Query Details

Script Interpreter Executing Commands With Non ASCII Characters

Query

let CyrillicChar = datatable (CyrillicCharacter: string)
[
    // (Uppercase)
    "А", "Б", "В", "Г", "Д", "Е", "Ё", "Ж", "З", "И", "Й", "К", "Л", "М", "Н", 
    "О", "П", "Р", "С", "Т", "У", "Ф", "Х", "Ц", "Ч", "Ш", "Щ", "Ъ", "Ы", "Ь", 
    "Э", "Ю", "Я",
    //  (Lowercase)
    "а", "б", "в", "г", "д", "е", "ё", "ж", "з", "и", "й", "к", "л", "м", "н", 
    "о", "п", "р", "с", "т", "у", "ф", "х", "ц", "ч", "ш", "щ", "ъ", "ы", "ь", 
    "э", "ю", "я"
];
let ArabicChar = datatable (ArabicCharacter: string)
[
    "ا",  "ب", "ت", "ث", "ج", "ح", "خ", "د", "ذ", "ر", "ز", "س", "ش", "ص", "ض", "ط", "ظ", "ع", "غ", "ف", "ق", "ك", "ل", "م", "ن", "ه", "و", "ي"
];
let ChineseunicodeChar = "[\u4e00-\u9fff]";
let ScriptInterpreter = datatable (OS: string, ScriptInterpreter: string)
[
    // macOS & Linux
    "macOS / Linux", "/bin/bash",
    "macOS / Linux", "/bin/sh",
    "macOS / Linux", "/bin/zsh",
    "macOS / Linux", "/usr/bin/python",
    "macOS / Linux", "/usr/bin/python3",
    "macOS / Linux", "/usr/bin/perl",
    "macOS / Linux", "/usr/bin/ruby",
    "macOS / Linux", "/usr/bin/osascript",
    "macOS / Linux", "/usr/bin/php",
    // Windows
    "Windows", "powershell.exe",
    "Windows", "pwsh.exe", // PowerShell Core
    "Windows", "cmd.exe",
    "Windows", "wscript.exe", // Windows Script Host 
    "Windows", "cscript.exe", // Windows Script Host 
    "Windows", "mshta.exe", // HTML Application Host 
    "Windows", "regsvr32.exe", 
    "Windows", "rundll32.exe"
];
DeviceProcessEvents
| where FileName has_any (ScriptInterpreter)
| where ProcessCommandLine has_any ( CyrillicChar) or ProcessCommandLine has_any (ArabicChar) or ProcessCommandLine matches regex ChineseunicodeChar

About this query

Script Interpreter Executing Commands with Non-ASCII Characters

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1027Obfuscated Files or Informationhttps://attack.mitre.org/techniques/T1027/
T1059Command and Scripting Interpreterhttps://attack.mitre.org/techniques/T1059/

Description

This rule detects the execution of script interpreters (such as PowerShell, cmd, bash, python, etc.) where the command line contains non-ASCII characters, specifically Cyrillic, Arabic, or Chinese Unicode characters. This pattern can be indicative of obfuscation techniques used by adversaries to evade detection or to target specific region

Author <Optional>

References

Defender XDR

Explanation

This query is designed to detect potentially suspicious activity on a computer system by identifying when script interpreters (like PowerShell, cmd, bash, python, etc.) execute commands that contain non-ASCII characters, specifically Cyrillic, Arabic, or Chinese characters. These characters might be used by attackers to obfuscate their commands, making them harder to detect and analyze, or to target specific regions or languages.

Here's a simple breakdown of the query:

  1. Character Sets: The query defines three sets of non-ASCII characters:

    • Cyrillic Characters: Includes both uppercase and lowercase Cyrillic letters.
    • Arabic Characters: Includes common Arabic script characters.
    • Chinese Characters: Matches any character in the Chinese Unicode range.
  2. Script Interpreters: It lists common script interpreters for both macOS/Linux and Windows systems, such as bash, python, PowerShell, and cmd.

  3. Detection Logic: The query searches through device process events to find instances where any of the listed script interpreters are used and the command line contains any of the specified non-ASCII characters.

By identifying these patterns, the query helps in spotting potential obfuscation techniques or region-specific targeting by adversaries, which are tactics associated with certain MITRE ATT&CK techniques (T1027 and T1059).

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: October 27, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

letdatatablehas_anymatches regexwhereor

MITRE Techniques

Actions

GitHub