Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Sigma rule (View on GitHub)
1title: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
2id: 584bca0f-3608-4402-80fd-4075ff6072e3
3related:
4 - id: e0552b19-5a83-4222-b141-b36184bb8d79
5 type: similar
6 - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO
7 type: similar
8 - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
9 type: obsolete
10status: test
11description: |
12 Detects potential commandline obfuscation using unicode characters.
13 Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
14references:
15 - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
16 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
17author: frack113, Florian Roth (Nextron Systems), Josh Nickels
18date: 2024-09-02
19modified: 2024-09-05
20tags:
21 - attack.defense-evasion
22 - attack.t1027
23logsource:
24 category: process_creation
25 product: windows
26detection:
27 selection_img:
28 Image|endswith:
29 - '\cmd.exe'
30 - '\cscript.exe'
31 - '\powershell.exe'
32 - '\pwsh.exe'
33 - '\wscript.exe'
34 OriginalFileName:
35 - 'Cmd.EXE'
36 - 'cscript.exe'
37 - 'PowerShell.EXE'
38 - 'pwsh.dll'
39 - 'wscript.exe'
40 selection_special_chars:
41 CommandLine|contains:
42 # spacing modifier letters that get auto-replaced
43 - 'ˣ' # 0x02E3
44 - '˪' # 0x02EA
45 - 'ˢ' # 0x02E2
46 # Forward slash alternatives
47 - '∕' # 0x22FF
48 - '⁄' # 0x206F
49 # Hyphen alternatives
50 - '―' # 0x2015
51 - '—' # 0x2014
52 # Whitespace that don't work as path separator
53 - ' ' # 0x00A0
54 # Other
55 - '¯'
56 - '®'
57 - '¶'
58 condition: all of selection_*
59falsepositives:
60 - Unknown
61level: high
References
-
Many Windows applications have multiple ways in which the same command line can be expressed, usually for compatibility or ease-of-use reasons. As a result, command-line arguments are implemented inconsistently making detecting specific commands harder due to the number of variations. This post shows how more than 40 often-used, built-in Windows applications are vulnerable to forms of command-line obfuscation, and presents a tool for analysing other executables.
Read More -
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
- Base64 Encoded PowerShell Command Detected
- Certificate Exported Via Certutil.EXE
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Decode Base64 Encoded Text