From ab2fb3642611988012a1ee79b056e2f3068059aa Mon Sep 17 00:00:00 2001 From: secDre4mer <61268450+secDre4mer@users.noreply.github.com> Date: Fri, 6 Sep 2024 11:42:04 +0200 Subject: [PATCH] Merge PR #5002 from @secDre4mer - Update `Potential CommandLine Obfuscation Using Unicode Characters` rules update: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - Add coverage for `0x00A0` update: Potential CommandLine Obfuscation Using Unicode Characters - Add coverage for `0x00A0` --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../proc_creation_win_susp_cli_obfuscation_unicode.yml | 6 +++++- .../proc_creation_win_susp_cli_obfuscation_unicode_img.yml | 5 +++++ .../proc_creation_win_susp_right_to_left_override.yml | 5 +++++ 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml
index 47b1dde305b..515e4bd1aa3 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml
@@ -3,6 +3,8 @@ id: e0552b19-5a83-4222-b141-b36184bb8d79
 related:
 - id: 584bca0f-3608-4402-80fd-4075ff6072e3
 type: similar
+ - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO
+ type: similar
 - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
 type: obsolete
 status: test
@@ -14,7 +16,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
 author: frack113, Florian Roth (Nextron Systems)
 date: 2022-01-15
-modified: 2024-09-02
+modified: 2024-09-05
 tags:
 - attack.defense-evasion
 - attack.t1027 
@@ -35,6 +37,8 @@ detection: # Hyphen alternatives - '―' # 0x2015 - '—' # 0x2014 + # Whitespace that don't work as path separator + - ' ' # 0x00A0 # Other - '¯' - '®' diff --git a/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml b/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml index 67a1d751ae5..8127ccc75c5 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml @@ -3,6 +3,8 @@ id: 584bca0f-3608-4402-80fd-4075ff6072e3 related: - id: e0552b19-5a83-4222-b141-b36184bb8d79 type: similar + - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO + type: similar - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9 type: obsolete status: test @@ -14,6 +16,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http author: frack113, Florian Roth (Nextron Systems), Josh Nickels date: 2024-09-02 +modified: 2024-09-05 tags: - attack.defense-evasion - attack.t1027 @@ -46,6 +49,8 @@ detection: # Hyphen alternatives - '―' # 0x2015 - '—' # 0x2014 + # Whitespace that don't work as path separator + - ' ' # 0x00A0 # Other - '¯' - '®' diff --git a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml index 53583383428..e6c3841b5c0 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml 
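Review bot: The new `0x00A0` entry in the `detection` list only matches if the raw U+00A0 code point survives collection; many log pipelines normalise non-breaking space to U+0020 or strip non-ASCII from `CommandLine`, in which case this entry silently never fires, so a comment like `# NBSP (0x00A0): verify the backend preserves the raw code point, normalisation to U+0020 makes this entry dead` plus a test event with a genuine NBSP would make the dependency explicit. The accompanying comment `# Whitespace that don't work as path separator` is both ungrammatical and unclear about the evasion value; the point appears to be that NBSP renders like a space but is presumably not treated as an argument separator by the command-line parser, so `# Whitespace look-alike that is not treated as a space by the command-line parser` would read better (confirm against the research the rule references). The same entry and comment are added to the `_img` rule on this line, and the selection key these literals belong to lies outside both hunks.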
@@ -1,5 +1,10 @@
 title: Potential Defense Evasion Via Right-to-Left Override
 id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
+related:
+ - id: e0552b19-5a83-4222-b141-b36184bb8d79
+ type: derived
+ - id: 584bca0f-3608-4402-80fd-4075ff6072e3
+ type: derived
 status: test
 description: |
 Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
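Review bot: The description line kept as context in this hunk spells the override character as "u202+E"; the code point is U+202E (RIGHT-TO-LEFT OVERRIDE), so it should read `Detects the presence of the "U+202E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.` and the commit that touches this file's header is the natural place to fix it. The two added `related` entries use `type: derived`, while the referenced rules (earlier in this patch) link back to this one as `similar`; `derived` asserts this rule was built from those two, which seems unlikely if it predates them (its `date` is outside the hunk), so `type: similar` is probably the accurate relation here. The `description` block may continue past the last line of the hunk.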