://twitter.com/wdormann/status/1347958161609809921
tags:
    - attack.impact
    - attack.t1499.001
logsource:
    product: windows
    service: system
detection:
    SELECTION_1:
        EventID: 55
    SELECTION_2:
        Origin: File System Driver
    SELECTION_3:
        Description: '*contains a corrupted file record*'
    SELECTION_4:
        Description: '*The name of the file is "\"*'
    condition: SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4
falsepositives:
    - Unlikely
level: critical
yml_filename: win_ntfs_vuln_exploit.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
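As an added illustration of how the four selections combine (example code written for this page, not part of the rule or of the Sigma project), the snippet below evaluates the rule's condition over constructed System-log events using Sigma's case-insensitive `*` wildcard semantics; the event dictionaries and their message text are assumed sample data, not real captures.

```python
import fnmatch

# The rule's four selections, copied from the YAML above.
RULE = {
    "SELECTION_1": {"EventID": 55},
    "SELECTION_2": {"Origin": "File System Driver"},
    "SELECTION_3": {"Description": "*contains a corrupted file record*"},
    "SELECTION_4": {"Description": '*The name of the file is "\\"*'},
}

def value_matches(pattern, value):
    """Sigma string semantics: case-insensitive, '*' matches any run of characters."""
    if isinstance(pattern, int):
        try:
            return int(value) == pattern
        except (TypeError, ValueError):
            return False
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())

def selection_matches(selection, event):
    """All field/value pairs inside one selection must match (implicit AND)."""
    return all(field in event and value_matches(pat, event[field])
               for field, pat in selection.items())

def rule_matches(event):
    """Condition from the rule: SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4."""
    return all(selection_matches(sel, event) for sel in RULE.values())

# Constructed sample events (assumed message text, not real log captures).
SAMPLE_EVENTS = [
    {   # should alert: corrupted MFT record whose reported file name is "\"
        "EventID": 55, "Origin": "File System Driver",
        "Description": ("A corruption was discovered in the file system structure on volume C:. "
                        "The Master File Table (MFT) contains a corrupted file record. "
                        'The name of the file is "\\".'),
    },
    {   # same corruption text, but an ordinary file name: SELECTION_4 fails
        "EventID": 55, "Origin": "File System Driver",
        "Description": ("The Master File Table (MFT) contains a corrupted file record. "
                        'The name of the file is "\\Users\\alice\\notes.txt".'),
    },
    {   # a different System-log event: SELECTION_1 fails
        "EventID": 98, "Origin": "File System Driver",
        "Description": "Volume C: is healthy. No action is needed.",
    },
]
```

Only the first sample event satisfies all four selections; the second shows why the file-name selection is needed to separate this condition from other corrupted-record reports.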