Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
Detects potential command-line obfuscation using Unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1027 Obfuscated Files or Information |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: all of selection_img, satisfied when any one of the following predicates matches:
Image|endswith: '\cmd.exe'
Image|endswith: '\cscript.exe'
Image|endswith: '\powershell.exe'
Image|endswith: '\powershell_ise.exe'
Image|endswith: '\pwsh.exe'
Image|endswith: '\wscript.exe'
OriginalFileName: [Cmd.EXE, PowerShell.EXE, PowerShell_ISE.EXE, cscript.exe, pwsh.dll, wscript.exe]
Stage 2: all of selection_special_chars, satisfied when any one of the following predicates matches:
CommandLine|contains: ' '
CommandLine|contains: '®'
CommandLine|contains: '¯'
CommandLine|contains: '¶'
CommandLine|contains: 'ˢ'
CommandLine|contains: 'ˣ'
CommandLine|contains: '˪'
CommandLine|contains: '—'
CommandLine|contains: '―'
CommandLine|contains: '⁄'
CommandLine|contains: '∕'
CommandLine|contains: '⠀'
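Added example, not the rule's or the catalog's own code: the two stages above re-implemented in Python and run over constructed Sysmon Event ID 1 records, including a renamed interpreter that only the OriginalFileName predicate catches. The code point used for the rule's ' ' entry (U+00A0, NO-BREAK SPACE) is an assumption.

```python
import unicodedata

# Sigma string modifiers compare case-insensitively, hence the lower-casing.
IMAGE_SUFFIXES = ("\\cmd.exe", "\\cscript.exe", "\\powershell.exe",
                  "\\powershell_ise.exe", "\\pwsh.exe", "\\wscript.exe")
ORIGINAL_FILE_NAMES = {"cmd.exe", "powershell.exe", "powershell_ise.exe",
                       "cscript.exe", "pwsh.dll", "wscript.exe"}
# selection_special_chars as code points so none is lost to whitespace
# normalisation; the rule's ' ' entry is assumed to be NO-BREAK SPACE (U+00A0).
SPECIAL_CHARS = frozenset("\u00a0\u00ae\u00af\u00b6\u02e2\u02e3\u02ea"
                          "\u2014\u2015\u2044\u2215\u2800")

def selection_img(event):
    """Stage 1: interpreter by Image path suffix OR by PE OriginalFileName."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_FILE_NAMES

def selection_special_chars(event):
    """Stage 2: any listed character appears anywhere in the command line."""
    return any(c in SPECIAL_CHARS for c in event.get("CommandLine", ""))

def rule_matches(event):
    """condition: all of selection_* -> both stages must hold."""
    return selection_img(event) and selection_special_chars(event)

def suspicious_code_points(command_line):
    """Name the offending characters so the alert shows what was found."""
    return sorted({f"U+{ord(c):04X} {unicodedata.name(c, '?')}"
                   for c in command_line if c in SPECIAL_CHARS})

def evaluate(events):
    """Return (Image, named code points) for every event the rule fires on."""
    return [(e["Image"], suspicious_code_points(e["CommandLine"]))
            for e in events if rule_matches(e)]

# Constructed Sysmon Event ID 1 records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",  # EM DASH used as the switch prefix
     "CommandLine": "powershell.exe \u2014NoProfile \u2014Command Get-Date"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",  # plain ASCII: must not fire
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe C:\\Docs\\Product\u00ae.txt"},  # not an interpreter
    {"Image": r"C:\Temp\updater.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "updater.exe -c\u2800Get-Date"},  # renamed binary, caught by OriginalFileName
]
```

The third record shows why Stage 1 gates the rule: a registered sign in a document name opened by notepad.exe is not an interpreter invocation and produces no alert.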
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| CommandLine | match | ' ', '®', '¯', '¶', 'ˢ', 'ˣ', '˪', '—', '―', '⁄', '∕', '⠀' |
| Image | ends_with | '\cmd.exe', '\cscript.exe', '\powershell.exe', '\powershell_ise.exe', '\pwsh.exe', '\wscript.exe' |
| OriginalFileName | eq | Cmd.EXE, PowerShell.EXE, PowerShell_ISE.EXE, cscript.exe, pwsh.dll, wscript.exe |