Potential CommandLine Confusion Via Path Escape Abuse

Rule Info

Tags
attack.defense_evasion
Modified
2023-03-16 00:00:00
Author
Nasreddine Bencherchali (Nextron Systems)
Name
Potential CommandLine Confusion Via Path Escape Abuse
Description
Detects additional path escapes in the commandline, which could be a sign of obfuscation or defense evasion in order to confuse commandline logging
Date
2023-02-28 00:00:00
Reference
https://twitter.com/max_mal_/status/1630277636021731330?s=12&t=CTdiUNa2DOwmpnNt8QUuaQ
Id
376e5108-02e6-4f89-98bf-8be09b97616a
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022