Detection rules › Sigma

Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image

Status
test
Severity
high
Author
frack113, Florian Roth (Nextron Systems), Josh Nickels
Source
github.com/SigmaHQ/sigma

Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

MITRE ATT&CK coverage

Event coverage

ProviderEventTitle
SysmonEvent ID 1Process creation

Rule body yaml

title: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
id: 584bca0f-3608-4402-80fd-4075ff6072e3
related:
    - id: e0552b19-5a83-4222-b141-b36184bb8d79
      type: similar
    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO
      type: similar
    - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
      type: obsolete
status: test
description: |
    Detects potential commandline obfuscation using unicode characters.
    Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
references:
    - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
author: frack113, Florian Roth (Nextron Systems), Josh Nickels
date: 2024-09-02
modified: 2025-05-30
tags:
    - attack.stealth
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        OriginalFileName:
            - 'Cmd.EXE'
            - 'cscript.exe'
            - 'PowerShell.EXE'
            - 'PowerShell_ISE.EXE'
            - 'pwsh.dll'
            - 'wscript.exe'
    selection_special_chars:
        CommandLine|contains:
            # spacing modifier letters that get auto-replaced
            - 'ˣ' # 0x02E3
            - '˪' # 0x02EA
            - 'ˢ' # 0x02E2
            # Forward slash alternatives
            - '∕' # 0x22FF
            - '⁄' # 0x206F
            # Hyphen alternatives
            - '―' # 0x2015
            - '—' # 0x2014
            # Whitespace that don't work as path separator
            - ' ' # 0x00A0
            # Other
            - '¯'
            - '®'
            - '¶'
            # Unicode whitespace characters
            - '⠀' # Braille Pattern Blank (Unicode: U+2800)
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

Stages and Predicates

Stage 0: condition

all of selection_*

Stage 1: selection_img

selection_img:
    Image|endswith:
        - '\cmd.exe'
        - '\cscript.exe'
        - '\powershell.exe'
        - '\powershell_ise.exe'
        - '\pwsh.exe'
        - '\wscript.exe'
    OriginalFileName:
        - 'Cmd.EXE'
        - 'cscript.exe'
        - 'PowerShell.EXE'
        - 'PowerShell_ISE.EXE'
        - 'pwsh.dll'
        - 'wscript.exe'

Stage 2: selection_special_chars

selection_special_chars:
    CommandLine|contains:
        # spacing modifier letters that get auto-replaced
        - 'ˣ' # 0x02E3
        - '˪' # 0x02EA
        - 'ˢ' # 0x02E2
        # Forward slash alternatives
        - '∕' # 0x22FF
        - '⁄' # 0x206F
        # Hyphen alternatives
        - '―' # 0x2015
        - '—' # 0x2014
        # Whitespace that don't work as path separator
        - ' ' # 0x00A0
        # Other
        - '¯'
        - '®'
        - '¶'
        # Unicode whitespace characters
        - '⠀' # Braille Pattern Blank (Unicode: U+2800)

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  •   corpus 2 (sigma 2)
  • ® corpus 2 (sigma 2)
  • ¯ corpus 2 (sigma 2)
  • corpus 2 (sigma 2)
  • ˢ corpus 2 (sigma 2)
  • ˣ corpus 2 (sigma 2)
  • ˪ corpus 2 (sigma 2)
  • corpus 2 (sigma 2)
  • corpus 2 (sigma 2)
  • corpus 2 (sigma 2)
  • corpus 2 (sigma 2)
Imageends_with
  • \cmd.exe corpus 134 (sigma 134)
  • \cscript.exe corpus 76 (sigma 76)
  • \powershell.exe corpus 186 (sigma 186)
  • \powershell_ise.exe corpus 42 (sigma 42)
  • \pwsh.exe corpus 172 (sigma 172)
  • \wscript.exe corpus 78 (sigma 78)
OriginalFileNameeq
  • Cmd.EXE corpus 65 (sigma 44, splunk 17, elastic 4)
  • PowerShell.EXE corpus 121 (sigma 85, splunk 30, elastic 6)
  • PowerShell_ISE.EXE corpus 51 (splunk 30, sigma 18, elastic 3)
  • cscript.exe corpus 19 (sigma 17, elastic 2)
  • pwsh.dll corpus 112 (sigma 79, splunk 30, elastic 3)
  • wscript.exe corpus 20 (sigma 17, elastic 3)