Command Obfuscation via Unicode Modifier Letters

  1[metadata]
  2creation_date = "2025/11/13"
  3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
  4maturity = "production"
  5updated_date = "2026/04/30"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the presence of Unicode modifier letters in the process command_line. Adversaries sometimes replace ASCII
 11characters with visually similar Unicode modifier letters to evade simple string-based detections.
 12"""
 13from = "now-9m"
 14index = [
 15    "endgame-*",
 16    "logs-crowdstrike.fdr*",
 17    "logs-endpoint.events.process-*",
 18    "logs-m365_defender.event-*",
 19    "logs-sentinel_one_cloud_funnel.*",
 20    "logs-system.security*",
 21    "logs-windows.forwarded*",
 22    "logs-windows.sysmon_operational-*",
 23    "winlogbeat-*",
 24]
 25language = "eql"
 26license = "Elastic License v2"
 27name = "Command Obfuscation via Unicode Modifier Letters"
 28references = ["https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation"]
 29risk_score = 73
 30rule_id = "37148ae6-c6ec-4fe4-88b1-02f40aed93a9"
 31severity = "high"
 32tags = [
 33    "Domain: Endpoint",
 34    "OS: Windows",
 35    "Use Case: Threat Detection",
 36    "Tactic: Defense Evasion",
 37    "Data Source: Elastic Endgame",
 38    "Resources: Investigation Guide",
 39    "Data Source: Elastic Defend",
 40    "Data Source: Windows Security Event Logs",
 41    "Data Source: Microsoft Defender XDR",
 42    "Data Source: Sysmon",
 43    "Data Source: SentinelOne",
 44    "Data Source: Crowdstrike",
 45]
 46timestamp_override = "event.ingested"
 47type = "eql"
 48
 49query = '''
 50process where host.os.type == "windows" and event.type == "start" and
 51  (
 52    process.name : (
 53      "reg.exe", "net.exe", "net1.exe", "certutil.exe", "MSHTA.EXE", "msiexec.exe", "bitsadmin.exe", "CertReq.exe",
 54      "PrintBrm.exe", "MSBuild.exe", "wuauclt.exe", "curl.exe", "wget.exe", "ssh.exe", "Cmd.Exe", "PowerShell.EXE",
 55      "CONHOST.EXE", "wscript.exe", "cscript.exe", "REGSVR32.EXE", "RUNDLL32.EXE", "procdump.exe", "ntdsutil.exe",
 56      "diskshadow.exe", "schtasks.exe", "sc.exe", "wmic.exe", "VSSADMIN.EXE", "WBADMIN.EXE", "iCACLS.EXE",
 57      "sftp.exe", "scp.exe", "esentutl.exe", "InstallUtil.exe", "wevtutil.exe"
 58    ) or
 59    ?process.pe.original_file_name in (
 60      "reg.exe", "net.exe", "net1.exe", "CertUtil.exe", "MSHTA.EXE", "msiexec.exe", "bitsadmin.exe", "CertReq.exe",
 61      "PrintBrm.exe", "MSBuild.exe", "wuauclt.exe", "curl.exe", "wget.exe", "ssh.exe", "Cmd.Exe", "PowerShell.EXE",
 62      "CONHOST.EXE", "wscript.exe", "cscript.exe", "REGSVR32.EXE", "RUNDLL32.EXE", "procdump", "ntdsutil.exe",
 63      "diskshadow.exe", "schtasks.exe", "sc.exe", "wmic.exe", "VSSADMIN.EXE", "WBADMIN.EXE", "iCACLS.EXE",
 64      "sftp.exe", "scp.exe", "esentutl.exe", "InstallUtil.exe", "wevtutil.exe"
 65    )
 66 ) and
 67 process.command_line regex """.*[ʰ-˿ᴬ-ᶻ]+.*"""
 68'''
 69
 70note = """## Triage and analysis
 71
 72### Investigating Command Obfuscation via Unicode Modifier Letters
 73
 74#### Possible investigation steps
 75
 76- What did the raw modifier-letter command hide after ASCII normalization?
 77  - Focus: raw `process.command_line` and modifier-letter code points in `U+02B0-U+02FF` or `U+1D2C-U+1D7B`.
 78  - Hint: preserve the raw string, view code points, then compare with NFKC or ASCII-folded rendering; visual review can miss modifier letters a Windows utility may parse as ASCII.
 79  - Implication: escalate when normalization reveals a behavior-changing verb, flag, URL, path, or target; lower suspicion when characters remain in localized names, package names, or path text and behavior is unchanged.
 80
 81- What operational intent does the normalized command express?
 82  - Focus: normalized `process.command_line`, `process.name`, and the hidden verb, option, URL, path, or target after ASCII normalization.
 83  - Hint: map the hidden token to the utility family: "urlcache" or remote retrieval for certutil/bitsadmin/curl/wget, "encodedcommand" or script execution for PowerShell/cmd/script hosts, add/create/delete for reg/sc/schtasks, shadow/log deletion for vssadmin/wevtutil, and dump/export for procdump/ntdsutil. Treat paired quote insertion or shorthand options as adjacent obfuscation on the same decision path.
 84  - Implication: escalate when the normalized token enables high-risk utility behavior; lower suspicion when it remains read-only status, inventory, or installer activity fitting the same process context.
 85
 86- Is the utility identity consistent with the normalized behavior?
 87  - Focus: `process.executable`, `process.pe.original_file_name`, `process.hash.sha256`, `process.code_signature.subject_name`, and `process.code_signature.trusted`.
 88  - Implication: escalate when the binary is renamed, user-writable, unsigned/untrusted, mismatched to its original file name, or new for the host; lower suspicion when a signed, stable utility path fits the normalized behavior. Identity alone never clears obfuscation.
 89
 90- Does the launch and session context explain why this utility received obfuscated text?
 91  - Focus: `process.parent.executable`, `process.parent.command_line`, `process.Ext.session_info.logon_type`, `process.Ext.token.elevation_level`, and the `user.id` / `host.id` cohort.
 92  - Implication: escalate when a document, browser, archive tool, script host, unexpected interactive user, remote session, or unexplained service chain introduces the command; lower suspicion when a recognized management, installer, or testing launcher runs the same unchanged pattern under the expected account and host cohort.
 93
 94- Did the obfuscated process launch follow-on process activity?
 95  - Focus: child process starts on the same `host.id` where `process.parent.entity_id` matches alert `process.entity_id`; read child `process.name`, `process.executable`, and `process.command_line`. $investigate_0
 96  - Hint: inspect same-process file, network, or registry activity for utility effects without child processes. $investigate_1 Missing network telemetry is unresolved, not benign. If `process.entity_id` is absent, pivot with `host.id`, alert `process.pid`, child `process.parent.pid`, and a tight alert window.
 97  - Implication: escalate when child activity shows shells, script hosts, installers, remote clients, credential tools, service/task utilities, or cleanup commands matching normalized intent; lower suspicion when no suspicious child follows and the normalized command fits the local workflow.
 98
 99- If local evidence is suspicious or unresolved, does related alert history change scope?
100  - Focus: related alerts for the same `host.id`, using the strongest local suspicious anchor: normalized command fragment, modifier-letter sequence, utility identity, or parent launcher. $investigate_2
101  - Hint: if host history does not explain the activity, compare related alerts for the same `user.id` with the same anchors. $investigate_3
102  - Implication: broaden containment when the same obfuscation pattern appears across unrelated hosts or users; keep local when the pattern stays confined to one confirmed workflow and process evidence has no contradiction.
103
104- Based on command meaning, utility identity, lineage/session, follow-on processes, and scope, what disposition is supported?
105  - Implication: escalate when normalization changes behavior and identity, lineage, child-process, or scope evidence supports abuse; close only when normalized meaning is unchanged or clearly benign and every process-context category fits one exact workflow; preserve raw command evidence and escalate when evidence is mixed or incomplete.
106
107### False positive analysis
108
109- Localized product names, internationalized paths, user-supplied file names, vendor installers, deployment frameworks, or internal admin tools can introduce non-ASCII package names or paths. Confirm only when normalization leaves behavior unchanged, modifier letters sit in content rather than a verb or flag, utility identity and parent command line match one recognized workflow, and `user.id` plus `host.id` fit the same local task. If records exist, use them as corroboration; otherwise require prior alerts from this rule with the same normalized command pattern, launcher, host, and user.
110- Security testing or detection-validation exercises may intentionally use obfuscated commands. Confirm by matching normalized `process.command_line`, modifier-letter sequence, `process.parent.executable`, `host.id`, and `user.id` to the test scope; outside test records can corroborate but should not override contradictory process evidence.
111- Before creating an exception, build it from the minimum confirmed pattern: normalized `process.command_line`, modifier-letter sequence or code-point range, utility identity in `process.executable` or `process.pe.original_file_name`, launcher context in `process.parent.executable`, and the stable `host.id` or `user.id` cohort. Avoid exceptions on `process.name` alone or the mere presence of non-ASCII characters.
112
113### Response and remediation
114
115- If confirmed benign, reverse any temporary containment and record the raw and normalized `process.command_line`, recovered code points, utility identity, parent command line, and `user.id` / `host.id` evidence that validated the workflow. Create an exception only for the same recurring pattern.
116- If suspicious but unconfirmed, preserve the raw command string, normalized rendering, recovered code points, alerting and child `process.entity_id` values, parent command line, and `user.id` / `host.id` scope before containment. Apply reversible containment first, such as heightened monitoring, temporary account restrictions, or host isolation only when the normalized command, lineage, or follow-on process activity suggests active compromise and the host can tolerate isolation.
117- If confirmed malicious, isolate the host or restrict the affected account based on the normalized intent, launcher chain, child process activity, and related-alert scope. Record alerting and child `process.entity_id` values before suspending or terminating processes, then eradicate only the payloads, configuration changes, or destructive actions identified in the case evidence.
118- Post-incident hardening: replace scripts that require modifier-letter arguments, pin administrative automation to stable signed launcher paths and expected parent command lines, and retain full process command-line, parentage, child-process, and user-host telemetry for future alerts.
119"""
120
121setup = """## Setup
122
123This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.
124
125Setup instructions: https://ela.st/install-elastic-defend
126
127### Additional data sources
128
129This rule also supports the following third-party data sources. For setup instructions, refer to the links below:
130
131- [CrowdStrike](https://ela.st/crowdstrike-integration)
132- [Microsoft Defender XDR](https://ela.st/m365-defender)
133- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
134- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
135- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
136"""
137
138[rule.investigation_fields]
139field_names = [
140    "@timestamp",
141    "host.id",
142    "user.id",
143    "process.entity_id",
144    "process.pid",
145    "process.executable",
146    "process.command_line",
147    "process.Ext.session_info.logon_type",
148    "process.Ext.token.elevation_level",
149    "process.hash.sha256",
150    "process.pe.original_file_name",
151    "process.code_signature.subject_name",
152    "process.code_signature.trusted",
153    "process.parent.executable",
154    "process.parent.command_line",
155]
156
157[transform]
158
159[[transform.investigate]]
160label = "Child process activity from the obfuscated process"
161description = ""
162providers = [
163  [
164    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
165    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
166    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
167    { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" }
168  ]
169]
170relativeFrom = "now-1h"
171relativeTo = "now"
172
173[[transform.investigate]]
174label = "File, network, or registry activity by the obfuscated process"
175description = ""
176providers = [
177  [
178    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
179    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
180    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
181  ],
182  [
183    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
184    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
185    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
186  ],
187  [
188    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
189    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
190    { excluded = false, field = "event.category", queryType = "phrase", value = "registry", valueType = "string" }
191  ]
192]
193relativeFrom = "now-1h"
194relativeTo = "now"
195
196[[transform.investigate]]
197label = "Alerts associated with the host"
198description = ""
199providers = [
200  [
201    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
202    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
203  ]
204]
205relativeFrom = "now-48h/h"
206relativeTo = "now"
207
208[[transform.investigate]]
209label = "Alerts associated with the user"
210description = ""
211providers = [
212  [
213    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
214    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
215  ]
216]
217relativeFrom = "now-48h/h"
218relativeTo = "now"
219
220[[rule.threat]]
221framework = "MITRE ATT&CK"
222[[rule.threat.technique]]
223id = "T1027"
224name = "Obfuscated Files or Information"
225reference = "https://attack.mitre.org/techniques/T1027/"
226
227[[rule.threat.technique.subtechnique]]
228id = "T1027.010"
229name = "Command Obfuscation"
230reference = "https://attack.mitre.org/techniques/T1027/010/"
231
232[rule.threat.tactic]
233id = "TA0005"
234name = "Defense Evasion"
235reference = "https://attack.mitre.org/tactics/TA0005/"