Detection identifies execution of scripts or files that appear visually benign (low printable character ratio) yet result in runtime decoding, dynamic evaluation, and subsequent process or network activity. Correlation links script execution with abnormal Unicode density and follow-on behavior such as child process creation or outbound connections.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3, 22 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Script Execution (DC0029) | WinEventLog:PowerShell | EventCode=4103, 4104, 4105, 4106 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |

| Field | Description |
|---|---|
| AllocationSizeThreshold | Tunes for atypically large virtual memory allocations that may indicate dense files of non-rendering characters |
| ExecutionContext | Tunes for the scripting hosts expected to execute scripts (e.g., powershell.exe, wscript.exe, mshta.exe) |
| UnicodeDensityThreshold | Tunes for invisible characters or atypical amounts of Unicode characters (U+...) |
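The correlation described above, as an added example that is not part of the original analytic: it scores PowerShell script block logs (EventCode 4104) by the density of Unicode format and private-use code points, keeps only blocks from hosts named in ExecutionContext, and then looks for Sysmon child process creation (EventCode 1) and outbound connections (EventCode 3) from the same process inside a short window. The event dictionaries, the threshold values and the assumption that the 4104 record carries the script host's ProcessId are all constructed for this example.

```python
import unicodedata
from datetime import datetime, timedelta

# Tunables mirroring the analytic's fields (values are assumed starting points)
UNICODE_DENSITY_THRESHOLD = 0.20   # fraction of format/private-use code points in a script block
EXECUTION_CONTEXT = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
CORRELATION_WINDOW = timedelta(minutes=5)


def invisible_density(text: str) -> float:
    """Fraction of code points in Unicode categories Cf (format: zero-width
    spaces/joiners, bidi controls, tag characters) or Co (private use)."""
    if not text:
        return 0.0
    hidden = sum(1 for ch in text if unicodedata.category(ch) in ("Cf", "Co"))
    return hidden / len(text)


# Constructed sample events. The ProcessId on the 4104 record is assumed to be
# the script host's PID taken from the event's system metadata.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "Channel": "WinEventLog:PowerShell", "EventCode": 4104,
     "ProcessId": 4242, "Image": "powershell.exe",
     # 60 zero-width characters hidden inside an innocent-looking assignment
     "ScriptBlockText": "$s = '" + "\u200b\u200c\u200d\u2060" * 15 + "'; iex $s"},
    {"time": "2024-05-01T10:00:01", "Channel": "WinEventLog:PowerShell", "EventCode": 4104,
     "ProcessId": 4300, "Image": "powershell.exe",
     "ScriptBlockText": "Get-Process | Where-Object CPU -gt 10"},
    {"time": "2024-05-01T10:00:03", "Channel": "WinEventLog:Sysmon", "EventCode": 1,
     "ProcessId": 5100, "ParentProcessId": 4242, "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"time": "2024-05-01T10:00:05", "Channel": "WinEventLog:Sysmon", "EventCode": 3,
     "ProcessId": 4242, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"time": "2024-05-01T10:00:06", "Channel": "WinEventLog:Sysmon", "EventCode": 3,
     "ProcessId": 4300, "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]


def correlate(events: list) -> list:
    """Pair dense script blocks from in-scope hosts with child-process creation
    (Sysmon EventCode 1, matched on ParentProcessId) and outbound connections
    (Sysmon EventCode 3, matched on ProcessId) inside the correlation window."""
    sysmon = [e for e in events if e["Channel"] == "WinEventLog:Sysmon"]
    alerts = []
    for e in events:
        if e.get("EventCode") != 4104 or e.get("Image", "").lower() not in EXECUTION_CONTEXT:
            continue
        density = invisible_density(e.get("ScriptBlockText", ""))
        if density < UNICODE_DENSITY_THRESHOLD:
            continue
        t0 = datetime.fromisoformat(e["time"])

        def in_window(s):
            return t0 <= datetime.fromisoformat(s["time"]) <= t0 + CORRELATION_WINDOW

        children = [s["Image"] for s in sysmon
                    if s["EventCode"] == 1 and s.get("ParentProcessId") == e["ProcessId"] and in_window(s)]
        conns = [f'{s["DestinationIp"]}:{s["DestinationPort"]}' for s in sysmon
                 if s["EventCode"] == 3 and s.get("ProcessId") == e["ProcessId"] and in_window(s)]
        if children or conns:
            alerts.append({"script_pid": e["ProcessId"], "density": round(density, 2),
                           "child_processes": children, "connections": conns})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the first script block fires: its density is 0.8, and the same PID spawns cmd.exe and opens an outbound connection within the window. The benign Get-Process block also makes a connection, but with a density of 0.0 it never reaches the correlation step, which is the point of gating on structure before behavior.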
Detection identifies execution of scripts containing high concentrations of invisible Unicode characters followed by decoding or interpretation behaviors (e.g., base64 decode, eval) and subsequent process or network activity. Emphasis is placed on the mismatch between file entropy/structure and execution output.

| Data Component | Name | Channel |
|---|---|---|
| File Metadata (DC0059) | auditd:SYSCALL | stat and lstat syscall results on files, including inode and permission info |
| Command Execution (DC0064) | auditd:EXECVE | execve of script/interpreter (bash, python, node) with suspicious encoded or non-printable content |

| Field | Description |
|---|---|
| DecodeUtility | Decode utility invoked on the script content; may include base64 |
| EntropyThreshold | Tunes for file sections whose high entropy indicates embedded Unicode sequences |
Detection identifies execution of scripts or applications containing invisible Unicode payloads reconstructed at runtime, correlated with abnormal AppleScript, JavaScript for Automation, or shell execution and subsequent process or network behavior inconsistent with the visible file content.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | NSM:Flow | log entries indicating network connection initiation on macOS |
| Command Execution (DC0064) | macos:unifiedlog | Execution of osascript, sh, bash, zsh, installer, open |
| File Access (DC0055) | macos:unifiedlog | File access to scripts with abnormal encoding patterns |

| Field | Description |
|---|---|
| ExecutionContext | Use of AppleScript or JavaScript functions not typically expected (such as eval()) |
| UnicodeCharacterSet | Specific Unicode ranges monitored (zero-width, PUA, bidi) |
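The file-structure checks behind both the Linux and the macOS analytics above, as an added example that is not part of the original page: it computes byte-level Shannon entropy against EntropyThreshold, counts code points per monitored UnicodeCharacterSet range (zero-width, bidi, tag, PUA), maps Unicode tag characters back to the ASCII they shadow so an analyst can see what a runtime decoder would reconstruct, and raises an alert when an interpreter (sh, python, node, osascript) executes a file that fails those checks or when the command line invokes a DecodeUtility. The two sample scripts, the threshold values, the range definitions and the DYNAMIC_EVAL_MARKERS list are constructed for this example; the ExecutionContext and DecodeUtility values are assumed starting points, not settings taken from the analytics.

```python
import math
from collections import Counter

# Tunables mirroring the analytics' fields (values are assumed starting points)
UNICODE_CHARACTER_SET = {
    "zero_width": {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF},
    "bidi": set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A)),
    "tags": set(range(0xE0000, 0xE0080)),
    "pua": set(range(0xE000, 0xF900)) | set(range(0xF0000, 0xFFFFE)) | set(range(0x100000, 0x10FFFE)),
}
ENTROPY_THRESHOLD = 4.5            # bits per byte
INVISIBLE_RATIO_THRESHOLD = 0.10   # hidden code points / total code points
DECODE_UTILITIES = ("base64", "xxd -r", "openssl enc -d")
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "node", "osascript"}
DYNAMIC_EVAL_MARKERS = ("eval(", "do shell script", "run script")


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_invisible(text: str) -> dict:
    """Count code points falling in each monitored Unicode range."""
    hits = Counter()
    for ch in text:
        cp = ord(ch)
        for name, members in UNICODE_CHARACTER_SET.items():
            if cp in members:
                hits[name] += 1
                break
    return dict(hits)


def reveal_tag_payload(text: str) -> str:
    """Map Unicode tag characters (U+E0020..U+E007E) back to the ASCII they
    shadow, so an analyst can read what a runtime decoder would reconstruct."""
    return "".join(chr(ord(ch) - 0xE0000) for ch in text if 0xE0020 <= ord(ch) <= 0xE007E)


def analyze_file(raw: bytes) -> dict:
    """File-structure checks: entropy, invisible-character ratio per range,
    and presence of dynamic-evaluation markers in the visible text."""
    text = raw.decode("utf-8", errors="replace")
    hits = classify_invisible(text)
    ratio = sum(hits.values()) / max(len(text), 1)
    entropy = shannon_entropy(raw)
    return {
        "entropy": round(entropy, 2),
        "invisible_ratio": round(ratio, 3),
        "ranges": hits,
        "dynamic_eval": any(m in text for m in DYNAMIC_EVAL_MARKERS),
        "hidden_text": reveal_tag_payload(text),
        "suspicious": entropy >= ENTROPY_THRESHOLD or ratio >= INVISIBLE_RATIO_THRESHOLD,
    }


def evaluate_execution(cmdline: str, raw: bytes) -> dict:
    """Alert when an interpreter (execve on Linux, osascript/sh on macOS) runs a
    file that fails the structure checks, or when the command line itself
    invokes a decode utility."""
    parts = cmdline.split()
    argv0 = parts[0].rsplit("/", 1)[-1] if parts else ""
    report = analyze_file(raw)
    report["decode_utility"] = any(u in cmdline for u in DECODE_UTILITIES)
    report["alert"] = argv0 in INTERPRETERS and (report["suspicious"] or report["decode_utility"])
    return report


# Constructed samples: a clean helper script and one whose visible lines look
# harmless but carry text spelled in Unicode tag characters.
SAMPLE_CLEAN = b"#!/bin/sh\necho build ok\nexit 0\n"
SAMPLE_HIDDEN = ("#!/bin/sh\n# build tool helper\n"
                 + "".join(chr(0xE0000 + ord(c)) for c in "echo hidden-payload")
                 + "\nexit 0\n").encode("utf-8")

if __name__ == "__main__":
    print(evaluate_execution("/bin/sh /tmp/build.sh", SAMPLE_CLEAN))
    print(evaluate_execution("/bin/sh /tmp/helper.sh", SAMPLE_HIDDEN))
```

Note that entropy and invisible-character ratio are deliberately independent triggers: a file stuffed with one repeated zero-width character has low byte entropy, so the ratio check catches it, while a payload spread across many distinct tag characters raises entropy even when it is a small fraction of the file. The hidden_text field turns the tag-character run into readable ASCII for triage rather than leaving the analyst with a ratio alone.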