EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image

Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

MITRE ATT&CK

T1027
defense-evasion

Detection Query

selection_img:
  Image|endswith:
    - \cmd.exe
    - \cscript.exe
    - \powershell.exe
    - \powershell_ise.exe
    - \pwsh.exe
    - \wscript.exe
  OriginalFileName:
    - Cmd.EXE
    - cscript.exe
    - PowerShell.EXE
    - PowerShell_ISE.EXE
    - pwsh.dll
    - wscript.exe
selection_special_chars:
  CommandLine|contains:
    - ˣ
    - ˪
    - ˢ
    - ∕
    - ⁄
    - ―
    - —
    -  
    - ¯
    - ®
    - ¶
    - ⠀
condition: all of selection_*

Author

frack113, Florian Roth (Nextron Systems), Josh Nickels

Created

2024-09-02

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasionattack.t1027
Raw Content
title: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
id: 584bca0f-3608-4402-80fd-4075ff6072e3
related:
    - id: e0552b19-5a83-4222-b141-b36184bb8d79
      type: similar
    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO
      type: similar
    - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
      type: obsolete
status: test
description: |
    Detects potential commandline obfuscation using unicode characters.
    Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
references:
    - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
author: frack113, Florian Roth (Nextron Systems), Josh Nickels
date: 2024-09-02
modified: 2025-05-30
tags:
    - attack.defense-evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        OriginalFileName:
            - 'Cmd.EXE'
            - 'cscript.exe'
            - 'PowerShell.EXE'
            - 'PowerShell_ISE.EXE'
            - 'pwsh.dll'
            - 'wscript.exe'
    selection_special_chars:
        CommandLine|contains:
            # spacing modifier letters that get auto-replaced
            - 'ˣ' # 0x02E3
            - '˪' # 0x02EA
            - 'ˢ' # 0x02E2
            # Forward slash alternatives
            - '∕' # 0x22FF
            - '⁄' # 0x206F
            # Hyphen alternatives
            - '―' # 0x2015
            - '—' # 0x2014
            # Whitespace that don't work as path separator
            - ' ' # 0x00A0
            # Other
            - '¯'
            - '®'
            - '¶'
            # Unicode whitespace characters
            - '⠀' # Braille Pattern Blank (Unicode: U+2800)
    condition: all of selection_*
falsepositives:
    - Unknown
level: high