Detectionhightest

Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image

Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François Hubaut, Florian Roth (Nextron Systems), Josh NickelsCreated Mon Sep 02Updated Fri May 30584bca0f-3608-4402-80fd-4075ff6072e3windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        OriginalFileName:
            - 'Cmd.EXE'
            - 'cscript.exe'
            - 'PowerShell.EXE'
            - 'PowerShell_ISE.EXE'
            - 'pwsh.dll'
            - 'wscript.exe'
    selection_special_chars:
        CommandLine|contains:
            # spacing modifier letters that get auto-replaced
            - 'ˣ' # 0x02E3
            - '˪' # 0x02EA
            - 'ˢ' # 0x02E2
            # Forward slash alternatives
            - '∕' # 0x22FF
            - '⁄' # 0x206F
            # Hyphen alternatives
            - '―' # 0x2015
            - '—' # 0x2014
            # Whitespace that don't work as path separator
            - ' ' # 0x00A0
            # Other
            - '¯'
            - '®'
            - '¶'
            # Unicode whitespace characters
            - '⠀' # Braille Pattern Blank (Unicode: U+2800)
    condition: all of selection_*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1027 · Obfuscated Files or Information

Related Rules

SimilarThreat Huntmedium

Potential CommandLine Obfuscation Using Unicode Characters

Detects potential CommandLine obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

Detects similar activity. Both rules may fire on overlapping events.

SimilarDetectionhigh

Potential Defense Evasion Via Right-to-Left Override

Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This character is used as an obfuscation and masquerading techniques by adversaries to trick users into opening malicious files.

Detects similar activity. Both rules may fire on overlapping events.

Similar

2c0d2d7b-30d6-4d14-9751-7b9113042ab9

Rule not found

Rule Metadata

Rule ID

584bca0f-3608-4402-80fd-4075ff6072e3

Status

test

Level

high

Type

Detection

Created

Mon Sep 02

Modified

Fri May 30

Author

François Hubaut, Florian Roth (Nextron Systems), Josh Nickels

Path

rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml

Raw Tags

attack.defense-evasionattack.t1027

View on GitHub