Potential Homoglyph Attack Using Lookalike Characters in Filename
Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
Sigma rule (View on GitHub)
1title: Potential Homoglyph Attack Using Lookalike Characters in Filename
2id: 4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6
3status: test
4description: |
5 Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
6 This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
7 are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
8references:
9 - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
10 - http://www.irongeek.com/homoglyph-attack-generator.php
11author: Micah Babinski, @micahbabinski
12date: 2023/05/08
13tags:
14 - attack.defense_evasion
15 - attack.t1036
16 - attack.t1036.003
17 # - attack.t1036.008
18logsource:
19 category: file_event
20 product: windows
21detection:
22 selection_upper:
23 TargetFilename|contains:
24 - "\u0410" # А/A
25 - "\u0412" # В/B
26 - "\u0415" # Е/E
27 - "\u041a" # К/K
28 - "\u041c" # М/M
29 - "\u041d" # Н/H
30 - "\u041e" # О/O
31 - "\u0420" # Р/P
32 - "\u0421" # С/C
33 - "\u0422" # Т/T
34 - "\u0425" # Х/X
35 - "\u0405" # Ѕ/S
36 - "\u0406" # І/I
37 - "\u0408" # Ј/J
38 - "\u04ae" # Ү/Y
39 - "\u04c0" # Ӏ/I
40 - "\u050C" # Ԍ/G
41 - "\u051a" # Ԛ/Q
42 - "\u051c" # Ԝ/W
43 - "\u0391" # Α/A
44 - "\u0392" # Β/B
45 - "\u0395" # Ε/E
46 - "\u0396" # Ζ/Z
47 - "\u0397" # Η/H
48 - "\u0399" # Ι/I
49 - "\u039a" # Κ/K
50 - "\u039c" # Μ/M
51 - "\u039d" # Ν/N
52 - "\u039f" # Ο/O
53 - "\u03a1" # Ρ/P
54 - "\u03a4" # Τ/T
55 - "\u03a5" # Υ/Y
56 - "\u03a7" # Χ/X
57 selection_lower:
58 TargetFilename|contains:
59 - "\u0430" # а/a
60 - "\u0435" # е/e
61 - "\u043e" # о/o
62 - "\u0440" # р/p
63 - "\u0441" # с/c
64 - "\u0445" # х/x
65 - "\u0455" # ѕ/s
66 - "\u0456" # і/i
67 - "\u04cf" # ӏ/l
68 - "\u0458" # ј/j
69 - "\u04bb" # һ/h
70 - "\u0501" # ԁ/d
71 - "\u051b" # ԛ/q
72 - "\u051d" # ԝ/w
73 - "\u03bf" # ο/o
74 condition: 1 of selection_*
75falsepositives:
76 - File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use.
77level: medium
References
Related rules
- Potential Homoglyph Attack Using Lookalike Characters
- Processes Executing with Unusual Command Lines
- Unexpected Internal Process Name
- PUA - Potential PE Metadata Tamper Using Rcedit
- Potential Homoglyph Attack Using Lookalike Characters