Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image

Rule Info

Name
Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
Author
frack113, Florian Roth (Nextron Systems), Josh Nickels
Description
Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Reference
https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
Date
2024-09-02 00:00:00
Modified
2024-09-05 00:00:00
Id
584bca0f-3608-4402-80fd-4075ff6072e3
Tags
attack.defense-evasion attack.t1027 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=584bca0f-3608-4402-80fd-4075ff6072e3

Rule History

Author
Title
Date
Commit
secDre4mer
Merge PR #5002 from @secDre4mer - Update `Potential CommandLine Obfuscation Using Unicode Characters` rules
2024-09-06
ab2fb3642
Nasreddine Bencherchali
Merge PR #4993 from @nasbench - Fix Issues
2024-09-02
b86a494f5
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
Nasreddine Bencherchali
Merge PR #4928 from @nasbench - Fix FPs and issues found in testing
2024-07-24
779111a0d
Nasreddine Bencherchali
feat: more updates
2023-03-06
e3503d5d6
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022