← Back to SOC feed Coverage →

Obfuscated IP Via CLI

sigma MEDIUM SigmaHQ
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-21T23:00:01Z · Confidence: medium

Hunt Hypothesis

Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line

Detection Rule

Sigma (Original)

title: Obfuscated IP Via CLI
id: 56d19cb4-6414-4769-9644-1ed35ffbb148
status: test
description: Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
references:
    - https://h.43z.one/ipconverter/
    - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-08-03
modified: 2026-03-16
tags:
    - attack.discovery
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\ping.exe'
            - '\arp.exe'
    selection_ip_1:
        CommandLine|contains:
            - ' 0x'
            - '//0x'
            - '.0x'
            - '.00x'
    selection_ip_2:
        CommandLine|contains|all:
            - 'http://%'
            - '%2e'
    selection_ip_3:
        # http://81.4.31754
        - CommandLine|re: 'https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}'
        # http://81.293898
        - CommandLine|re: 'https?://[0-9]{1,3}\.0[0-9]{3,7}'
        # http://1359248394
        - CommandLine|re: 'https?://0[0-9]{3,11}'
        # http://0121.04.0174.012
        - CommandLine|re: 'https?://(?:0[0-9]{1,11}\.){3}0[0-9]{1,11}'
        # http://012101076012
        - CommandLine|re: 'https?://0[0-9]{1,11}'
        # For octal format
        - CommandLine|re: ' [0-7]{7,13}'
    filter_main_valid_ip:
        CommandLine|re: 'https?://(?:(?:25[0-5]|(?:2[0-4]|1\d|[1-9])?\d)(?:\.|\b)){4}'
    condition: selection_img and 1 of selection_ip_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessName endswith "\\ping.exe" or TargetProcessName endswith "\\arp.exe") and ((TargetProcessCommandLine contains " 0x" or TargetProcessCommandLine contains "//0x" or TargetProcessCommandLine contains ".0x" or TargetProcessCommandLine contains ".00x") or (TargetProcessCommandLine contains "http://%" and TargetProcessCommandLine contains "%2e") or (TargetProcessCommandLine matches regex "https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}" or TargetProcessCommandLine matches regex "https?://[0-9]{1,3}\\.0[0-9]{3,7}" or TargetProcessCommandLine matches regex "https?://0[0-9]{3,11}" or TargetProcessCommandLine matches regex "https?://(?:0[0-9]{1,11}\\.){3}0[0-9]{1,11}" or TargetProcessCommandLine matches regex "https?://0[0-9]{1,11}" or TargetProcessCommandLine matches regex " [0-7]{7,13}")) and (not(TargetProcessCommandLine matches regex "https?://(?:(?:25[0-5]|(?:2[0-4]|1\\d|[1-9])?\\d)(?:\\.|\\b)){4}"))

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml