detection.wiki

Detection rules › Sigma

Potential Dosfuscation Activity

Severity
medium
Author
frack113, Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects possible payload obfuscation via the commandline

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1059 Command and Scripting Interpreter

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation
Security-Auditing4688A new process has been created.

Stages and Predicates

Stage 1: selection

or:
CommandLine|contains: ' c^m^d'
CommandLine|contains: ' c^md'
CommandLine|contains: ' cm^d'
CommandLine|contains: ' s^e^t '
CommandLine|contains: ' s^et '
CommandLine|contains: ' se^t '
CommandLine|contains: '%COMSPEC:~'
CommandLine|contains: '(,(,'
CommandLine|contains: ',;,'
CommandLine|contains: ';; ;;'
CommandLine|contains: ';;;;'
CommandLine|contains: '^^'
CommandLine|contains: '^c^m^d'
CommandLine|contains: '^cm^d'
CommandLine|contains: '^|^'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • c^m^d
  • c^md
  • cm^d
  • s^e^t
  • s^et
  • se^t
  • %COMSPEC:~
  • (,(,
  • ,;,
  • ;; ;;
  • ;;;;
  • ^^
  • ^c^m^d
  • ^cm^d
  • ^|^