Home/CVE-2016-4117/Sigma rules
Sigma

Sigma rules for CVE-2016-4117

201 rules · scoped to cve · back to CVE-2016-4117
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

1 of 201
related high
Potential PowerShell Obfuscation Via WCHAR/CHAR
Detects suspicious encoded character syntax often used for defense evasion
status test author Florian Roth (Nextron Systems) id e312efd0-35a1-407f-8439-b8d434b438a6 license Sigma · DRL-1.1
view Sigma YAML 
title: Potential PowerShell Obfuscation Via WCHAR/CHAR
id: e312efd0-35a1-407f-8439-b8d434b438a6
status: test
description: Detects suspicious encoded character syntax often used for defense evasion
references:
    - https://twitter.com/0gtweet/status/1281103918693482496
author: Florian Roth (Nextron Systems)
date: 2020-07-09
modified: 2025-03-03
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '[char]0x'
            - '(WCHAR)0x'
    condition: selection
falsepositives:
    - Unknown
level: high
Showing 201-201 of 201
Prev 5 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin