Potential Commandline Obfuscation Using Escape Characters
Detects potential commandline obfuscation using known escape characters
Sigma rule (View on GitHub)
1title: Potential Commandline Obfuscation Using Escape Characters
2id: f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd
3status: test
4description: Detects potential commandline obfuscation using known escape characters
5references:
6 - https://twitter.com/vysecurity/status/885545634958385153
7 - https://twitter.com/Hexacorn/status/885553465417756673 # Dead link
8 - https://twitter.com/Hexacorn/status/885570278637678592 # Dead link
9 - https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques
10 - https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
11author: juju4
12date: 2018-12-11
13modified: 2023-03-03
14tags:
15 - attack.defense-evasion
16 - attack.t1140
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection:
22 CommandLine|contains:
23 # - <TAB> # no TAB modifier in sigmac yet, so this matches <TAB> (or TAB in elasticsearch backends without DSL queries)
24 - 'h^t^t^p'
25 - 'h"t"t"p'
26 condition: selection
27falsepositives:
28 - Unknown
29level: medium
References
-
In this example, FIN7 implements FIN8’s passing of commands via StdIn – this time passing it to cmd.exe instead of powershell.exe – but the evasion effect is the same. While this example will expos...
Read More -
Continuation of a tutorial explaining how the command line is received by a Windows program and split into individual arguments
Read More
Related rules
- Base64 Encoded PowerShell Command Detected
- DNS-over-HTTPS Enabled by Registry
- Linux Base64 Encoded Pipe to Shell
- Linux Base64 Encoded Shebang In CLI
- Linux Shell Pipe to Shell