fromCharCode in unicode

Hunt Hypothesis

The detection rule identifies potential obfuscation techniques using fromCharCode in Unicode strings, which may indicate adversaries attempting to bypass basic string-based detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to uncover stealthy payloads or command-and-control communications that evade traditional signature-based detection.

YARA Rule

rule fromCharCode_in_unicode {
    strings: 
        $ = "\\u0066\\u0072\\u006f\\u006d\\u0043\\u0068\\u0061\\u0072\\u0043\\u006f\\u0064\\u0065"
    condition: 
        any of them and filesize < 500KB
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints
• Source Rule

False Positive Guidance

• Scenario: Scripting in PowerShell using fromCharCode for string manipulation
  Description: A legitimate PowerShell script may use fromCharCode to construct strings dynamically, such as when generating filenames or processing user input.
  Filter/Exclusion: Check for the presence of PowerShell in the process name or filter by ProcessName == "powershell.exe".

• Scenario: Unicode string construction in JavaScript-based web applications
  Description: Web applications or frontend scripts may use fromCharCode to build Unicode strings for rendering or data processing.
  Filter/Exclusion: Filter by ProcessName == "chrome.exe" or ProcessName == "iexplore.exe" and exclude known web application domains.

• Scenario: Scheduled job using JavaScript to generate reports
  Description: A scheduled job may use a JavaScript-based tool (e.g., Node.js script) to generate reports or export data using Unicode characters.
  Filter/Exclusion: Exclude processes associated with scheduled tasks (e.g., Task Scheduler or schtasks.exe) or filter by known reporting tools.

• Scenario: Admin task using a custom script to handle Unicode encoding
  Description: System administrators may use custom scripts (e.g., in Python or Bash) to handle Unicode encoding, such as converting between character sets.
  Filter/Exclusion: Filter by user account (e.g., User == "admin") or check for the presence of admin in the command line arguments.

• Scenario: Log parsing tool using Unicode for log formatting
  Description: Log parsing or monitoring tools (e.g., Splunk, ELK stack) may use Unicode in their internal processing or formatting logic.
  Filter/Exclusion: Exclude processes related to log parsing tools (e.g., splunkd.exe, logstash.exe) or filter by known