Suspicious File Creation with Unicode Space Characters

Rule Info

Name
Suspicious File Creation with Unicode Space Characters
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects when files are created with filenames or file paths containing Unicode characters from U+2000 to U+200A. These Unicode space characters can be used to obfuscate file paths, making them appear as regular spaces while actually being different Unicode characters. Attackers often use these space characters for path/file obfuscation to evade security detections.
Reference
https://www.zerosalarium.com/2025/01/path-masquerading-hide-in-plain-sight.html
Date
2025-02-12 00:00:00
Modified
None
Id
512b8fa5-b9c6-4c48-b0e5-bafdb9f7e4be
Tags
attack.defense-evasion attack.t1036
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022