
Commit 68c4537

committed
fix: drop ambiguous option chars (dashes) from ArgFuscator detection to reduce FPs
1 parent f4109c5 commit 68c4537


1 file changed

+1
-1
lines changed


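--- a/s1_powerquery_hunting.json
+++ b/s1_powerquery_hunting.json
@@ -457,6 +457,6 @@
 {
 "category": "Defense Evasion",
 "name": "ArgFuscator Command-Line Obfuscation (T1027.010)",
-"query": "endpoint.os = \"windows\" AND (#cmdline contains (\"\u1d43\",\"\u1d47\",\"\u1d9c\",\"\u1d48\",\"\u1d49\",\"\u1da0\",\"\u1d4d\",\"\u02b0\",\"\u02b2\",\"\u1d4f\",\"\u02e1\",\"\u1d50\",\"\u207f\",\"\u1d52\",\"\u1d56\",\"\u02b3\",\"\u02e2\",\"\u1d57\",\"\u1d58\",\"\u1d5b\",\"\u02b7\",\"\u02e3\",\"\u02b8\",\"\u1dbb\") OR (#cmdline contains (\"\uff42\",\"\uff43\",\"\uff44\",\"\uff46\",\"\uff48\",\"\uff49\",\"\uff4a\",\"\uff4b\",\"\uff4d\",\"\uff50\",\"\uff51\",\"\uff52\",\"\uff53\",\"\uff54\",\"\uff55\",\"\uff56\",\"\uff57\",\"\uff58\",\"\uff59\",\"\uff5a\",\"\uff21\",\"\uff24\",\"\uff2a\",\"\uff2b\",\"\uff2f\",\"\uff33\",\"\uff34\",\"\uff35\",\"\uff36\",\"\uff37\",\"\uff38\",\"\uff39\",\"\uff02\",\"\uff10\",\"\uff11\",\"\uff1a\",\"\u2010\",\"\u2012\",\"\u2013\",\"\u2014\",\"\u2015\",\"\u2044\",\"\u2212\",\"\u2215\",\"\ufe63\",\"\uff0d\",\"\u00ad\",\"\u034f\",\"\u200b\",\"\u200c\",\"\u200d\",\"\u200e\",\"\u200f\",\"\u202a\",\"\u202b\",\"\u202c\",\"\u202d\",\"\u202e\",\"\u2060\",\"\u2061\",\"\u2062\",\"\u2063\",\"\u2064\",\"\ufeff\") AND src.process.name in (\"adfind.exe\",\"arp.exe\",\"aspnet_compiler.exe\",\"auditpol.exe\",\"bcdedit.exe\",\"cacls.exe\",\"certreq.exe\",\"certutil.exe\",\"cmdkey.exe\",\"cmstp.exe\",\"csc.exe\",\"cscript.exe\",\"curl.exe\",\"dism.exe\",\"driverquery.exe\",\"expand.exe\",\"extrac32.exe\",\"findstr.exe\",\"forfiles.exe\",\"ftp.exe\",\"ipconfig.exe\",\"jsc.exe\",\"makecab.exe\",\"msbuild.exe\",\"msiexec.exe\",\"nbtstat.exe\",\"net.exe\",\"netstat.exe\",\"nltest.exe\",\"nslookup.exe\",\"ping.exe\",\"pnputil.exe\",\"powershell.exe\",\"pwsh.exe\",\"procdump.exe\",\"psexec.exe\",\"query.exe\",\"reg.exe\",\"regedit.exe\",\"regsvr32.exe\",\"robocopy.exe\",\"route.exe\",\"rpcping.exe\",\"runas.exe\",\"schtasks.exe\",\"takeown.exe\",\"tar.exe\",\"taskkill.exe\",\"tasklist.exe\",\"vbc.exe\",\"w32tm.exe\",\"wevtutil.exe\",\"where.exe\",\"whoami.exe\",\"wmic.exe\",\"wscript.exe\")))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline), UniqueTgtCmdlines=array_agg_distinct(tgt.process.cmdline) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', '), AllTgtCmdlines = UniqueTgtCmdlines.to_string(', ')\n| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, AllTgtCmdlines, Count\n| sort -Count\n| limit 100000"
+"query": "endpoint.os = \"windows\" AND (#cmdline contains (\"\u1d43\",\"\u1d47\",\"\u1d9c\",\"\u1d48\",\"\u1d49\",\"\u1da0\",\"\u1d4d\",\"\u02b0\",\"\u02b2\",\"\u1d4f\",\"\u02e1\",\"\u1d50\",\"\u207f\",\"\u1d52\",\"\u1d56\",\"\u02b3\",\"\u02e2\",\"\u1d57\",\"\u1d58\",\"\u1d5b\",\"\u02b7\",\"\u02e3\",\"\u02b8\",\"\u1dbb\") OR (#cmdline contains (\"\uff42\",\"\uff43\",\"\uff44\",\"\uff46\",\"\uff48\",\"\uff49\",\"\uff4a\",\"\uff4b\",\"\uff4d\",\"\uff50\",\"\uff51\",\"\uff52\",\"\uff53\",\"\uff54\",\"\uff55\",\"\uff56\",\"\uff57\",\"\uff58\",\"\uff59\",\"\uff5a\",\"\uff21\",\"\uff24\",\"\uff2a\",\"\uff2b\",\"\uff2f\",\"\uff33\",\"\uff34\",\"\uff35\",\"\uff36\",\"\uff37\",\"\uff38\",\"\uff39\",\"\uff02\",\"\uff10\",\"\uff11\",\"\uff1a\",\"\u00ad\",\"\u034f\",\"\u200b\",\"\u200c\",\"\u200d\",\"\u200e\",\"\u200f\",\"\u202a\",\"\u202b\",\"\u202c\",\"\u202d\",\"\u202e\",\"\u2060\",\"\u2061\",\"\u2062\",\"\u2063\",\"\u2064\",\"\ufeff\") AND src.process.name in (\"adfind.exe\",\"arp.exe\",\"aspnet_compiler.exe\",\"auditpol.exe\",\"bcdedit.exe\",\"cacls.exe\",\"certreq.exe\",\"certutil.exe\",\"cmdkey.exe\",\"cmstp.exe\",\"csc.exe\",\"cscript.exe\",\"curl.exe\",\"dism.exe\",\"driverquery.exe\",\"expand.exe\",\"extrac32.exe\",\"findstr.exe\",\"forfiles.exe\",\"ftp.exe\",\"ipconfig.exe\",\"jsc.exe\",\"makecab.exe\",\"msbuild.exe\",\"msiexec.exe\",\"nbtstat.exe\",\"net.exe\",\"netstat.exe\",\"nltest.exe\",\"nslookup.exe\",\"ping.exe\",\"pnputil.exe\",\"powershell.exe\",\"pwsh.exe\",\"procdump.exe\",\"psexec.exe\",\"query.exe\",\"reg.exe\",\"regedit.exe\",\"regsvr32.exe\",\"robocopy.exe\",\"route.exe\",\"rpcping.exe\",\"runas.exe\",\"schtasks.exe\",\"takeown.exe\",\"tar.exe\",\"taskkill.exe\",\"tasklist.exe\",\"vbc.exe\",\"w32tm.exe\",\"wevtutil.exe\",\"where.exe\",\"whoami.exe\",\"wmic.exe\",\"wscript.exe\")))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline), UniqueTgtCmdlines=array_agg_distinct(tgt.process.cmdline) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', '), AllTgtCmdlines = UniqueTgtCmdlines.to_string(', ')\n| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, AllTgtCmdlines, Count\n| sort -Count\n| limit 100000"
 }
 ]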
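Review bot: Removing the whole dash set from the second `#cmdline contains (...)` list also silently drops the two slash variants `\u2044` and `\u2215`, which are the `/` switch-prefix analogue of the dashes and are not "dashes" as the commit title describes, and the new query keeps no substitute for option-prefix substitution at all, so that ArgFuscator technique is now undetected for every binary in the `src.process.name` list rather than matched more precisely. A narrower fix would keep the dash and slash variants but anchor them to option position — preceded by whitespace and followed by an option letter — so en/em dashes inside quoted paths and document titles (the likely FP source) stop matching; if the PowerQuery dialect in use accepts a regex operator, that is one extra clause along the lines of `OR src.process.cmdline matches "\s[\u2010\u2012-\u2015\u2044\u2212\u2215\ufe63\uff0d][A-Za-z/]"`, and if not, dropping only the prose-common `\u2013`/`\u2014` while keeping `\u2212`, `\ufe63`, `\uff0d`, `\u2044` and `\u2215` is a smaller retreat. Separately, the superscript-letter branch (`\u1d43`…`\u1dbb`) sits outside the `src.process.name in (...)` scope, so it fires for any process on the host — probably intentional given how rare those code points are in legitimate arguments, but worth confirming since the same FP pressure that motivated this commit applies there. Because JSON carries no comments, consider recording the removed code points and the reason in the rule's metadata (a `description` or similar field, if the hunting schema has one) so the coverage gap is visible to whoever tunes this rule next.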
