title: Suspicious Commandline Escape description: Detects suspicious process that use escape characters status: experimental references: - https://twitter.com/vysecurity/status/885545634958385153 - https://twitter.com/Hexacorn/status/885553465417756673 - https://twitter.com/Hexacorn/status/885570278637678592 - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/ author: juju4 modified: 2018/12/11 tags: - attack.defense_evasion - attack.t1140 logsource: category: process_creation product: windows detection: selection: CommandLine: - - ^h^t^t^p - h"t"t"p condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment level: low