Potential CommandLine Confusion Via Path Escape Abuse

Rule Info

Name
Potential CommandLine Confusion Via Path Escape Abuse
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects additional path escapes in the commandline, which could be a sign of obfuscation or defense evasion in order to confuse commandline logging
Reference
https://twitter.com/max_mal_/status/1630277636021731330?s=12&t=CTdiUNa2DOwmpnNt8QUuaQ
Date
2023-02-28 00:00:00
Modified
2023-03-16 00:00:00
Id
376e5108-02e6-4f89-98bf-8be09b97616a
Tags
attack.defense_evasion
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022