Potential Homoglyph Attack Using Lookalike Characters in Filename

calendar Apr 1, 2024 · attack.defense_evasion attack.t1036 attack.t1036.003  ·
Share on: linkedin copy

Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.

Sigma rule (View on GitHub)

 1title: Potential Homoglyph Attack Using Lookalike Characters in Filename
 2id: 4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6
 3status: test
 4description: |
 5    Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
 6    This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
 7    are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.    
 8references:
 9    - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
10    - http://www.irongeek.com/homoglyph-attack-generator.php
11author: Micah Babinski, @micahbabinski
12date: 2023/05/08
13tags:
14    - attack.defense_evasion
15    - attack.t1036
16    - attack.t1036.003
17    # - attack.t1036.008
18logsource:
19    category: file_event
20    product: windows
21detection:
22    selection_upper:
23        TargetFilename|contains:
24            - "\u0410" # А/A
25            - "\u0412" # В/B
26            - "\u0415" # Е/E
27            - "\u041a" # К/K
28            - "\u041c" # М/M
29            - "\u041d" # Н/H
30            - "\u041e" # О/O
31            - "\u0420" # Р/P
32            - "\u0421" # С/C
33            - "\u0422" # Т/T
34            - "\u0425" # Х/X
35            - "\u0405" # Ѕ/S
36            - "\u0406" # І/I
37            - "\u0408" # Ј/J
38            - "\u04ae" # Ү/Y
39            - "\u04c0" # Ӏ/I
40            - "\u050C" # Ԍ/G
41            - "\u051a" # Ԛ/Q
42            - "\u051c" # Ԝ/W
43            - "\u0391" # Α/A
44            - "\u0392" # Β/B
45            - "\u0395" # Ε/E
46            - "\u0396" # Ζ/Z
47            - "\u0397" # Η/H
48            - "\u0399" # Ι/I
49            - "\u039a" # Κ/K
50            - "\u039c" # Μ/M
51            - "\u039d" # Ν/N
52            - "\u039f" # Ο/O
53            - "\u03a1" # Ρ/P
54            - "\u03a4" # Τ/T
55            - "\u03a5" # Υ/Y
56            - "\u03a7" # Χ/X
57    selection_lower:
58        TargetFilename|contains:
59            - "\u0430" # а/a
60            - "\u0435" # е/e
61            - "\u043e" # о/o
62            - "\u0440" # р/p
63            - "\u0441" # с/c
64            - "\u0445" # х/x
65            - "\u0455" # ѕ/s
66            - "\u0456" # і/i
67            - "\u04cf" # ӏ/l
68            - "\u0458" # ј/j
69            - "\u04bb" # һ/h
70            - "\u0501" # ԁ/d
71            - "\u051b" # ԛ/q
72            - "\u051d" # ԝ/w
73            - "\u03bf" # ο/o
74    condition: 1 of selection_*
75falsepositives:
76    - File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use.
77level: medium

References

  • SocGholish - Red Canary Threat Detection Report

    SocGholish leverages drive-by-downloads masquerading as software updates to trick visitors of compromised websites into executing malware.


    Read More

  • Search Irongeek.com: Affiliates: Help Irongeek.com pay for bandwidth and research equipment: Homoglyph Attack Generator and Punycode Converter Homoglyph Attack Generator      This app is meant to m...


    Read More

Related rules

to-top