fix: drop ambiguous option chars (dashes) from ArgFuscator detection to reduce FPs

LasCC · LasCC · commit 68c4537b74ef · 2026-03-27T20:31:00.000-04:00
diff --git a/s1_powerquery_hunting.json b/s1_powerquery_hunting.json
@@ -457,6 +457,6 @@
     {
         "category": "Defense Evasion",
         "name": "ArgFuscator Command-Line Obfuscation (T1027.010)",
-        "query": "endpoint.os = \"windows\" AND (#cmdline contains (\"\u1d43\",\"\u1d47\",\"\u1d9c\",\"\u1d48\",\"\u1d49\",\"\u1da0\",\"\u1d4d\",\"\u02b0\",\"\u02b2\",\"\u1d4f\",\"\u02e1\",\"\u1d50\",\"\u207f\",\"\u1d52\",\"\u1d56\",\"\u02b3\",\"\u02e2\",\"\u1d57\",\"\u1d58\",\"\u1d5b\",\"\u02b7\",\"\u02e3\",\"\u02b8\",\"\u1dbb\") OR (#cmdline contains (\"\uff42\",\"\uff43\",\"\uff44\",\"\uff46\",\"\uff48\",\"\uff49\",\"\uff4a\",\"\uff4b\",\"\uff4d\",\"\uff50\",\"\uff51\",\"\uff52\",\"\uff53\",\"\uff54\",\"\uff55\",\"\uff56\",\"\uff57\",\"\uff58\",\"\uff59\",\"\uff5a\",\"\uff21\",\"\uff24\",\"\uff2a\",\"\uff2b\",\"\uff2f\",\"\uff33\",\"\uff34\",\"\uff35\",\"\uff36\",\"\uff37\",\"\uff38\",\"\uff39\",\"\uff02\",\"\uff10\",\"\uff11\",\"\uff1a\",\"\u2010\",\"\u2012\",\"\u2013\",\"\u2014\",\"\u2015\",\"\u2044\",\"\u2212\",\"\u2215\",\"\ufe63\",\"\uff0d\",\"\u00ad\",\"\u034f\",\"\u200b\",\"\u200c\",\"\u200d\",\"\u200e\",\"\u200f\",\"\u202a\",\"\u202b\",\"\u202c\",\"\u202d\",\"\u202e\",\"\u2060\",\"\u2061\",\"\u2062\",\"\u2063\",\"\u2064\",\"\ufeff\") AND src.process.name in (\"adfind.exe\",\"arp.exe\",\"aspnet_compiler.exe\",\"auditpol.exe\",\"bcdedit.exe\",\"cacls.exe\",\"certreq.exe\",\"certutil.exe\",\"cmdkey.exe\",\"cmstp.exe\",\"csc.exe\",\"cscript.exe\",\"curl.exe\",\"dism.exe\",\"driverquery.exe\",\"expand.exe\",\"extrac32.exe\",\"findstr.exe\",\"forfiles.exe\",\"ftp.exe\",\"ipconfig.exe\",\"jsc.exe\",\"makecab.exe\",\"msbuild.exe\",\"msiexec.exe\",\"nbtstat.exe\",\"net.exe\",\"netstat.exe\",\"nltest.exe\",\"nslookup.exe\",\"ping.exe\",\"pnputil.exe\",\"powershell.exe\",\"pwsh.exe\",\"procdump.exe\",\"psexec.exe\",\"query.exe\",\"reg.exe\",\"regedit.exe\",\"regsvr32.exe\",\"robocopy.exe\",\"route.exe\",\"rpcping.exe\",\"runas.exe\",\"schtasks.exe\",\"takeown.exe\",\"tar.exe\",\"taskkill.exe\",\"tasklist.exe\",\"vbc.exe\",\"w32tm.exe\",\"wevtutil.exe\",\"where.exe\",\"whoami.exe\",\"wmic.exe\",\"wscript.exe\")))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline), UniqueTgtCmdlines=array_agg_distinct(tgt.process.cmdline) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', '), AllTgtCmdlines = UniqueTgtCmdlines.to_string(', ')\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, AllTgtCmdlines, Count\n| sort -Count\n| limit 100000"
+        "query": "endpoint.os = \"windows\" AND (#cmdline contains (\"\u1d43\",\"\u1d47\",\"\u1d9c\",\"\u1d48\",\"\u1d49\",\"\u1da0\",\"\u1d4d\",\"\u02b0\",\"\u02b2\",\"\u1d4f\",\"\u02e1\",\"\u1d50\",\"\u207f\",\"\u1d52\",\"\u1d56\",\"\u02b3\",\"\u02e2\",\"\u1d57\",\"\u1d58\",\"\u1d5b\",\"\u02b7\",\"\u02e3\",\"\u02b8\",\"\u1dbb\") OR (#cmdline contains (\"\uff42\",\"\uff43\",\"\uff44\",\"\uff46\",\"\uff48\",\"\uff49\",\"\uff4a\",\"\uff4b\",\"\uff4d\",\"\uff50\",\"\uff51\",\"\uff52\",\"\uff53\",\"\uff54\",\"\uff55\",\"\uff56\",\"\uff57\",\"\uff58\",\"\uff59\",\"\uff5a\",\"\uff21\",\"\uff24\",\"\uff2a\",\"\uff2b\",\"\uff2f\",\"\uff33\",\"\uff34\",\"\uff35\",\"\uff36\",\"\uff37\",\"\uff38\",\"\uff39\",\"\uff02\",\"\uff10\",\"\uff11\",\"\uff1a\",\"\u00ad\",\"\u034f\",\"\u200b\",\"\u200c\",\"\u200d\",\"\u200e\",\"\u200f\",\"\u202a\",\"\u202b\",\"\u202c\",\"\u202d\",\"\u202e\",\"\u2060\",\"\u2061\",\"\u2062\",\"\u2063\",\"\u2064\",\"\ufeff\") AND src.process.name in (\"adfind.exe\",\"arp.exe\",\"aspnet_compiler.exe\",\"auditpol.exe\",\"bcdedit.exe\",\"cacls.exe\",\"certreq.exe\",\"certutil.exe\",\"cmdkey.exe\",\"cmstp.exe\",\"csc.exe\",\"cscript.exe\",\"curl.exe\",\"dism.exe\",\"driverquery.exe\",\"expand.exe\",\"extrac32.exe\",\"findstr.exe\",\"forfiles.exe\",\"ftp.exe\",\"ipconfig.exe\",\"jsc.exe\",\"makecab.exe\",\"msbuild.exe\",\"msiexec.exe\",\"nbtstat.exe\",\"net.exe\",\"netstat.exe\",\"nltest.exe\",\"nslookup.exe\",\"ping.exe\",\"pnputil.exe\",\"powershell.exe\",\"pwsh.exe\",\"procdump.exe\",\"psexec.exe\",\"query.exe\",\"reg.exe\",\"regedit.exe\",\"regsvr32.exe\",\"robocopy.exe\",\"route.exe\",\"rpcping.exe\",\"runas.exe\",\"schtasks.exe\",\"takeown.exe\",\"tar.exe\",\"taskkill.exe\",\"tasklist.exe\",\"vbc.exe\",\"w32tm.exe\",\"wevtutil.exe\",\"where.exe\",\"whoami.exe\",\"wmic.exe\",\"wscript.exe\")))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline), UniqueTgtCmdlines=array_agg_distinct(tgt.process.cmdline) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', '), AllTgtCmdlines = UniqueTgtCmdlines.to_string(', ')\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, AllTgtCmdlines, Count\n| sort -Count\n| limit 100000"
     }
 ]

Original file line number	Diff line number	Diff line change
`@@ -457,6 +457,6 @@`
`457`	`457`	`{`
`458`	`458`	`"category": "Defense Evasion",`
`459`	`459`	`"name": "ArgFuscator Command-Line Obfuscation (T1027.010)",`
`460`		- "query": "endpoint.os = \"windows\" AND (#cmdline contains (\"\u1d43\",\"\u1d47\",\"\u1d9c\",\"\u1d48\",\"\u1d49\",\"\u1da0\",\"\u1d4d\",\"\u02b0\",\"\u02b2\",\"\u1d4f\",\"\u02e1\",\"\u1d50\",\"\u207f\",\"\u1d52\",\"\u1d56\",\"\u02b3\",\"\u02e2\",\"\u1d57\",\"\u1d58\",\"\u1d5b\",\"\u02b7\",\"\u02e3\",\"\u02b8\",\"\u1dbb\") OR (#cmdline contains (\"\uff42\",\"\uff43\",\"\uff44\",\"\uff46\",\"\uff48\",\"\uff49\",\"\uff4a\",\"\uff4b\",\"\uff4d\",\"\uff50\",\"\uff51\",\"\uff52\",\"\uff53\",\"\uff54\",\"\uff55\",\"\uff56\",\"\uff57\",\"\uff58\",\"\uff59\",\"\uff5a\",\"\uff21\",\"\uff24\",\"\uff2a\",\"\uff2b\",\"\uff2f\",\"\uff33\",\"\uff34\",\"\uff35\",\"\uff36\",\"\uff37\",\"\uff38\",\"\uff39\",\"\uff02\",\"\uff10\",\"\uff11\",\"\uff1a\",\"\u2010\",\"\u2012\",\"\u2013\",\"\u2014\",\"\u2015\",\"\u2044\",\"\u2212\",\"\u2215\",\"\ufe63\",\"\uff0d\",\"\u00ad\",\"\u034f\",\"\u200b\",\"\u200c\",\"\u200d\",\"\u200e\",\"\u200f\",\"\u202a\",\"\u202b\",\"\u202c\",\"\u202d\",\"\u202e\",\"\u2060\",\"\u2061\",\"\u2062\",\"\u2063\",\"\u2064\",\"\ufeff\") AND src.process.name in (\"adfind.exe\",\"arp.exe\",\"aspnet_compiler.exe\",\"auditpol.exe\",\"bcdedit.exe\",\"cacls.exe\",\"certreq.exe\",\"certutil.exe\",\"cmdkey.exe\",\"cmstp.exe\",\"csc.exe\",\"cscript.exe\",\"curl.exe\",\"dism.exe\",\"driverquery.exe\",\"expand.exe\",\"extrac32.exe\",\"findstr.exe\",\"forfiles.exe\",\"ftp.exe\",\"ipconfig.exe\",\"jsc.exe\",\"makecab.exe\",\"msbuild.exe\",\"msiexec.exe\",\"nbtstat.exe\",\"net.exe\",\"netstat.exe\",\"nltest.exe\",\"nslookup.exe\",\"ping.exe\",\"pnputil.exe\",\"powershell.exe\",\"pwsh.exe\",\"procdump.exe\",\"psexec.exe\",\"query.exe\",\"reg.exe\",\"regedit.exe\",\"regsvr32.exe\",\"robocopy.exe\",\"route.exe\",\"rpcping.exe\",\"runas.exe\",\"schtasks.exe\",\"takeown.exe\",\"tar.exe\",\"taskkill.exe\",\"tasklist.exe\",\"vbc.exe\",\"w32tm.exe\",\"wevtutil.exe\",\"where.exe\",\"whoami.exe\",\"wmic.exe\",\"wscript.exe\")))\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline), UniqueTgtCmdlines=array_agg_distinct(tgt.process.cmdline) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', '), AllTgtCmdlines = UniqueTgtCmdlines.to_string(', ')\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, AllTgtCmdlines, Count\n\| sort -Count\n\| limit 100000"
	`460`	+ "query": "endpoint.os = \"windows\" AND (#cmdline contains (\"\u1d43\",\"\u1d47\",\"\u1d9c\",\"\u1d48\",\"\u1d49\",\"\u1da0\",\"\u1d4d\",\"\u02b0\",\"\u02b2\",\"\u1d4f\",\"\u02e1\",\"\u1d50\",\"\u207f\",\"\u1d52\",\"\u1d56\",\"\u02b3\",\"\u02e2\",\"\u1d57\",\"\u1d58\",\"\u1d5b\",\"\u02b7\",\"\u02e3\",\"\u02b8\",\"\u1dbb\") OR (#cmdline contains (\"\uff42\",\"\uff43\",\"\uff44\",\"\uff46\",\"\uff48\",\"\uff49\",\"\uff4a\",\"\uff4b\",\"\uff4d\",\"\uff50\",\"\uff51\",\"\uff52\",\"\uff53\",\"\uff54\",\"\uff55\",\"\uff56\",\"\uff57\",\"\uff58\",\"\uff59\",\"\uff5a\",\"\uff21\",\"\uff24\",\"\uff2a\",\"\uff2b\",\"\uff2f\",\"\uff33\",\"\uff34\",\"\uff35\",\"\uff36\",\"\uff37\",\"\uff38\",\"\uff39\",\"\uff02\",\"\uff10\",\"\uff11\",\"\uff1a\",\"\u00ad\",\"\u034f\",\"\u200b\",\"\u200c\",\"\u200d\",\"\u200e\",\"\u200f\",\"\u202a\",\"\u202b\",\"\u202c\",\"\u202d\",\"\u202e\",\"\u2060\",\"\u2061\",\"\u2062\",\"\u2063\",\"\u2064\",\"\ufeff\") AND src.process.name in (\"adfind.exe\",\"arp.exe\",\"aspnet_compiler.exe\",\"auditpol.exe\",\"bcdedit.exe\",\"cacls.exe\",\"certreq.exe\",\"certutil.exe\",\"cmdkey.exe\",\"cmstp.exe\",\"csc.exe\",\"cscript.exe\",\"curl.exe\",\"dism.exe\",\"driverquery.exe\",\"expand.exe\",\"extrac32.exe\",\"findstr.exe\",\"forfiles.exe\",\"ftp.exe\",\"ipconfig.exe\",\"jsc.exe\",\"makecab.exe\",\"msbuild.exe\",\"msiexec.exe\",\"nbtstat.exe\",\"net.exe\",\"netstat.exe\",\"nltest.exe\",\"nslookup.exe\",\"ping.exe\",\"pnputil.exe\",\"powershell.exe\",\"pwsh.exe\",\"procdump.exe\",\"psexec.exe\",\"query.exe\",\"reg.exe\",\"regedit.exe\",\"regsvr32.exe\",\"robocopy.exe\",\"route.exe\",\"rpcping.exe\",\"runas.exe\",\"schtasks.exe\",\"takeown.exe\",\"tar.exe\",\"taskkill.exe\",\"tasklist.exe\",\"vbc.exe\",\"w32tm.exe\",\"wevtutil.exe\",\"where.exe\",\"whoami.exe\",\"wmic.exe\",\"wscript.exe\")))\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline), UniqueTgtCmdlines=array_agg_distinct(tgt.process.cmdline) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', '), AllTgtCmdlines = UniqueTgtCmdlines.to_string(', ')\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, AllTgtCmdlines, Count\n\| sort -Count\n\| limit 100000"
`461`	`461`	`}`
`462`	`462`	`]`