Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image

    Date: 09/10/2024

    Severity: Medium

    Summary

    "Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image" refers to the practice where attackers substitute Unicode look-alike characters (for example non-ASCII slashes and dashes) for the ASCII switch characters in command-line arguments in order to disguise malicious activity. This technique can make it harder for security tools and analysts to detect and analyze the commands being executed, because string-based detections and parsers that expect plain "/" and "-" no longer match. In this context "Image" is the Sysmon process-image field, i.e. the executable that receives the obfuscated command line: cmd.exe, cscript.exe, powershell.exe, pwsh.exe or wscript.exe, which are listed below.

    Indicators of Compromise (IOC) List

    Image 

    '\cmd.exe'

    '\cscript.exe'

    '\powershell.exe'

    '\pwsh.exe'

    '\wscript.exe'

    OriginalFileName 

    'Cmd.EXE'

    'cscript.exe'

    'PowerShell.EXE'

    'pwsh.dll'

    'wscript.exe'

    CommandLine

    'ˣ'

    '˪'

    'ˢ'

    '∕'

    '⁄'

    '―'

    '—'

    ' '

    '¯'

    '®'

    '¶'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (resourceName = "Sysmon"  AND eventtype = "1")  AND image in ("\cmd.exe", "\cscript.exe", "\powershell.exe", "\pwsh.exe", "\wscript.exe") AND originalfilename in ("Cmd.EXE","cscript.exe","PowerShell.EXE","pwsh.dll","wscript.exe" ) AND commandline in ("ˣ","˪","ˢ","∕","⁄","―","—"," ","¯","®","¶")

    Detection Query 2

    Technologygroup = "EDR"  AND image in ("\cmd.exe", "\cscript.exe", "\powershell.exe", "\pwsh.exe", "\wscript.exe") AND originalfilename in ("Cmd.EXE","cscript.exe","PowerShell.EXE","pwsh.dll","wscript.exe" ) AND commandline in ("ˣ","˪","ˢ","∕","⁄","―","—"," ","¯","®","¶")
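    The following Python script is an added example, not Gurucul's code and not part of the original advisory: it replays the logic of the two queries above over constructed Sysmon Event ID 1 style records so the rule can be tested offline. It assumes field names that mirror the queries (image, originalfilename, commandline, eventtype), that Image is matched by suffix and CommandLine by substring (the semantics of the referenced Sigma rule, which the queries' "in" operator must be read as), and that the bare ' ' entry in the IOC list is a no-break space (U+00A0); the characters are written as escapes with their Unicode names so the list is unambiguous in source. The referenced Sigma rule accepts either a matching Image suffix or a matching OriginalFileName, which also catches a renamed binary; the queries above require both, so the example exposes that choice as a parameter.

```python
"""Replay the Unicode command-line obfuscation detection over sample events.

Added example, not Gurucul's or SigmaHQ's code. Field names and matching
semantics are assumptions described in the lead-in.
"""
import unicodedata

# Process images from the IOC list, matched as path suffixes (case-insensitive).
IMAGE_SUFFIXES = (
    "\\cmd.exe", "\\cscript.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
)
# OriginalFileName values from the IOC list, compared case-insensitively.
ORIGINAL_FILENAMES = {"cmd.exe", "cscript.exe", "powershell.exe", "pwsh.dll", "wscript.exe"}

# The CommandLine characters from the IOC list as escapes, so nothing is invisible.
SUSPICIOUS_CHARS = (
    "\u02e3",  # ˣ MODIFIER LETTER SMALL X
    "\u02ea",  # ˪ MODIFIER LETTER YIN DEPARTING TONE MARK
    "\u02e2",  # ˢ MODIFIER LETTER SMALL S
    "\u2215",  # ∕ DIVISION SLASH
    "\u2044",  # ⁄ FRACTION SLASH
    "\u2015",  # ― HORIZONTAL BAR
    "\u2014",  # — EM DASH
    "\u00a0",  # NO-BREAK SPACE (assumption: the page's bare ' ' entry is U+00A0)
    "\u00af",  # ¯ MACRON
    "\u00ae",  # ® REGISTERED SIGN
    "\u00b6",  # ¶ PILCROW SIGN
)


def matches_image(event, require_both=True):
    """Image/OriginalFileName part of the rule.

    require_both=True reproduces the queries above (image AND originalfilename);
    require_both=False reproduces the referenced Sigma rule (either is enough).
    """
    image_hit = event.get("image", "").lower().endswith(IMAGE_SUFFIXES)
    ofn_hit = event.get("originalfilename", "").lower() in ORIGINAL_FILENAMES
    return (image_hit and ofn_hit) if require_both else (image_hit or ofn_hit)


def find_suspicious_chars(commandline):
    """Return (character, Unicode name) for every IOC character in the command line."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in SUSPICIOUS_CHARS if c in commandline]


def detect(event, require_both=True):
    """Apply the full rule to one process-creation event; returns the hits (empty = no alert)."""
    if event.get("eventtype", "1") != "1":  # Sysmon process creation only
        return []
    if not matches_image(event, require_both):
        return []
    return find_suspicious_chars(event.get("commandline", ""))


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    {"eventtype": "1", "image": "C:\\Windows\\System32\\cmd.exe", "originalfilename": "Cmd.EXE",
     "commandline": "cmd.exe /c whoami"},                # plain ASCII switch: no alert
    {"eventtype": "1", "image": "C:\\Windows\\System32\\cmd.exe", "originalfilename": "Cmd.EXE",
     "commandline": "cmd.exe \u2215c whoami"},           # DIVISION SLASH in place of '/'
    {"eventtype": "1", "image": "C:\\Users\\alice\\svc.exe", "originalfilename": "PowerShell.EXE",
     "commandline": "svc.exe \u2014NoProfile"},          # renamed binary, EM DASH in place of '-'
    {"eventtype": "1", "image": "C:\\Program Files\\Notepad++\\notepad++.exe",
     "originalfilename": "Notepad++.exe", "commandline": "notepad++.exe \u2014help"},  # out of scope
]


def run(events=SAMPLE_EVENTS, require_both=True):
    """Return {event index: hits} for every event that alerts."""
    results = {}
    for i, event in enumerate(events):
        hits = detect(event, require_both)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for mode in (True, False):
        print(f"require_both={mode}")
        for i, hits in run(require_both=mode).items():
            print(f"  event {i} alerts:", ", ".join(f"{n} (U+{ord(c):04X})" for c, n in hits))
```

    With require_both=True only the cmd.exe event with the division slash alerts; with require_both=False the renamed PowerShell binary is caught as well through its OriginalFileName, which is the property that survives renaming because it comes from the PE version resource rather than the on-disk path.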

    References:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml

    https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation

    https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http


    Tags

    MalwareAPT
