title: Command Line Path Traversial Evasion
author: Christian Burkard
date: 2021/10/26
description: Detects the attempt to evade or obfuscate the executed command on the
    CommandLine using bogus path traversal
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        Image: '*\Windows\\*'
    SELECTION_3:
        CommandLine: '*\..\Windows\\*'
    SELECTION_4:
        CommandLine: '*\..\System32\\*'
    SELECTION_5:
        CommandLine: '*\..\..\\*'
    SELECTION_6:
        CommandLine: '*.exe\..\\*'
    condition: (SELECTION_1 and ((SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5))
        or SELECTION_6))
falsepositives:
- Unknown
id: 1327381e-6ab0-4f38-b583-4c1b8346a56b
level: high
logsource:
    category: process_creation
    product: windows
references:
- https://twitter.com/hexacorn/status/1448037865435320323
- https://twitter.com/Gal_B1t/status/1062971006078345217
status: experimental
tags:
- attack.defense_evasion
- attack.t1036
yml_filename: win_commandline_path_traversal_evasion.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation