Potential Homoglyph Attack Using Lookalike Characters in Filename
Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
Sigma rule (View on GitHub)
1title: Potential Homoglyph Attack Using Lookalike Characters in Filename
2id: 4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6
3status: test
4description: |
5 Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
6 This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
7 are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
8references:
9 - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
10 - http://www.irongeek.com/homoglyph-attack-generator.php
11author: Micah Babinski, @micahbabinski
12date: 2023-05-08
13tags:
14 - attack.defense-evasion
15 - attack.t1036
16 - attack.t1036.003
17 # - attack.t1036.008
18logsource:
19 category: file_event
20 product: windows
21detection:
22 selection_upper:
23 TargetFilename|contains:
24 - "\u0410" # А/A
25 - "\u0412" # В/B
26 - "\u0415" # Е/E
27 - "\u041a" # К/K
28 - "\u041c" # М/M
29 - "\u041d" # Н/H
30 - "\u041e" # О/O
31 - "\u0420" # Р/P
32 - "\u0421" # С/C
33 - "\u0422" # Т/T
34 - "\u0425" # Х/X
35 - "\u0405" # Ѕ/S
36 - "\u0406" # І/I
37 - "\u0408" # Ј/J
38 - "\u04ae" # Ү/Y
39 - "\u04c0" # Ӏ/I
40 - "\u050C" # Ԍ/G
41 - "\u051a" # Ԛ/Q
42 - "\u051c" # Ԝ/W
43 - "\u0391" # Α/A
44 - "\u0392" # Β/B
45 - "\u0395" # Ε/E
46 - "\u0396" # Ζ/Z
47 - "\u0397" # Η/H
48 - "\u0399" # Ι/I
49 - "\u039a" # Κ/K
50 - "\u039c" # Μ/M
51 - "\u039d" # Ν/N
52 - "\u039f" # Ο/O
53 - "\u03a1" # Ρ/P
54 - "\u03a4" # Τ/T
55 - "\u03a5" # Υ/Y
56 - "\u03a7" # Χ/X
57 selection_lower:
58 TargetFilename|contains:
59 - "\u0430" # а/a
60 - "\u0435" # е/e
61 - "\u043e" # о/o
62 - "\u0440" # р/p
63 - "\u0441" # с/c
64 - "\u0445" # х/x
65 - "\u0455" # ѕ/s
66 - "\u0456" # і/i
67 - "\u04cf" # ӏ/l
68 - "\u0458" # ј/j
69 - "\u04bb" # һ/h
70 - "\u0501" # ԁ/d
71 - "\u051b" # ԛ/q
72 - "\u051d" # ԝ/w
73 - "\u03bf" # ο/o
74 condition: 1 of selection_*
75falsepositives:
76 - File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use.
77level: medium
References
Related rules
- PUA - Potential PE Metadata Tamper Using Rcedit
- Potential Homoglyph Attack Using Lookalike Characters
- CodePage Modification Via MODE.COM To Russian Language
- CreateDump Process Dump
- DumpMinitool Execution