Potential PowerShell Obfuscation Via WCHAR
Detects suspicious encoded character syntax often used for defense evasion
Sigma rule (View on GitHub)
1title: Potential PowerShell Obfuscation Via WCHAR
2id: e312efd0-35a1-407f-8439-b8d434b438a6
3status: test
4description: Detects suspicious encoded character syntax often used for defense evasion
5references:
6 - https://twitter.com/0gtweet/status/1281103918693482496
7author: Florian Roth (Nextron Systems)
8date: 2020/07/09
9modified: 2023/01/05
10tags:
11 - attack.execution
12 - attack.t1059.001
13 - attack.defense_evasion
14 - attack.t1027
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 CommandLine|contains: '(WCHAR)0x'
21 condition: selection
22falsepositives:
23 - Unknown
24level: high
References
Related rules
- HackTool - Covenant PowerShell Launcher
- Base64 Encoded PowerShell Command Detected
- NTFS Alternate Data Stream
- Potential PowerShell Downgrade Attack
- PowerShell -encodedcommand Switch