Potential Commandline Obfuscation Using Escape Characters
Detects potential commandline obfuscation using known escape characters
Sigma rule (View on GitHub)
1title: Potential Commandline Obfuscation Using Escape Characters
2id: f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd
3status: test
4description: Detects potential commandline obfuscation using known escape characters
5references:
6 - https://twitter.com/vysecurity/status/885545634958385153
7 - https://twitter.com/Hexacorn/status/885553465417756673 # Dead link
8 - https://twitter.com/Hexacorn/status/885570278637678592 # Dead link
9 - https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques
10 - https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
11author: juju4
12date: 2018/12/11
13modified: 2023/03/03
14tags:
15 - attack.defense_evasion
16 - attack.t1140
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection:
22 CommandLine|contains:
23 # - <TAB> # no TAB modifier in sigmac yet, so this matches <TAB> (or TAB in elasticsearch backends without DSL queries)
24 - 'h^t^t^p'
25 - 'h"t"t"p'
26 condition: selection
27falsepositives:
28 - Unknown
29level: medium
References
-
-
-
-
Throughout 2017 we have observed a marked increase in the use of command line evasion and obfuscation by a range of targeted attackers. Cyber espionage groups and financial threat actors continue t...
Read More -
Continuation of a tutorial explaining how the command line is received by a Windows program and split into individual arguments
Read More
Related rules
- Ping Hex IP
- MSHTA Suspicious Execution 01
- Base64 Encoded PowerShell Command Detected
- PowerShell -encodedcommand Switch
- Base64 Encoding in CMD or Powershell