Merge PR #5002 from @secDre4mer - Update `Potential CommandLine Obfus…

…cation Using Unicode Characters` rules update: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - Add coverage for `0x00A0` update: Potential CommandLine Obfuscation Using Unicode Characters - Add coverage for `0x00A0` --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
SigmaHQ · Sep 6, 2024 · ab2fb36 · ab2fb36
1 parent 8288d4b
commit ab2fb36
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 1 deletion.
diff --git a/...hreat-hunting/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml b/...hreat-hunting/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml
@@ -3,6 +3,8 @@ id: e0552b19-5a83-4222-b141-b36184bb8d79
 related:
     - id: 584bca0f-3608-4402-80fd-4075ff6072e3
       type: similar
+    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO
+      type: similar
     - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
       type: obsolete
 status: test
@@ -14,7 +16,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
 author: frack113, Florian Roth (Nextron Systems)
 date: 2022-01-15
-modified: 2024-09-02
+modified: 2024-09-05
 tags:
     - attack.defense-evasion
     - attack.t1027
@@ -35,6 +37,8 @@ detection:
             # Hyphen alternatives
             - '―' # 0x2015
             - '—' # 0x2014
+            # Whitespace that don't work as path separator
+            - ' ' # 0x00A0
             # Other
             - '¯'
             - '®'

diff --git a/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml b/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml
@@ -3,6 +3,8 @@ id: 584bca0f-3608-4402-80fd-4075ff6072e3
 related:
     - id: e0552b19-5a83-4222-b141-b36184bb8d79
       type: similar
+    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO
+      type: similar
     - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
       type: obsolete
 status: test
@@ -14,6 +16,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
 author: frack113, Florian Roth (Nextron Systems), Josh Nickels
 date: 2024-09-02
+modified: 2024-09-05
 tags:
     - attack.defense-evasion
     - attack.t1027
@@ -46,6 +49,8 @@ detection:
             # Hyphen alternatives
             - '―' # 0x2015
             - '—' # 0x2014
+            # Whitespace that don't work as path separator
+            - ' ' # 0x00A0
             # Other
             - '¯'
             - '®'

diff --git a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml
@@ -1,5 +1,10 @@
 title: Potential Defense Evasion Via Right-to-Left Override
 id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
+related:
+    - id: e0552b19-5a83-4222-b141-b36184bb8d79
+      type: derived
+    - id: 584bca0f-3608-4402-80fd-4075ff6072e3
+      type: derived
 status: test
 description: |
     Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.