Potential PowerShell Obfuscation Via WCHAR/CHAR
Detects PowerShell command lines that assemble strings from hex-encoded character codes ([char]0x.. / (WCHAR)0x..), a syntax often used to obfuscate commands for defense evasion.
Sigma rule

```yaml
title: Potential PowerShell Obfuscation Via WCHAR/CHAR
id: e312efd0-35a1-407f-8439-b8d434b438a6
status: test
description: Detects suspicious encoded character syntax often used for defense evasion
references:
    - https://twitter.com/0gtweet/status/1281103918693482496
author: Florian Roth (Nextron Systems)
date: 2020-07-09
modified: 2025-03-03
tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense-evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '[char]0x'
            - '(WCHAR)0x'
    condition: selection
falsepositives:
    - Unknown
level: high
```
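To see what the rule actually flags, the following added example (written for this page, not code from SigmaHQ or the rule author) applies the rule's `CommandLine|contains` selection to a few constructed process_creation events and decodes the `[char]0x..` sequences to show the string an obfuscated command builds. The event records, the `matches`/`decode_chars`/`run_rule` helper names and the sample command lines are all assumptions made for illustration; the two substrings are taken from the rule.

```python
"""Added example: run the rule's selection over sample Windows process_creation events."""
import re

# The two substrings from the rule's CommandLine|contains list.
PATTERNS = ["[char]0x", "(WCHAR)0x"]

# Sigma's `contains` modifier is case-insensitive unless |cased is added,
# so the comparison is done on lower-cased strings.
def matches(command_line: str) -> bool:
    cl = command_line.lower()
    return any(p.lower() in cl for p in PATTERNS)

# Decode PowerShell [char]0xNN sequences to the characters they produce,
# which is what the obfuscated command line is hiding.
_CHAR = re.compile(r"\[char\]0x([0-9a-f]{1,4})", re.IGNORECASE)

def decode_chars(command_line: str) -> str:
    return "".join(chr(int(h, 16)) for h in _CHAR.findall(command_line))

# Constructed sample events (assumed values, not real telemetry).
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    # Builds "iex" from hex char codes, then invokes it: should match.
    {"Image": _PS,
     "CommandLine": 'powershell.exe -nop -w hidden -c "$c=[char]0x69+[char]0x65+[char]0x78;& $c (gc .\\p.txt)"'},
    # Upper-case variant of the cast: still matched because `contains` is case-insensitive.
    {"Image": _PS, "CommandLine": 'powershell.exe -Command "[CHAR]0x41"'},
    # Benign admin command: should not match.
    {"Image": _PS, "CommandLine": 'powershell.exe -c "Get-Process | Sort-Object CPU"'},
    # Decimal char code instead of hex: the rule does not cover this form.
    {"Image": _PS, "CommandLine": 'powershell.exe -c "[char]65"'},
]

def run_rule(events):
    """Return the events the rule's single `selection` condition would fire on."""
    return [e for e in events if matches(e["CommandLine"])]

if __name__ == "__main__":
    for e in run_rule(EVENTS):
        print("HIT:", e["CommandLine"], "->", repr(decode_chars(e["CommandLine"])))
```

Two points worth keeping in mind when deploying the rule: it only inspects the process command line, so the same `[char]0x` construct inside a script file, a `-EncodedCommand` payload or a downloaded scriptblock is invisible to it (PowerShell Script Block Logging, event 4104, would be the place to look), and the `[char]65` decimal form in the last sample event shows that the match is on the literal hex-cast spelling, not on the technique in general.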
References
- https://twitter.com/0gtweet/status/1281103918693482496
Related rules
- Base64 Encoded PowerShell Command Detected
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Invoke-Obfuscation CLIP+ Launcher
- Invoke-Obfuscation CLIP+ Launcher - PowerShell
- Invoke-Obfuscation CLIP+ Launcher - PowerShell Module