blue-team-tools/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml

title: Suspicious Dosfuscation Character in Commandline
id: a77c1610-fc73-4019-8e29-0f51efc04a51
status: experimental
description: Detects possible payload obfuscation via the commandline
references:
    - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf
author: frack113
date: 2022/02/15
modified: 2022/09/02
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '^^'
            # - '""'
            - ',;,'
            - '%COMSPEC:~'
            # - '%%'
            # - '&&'
            - ' s^et '
            - ' s^e^t '
            - ' se^t '
    condition: selection
falsepositives:
    - Legitimate use
level: medium