Detection rules › Sigma
Potential Homoglyph Attack Using Lookalike Characters in Filename
Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1036.003 Masquerading: Rename Legitimate Utilities |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 11 | FileCreate |
Rule body yaml
title: Potential Homoglyph Attack Using Lookalike Characters in Filename
id: 4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6
status: test
description: |
Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
references:
- https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
- http://www.irongeek.com/homoglyph-attack-generator.php
author: Micah Babinski, @micahbabinski
date: 2023-05-08
tags:
- attack.stealth
- attack.t1036
- attack.t1036.003
logsource:
category: file_event
product: windows
detection:
selection_upper:
TargetFilename|contains:
- "\u0410" # А/A
- "\u0412" # В/B
- "\u0415" # Е/E
- "\u041a" # К/K
- "\u041c" # М/M
- "\u041d" # Н/H
- "\u041e" # О/O
- "\u0420" # Р/P
- "\u0421" # С/C
- "\u0422" # Т/T
- "\u0425" # Х/X
- "\u0405" # Ѕ/S
- "\u0406" # І/I
- "\u0408" # Ј/J
- "\u04ae" # Ү/Y
- "\u04c0" # Ӏ/I
- "\u050C" # Ԍ/G
- "\u051a" # Ԛ/Q
- "\u051c" # Ԝ/W
- "\u0391" # Α/A
- "\u0392" # Β/B
- "\u0395" # Ε/E
- "\u0396" # Ζ/Z
- "\u0397" # Η/H
- "\u0399" # Ι/I
- "\u039a" # Κ/K
- "\u039c" # Μ/M
- "\u039d" # Ν/N
- "\u039f" # Ο/O
- "\u03a1" # Ρ/P
- "\u03a4" # Τ/T
- "\u03a5" # Υ/Y
- "\u03a7" # Χ/X
selection_lower:
TargetFilename|contains:
- "\u0430" # а/a
- "\u0435" # е/e
- "\u043e" # о/o
- "\u0440" # р/p
- "\u0441" # с/c
- "\u0445" # х/x
- "\u0455" # ѕ/s
- "\u0456" # і/i
- "\u04cf" # ӏ/l
- "\u0458" # ј/j
- "\u04bb" # һ/h
- "\u0501" # ԁ/d
- "\u051b" # ԛ/q
- "\u051d" # ԝ/w
- "\u03bf" # ο/o
condition: 1 of selection_*
falsepositives:
- File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use.
level: medium
Stages and Predicates
Stage 0: condition
1 of selection_*Stage 1: selection_upper
selection_upper:
TargetFilename|contains:
- "\u0410"
- "\u0412"
- "\u0415"
- "\u041a"
- "\u041c"
- "\u041d"
- "\u041e"
- "\u0420"
- "\u0421"
- "\u0422"
- "\u0425"
- "\u0405"
- "\u0406"
- "\u0408"
- "\u04ae"
- "\u04c0"
- "\u050C"
- "\u051a"
- "\u051c"
- "\u0391"
- "\u0392"
- "\u0395"
- "\u0396"
- "\u0397"
- "\u0399"
- "\u039a"
- "\u039c"
- "\u039d"
- "\u039f"
- "\u03a1"
- "\u03a4"
- "\u03a5"
- "\u03a7"
Stage 2: selection_lower
selection_lower:
TargetFilename|contains:
- "\u0430"
- "\u0435"
- "\u043e"
- "\u0440"
- "\u0441"
- "\u0445"
- "\u0455"
- "\u0456"
- "\u04cf"
- "\u0458"
- "\u04bb"
- "\u0501"
- "\u051b"
- "\u051d"
- "\u03bf"
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
TargetFilename | match |
|