Potential Commandline Obfuscation Using Unicode Characters

Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

Sigma rule (View on GitHub)

title: Potential Commandline Obfuscation Using Unicode Characters
id: e0552b19-5a83-4222-b141-b36184bb8d79
related:
    - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
      type: obsoletes
status: test
description: |
    Detects potential commandline obfuscation using unicode characters.
    Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
references:
    - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
author: frack113, Florian Roth (Nextron Systems)
date: 2022/01/15
modified: 2023/03/03
tags:
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_spacing_modifiers:
        CommandLine|contains: # spacing modifier letters that get auto-replaced
            - 'ˣ' # U+02E3 MODIFIER LETTER SMALL X
            - '˪' # U+02EA MODIFIER LETTER YIN DEPARTING TONE MARK
            - 'ˢ' # U+02E2 MODIFIER LETTER SMALL S
    selection_unicode_slashes: # forward slash alternatives
        CommandLine|contains:
            - '∕' # U+2215 DIVISION SLASH
            - '⁄' # U+2044 FRACTION SLASH
    selection_unicode_hyphens: # hyphen alternatives
        CommandLine|contains:
            - '―' # U+2015 HORIZONTAL BAR
            - '—' # U+2014 EM DASH
    selection_other: # byte sequences left behind when UTF-8 text is decoded as Windows-1252 (mojibake)
        CommandLine|contains:
            - 'â'
            - '€'
            - '£'
            - '¯'
            - '®'
            - 'µ'
            - '¶'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
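The following is an added Python example, not code from the SigmaHQ project and not a Sigma backend. It applies the rule's four selection lists and its "1 of selection_*" condition to process_creation CommandLine values, and includes a helper that shows why the plain-looking characters in selection_other belong in the rule: when a UTF-8 command line is decoded as Windows-1252 somewhere in the logging pipeline, the em dash (U+2014, bytes E2 80 94) becomes "â€”" and the modifier letter small x (U+02E3, bytes CB A3) becomes "Ë£", so the original code point is gone but the mojibake remains. The Sysmon-style field names and all sample events are constructed assumptions.

```python
# Added example (not part of the Sigma rule or the SigmaHQ project): evaluate
# the rule's selections and condition over constructed process_creation events.

# Needle lists copied from the rule, written as escapes so they survive copy/paste.
SELECTIONS = {
    "selection_spacing_modifiers": ["\u02e3", "\u02ea", "\u02e2"],  # ˣ ˪ ˢ
    "selection_unicode_slashes": ["\u2215", "\u2044"],              # ∕ ⁄
    "selection_unicode_hyphens": ["\u2015", "\u2014"],              # ― —
    "selection_other": ["â", "€", "£", "¯", "®", "µ", "¶"],          # UTF-8 read as cp1252
}


def matched_selections(command_line: str) -> list[str]:
    """Names of the selections whose CommandLine|contains list has a hit."""
    return [
        name
        for name, needles in SELECTIONS.items()
        if any(needle in command_line for needle in needles)
    ]


def rule_fires(command_line: str) -> bool:
    """condition: 1 of selection_* -> the rule fires if any selection matches."""
    return bool(matched_selections(command_line))


def as_cp1252_mojibake(command_line: str) -> str:
    """Re-decode a UTF-8 command line as Windows-1252.

    This reproduces what a log pipeline that mislabels the encoding does to
    non-ASCII characters: U+2014 (E2 80 94) turns into 'â€”' and U+02E3
    (CB A3) turns into 'Ë£'. selection_other catches those remnants when the
    original code point is no longer visible to the rule.
    """
    return command_line.encode("utf-8").decode("cp1252", errors="replace")


def evaluate(events: list[dict]) -> list[dict]:
    """Run the rule over process_creation events; return one alert per hit."""
    alerts = []
    for event in events:
        hits = matched_selections(event.get("CommandLine", ""))
        if hits:
            alerts.append(
                {
                    "Image": event.get("Image"),
                    "CommandLine": event["CommandLine"],
                    "matched": hits,
                }
            )
    return alerts


# Constructed sample events (Sysmon-style field names); not real telemetry.
SAMPLE_EVENTS = [
    # Plain ASCII baseline: must not fire.
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": 'cmd.exe /c "echo hello"'},
    # DIVISION SLASH in place of the switch character.
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe \u2215c echo hello"},
    # EM DASH in place of the switch hyphen.
    {"Image": r"C:\Windows\System32\ping.exe", "CommandLine": "ping.exe \u2014n 1 localhost"},
    # Modifier letter that reached the log as cp1252 mojibake ('Ë£').
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": as_cp1252_mojibake("cmd.exe /c echo \u02e3")},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["matched"], repr(alert["CommandLine"]))
```

Running the block prints three alerts out of four events: the slash and hyphen substitutions hit their dedicated selections, and the mojibake event hits only selection_other, which is the case the rule's last list exists for. When you port this rule to a SIEM, check that the backend compares the raw UTF-8 string rather than a transliterated or ASCII-folded copy, otherwise the first three selections will never match and only the mojibake list will fire.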
