Adding character(s) to Command Line processing
2024-1-13 07:39:35 Author: www.hexacorn.com

In my old post about certutil I mentioned that it accepts a number of lesser-known Unicode characters passed to its command line. PowerShell accepting a number of Unicode characters representing “-” and its variations is a very well-known fact too.

What’s new? You may ask…

Processing the command line was never easy. All Operating Systems, their various shells as well as many command line tools come with their own command line parsing ideas and quirks, but, I bet, whoever designed many of these command line argument parsers didn’t really see the Unicode character set coming…

In recent years we moved away from a simple world of “-”, “--”, and “/” as command/option switches towards the world that is well… kinda developing now.

In 2024 we have a number of popular Windows programs that accept a lot of Unicode characters as ‘special’:

  • \t (Unicode 0x0009) – <Character Tabulation> (HT, TAB) // \t needs to be interpreted
  • \n (Unicode 0x000A) – <End of Line> (EOL, LF, NL) // \n needs to be interpreted
  • \r (Unicode 0x000D) – <Carriage Return> (CR) // \r needs to be interpreted
  • " " (Unicode 0x0020) – Space (SP) // ignore quotes
  • " (Unicode 0x0022) – Quotation Mark
  • ' (Unicode 0x0027) – Apostrophe
  • - (Unicode 0x002D) – Hyphen-Minus
  • / (Unicode 0x002F) – Solidus, slash, forward slash
  • – (Unicode 0x0096 – mapped to 0xFB in codepage 437)
  • " " (Unicode 0x00A0) – No-Break Space (NBSP) // ignore quotes
  • – (Unicode 0x2013) – En Dash
  • — (Unicode 0x2014) – Em Dash
  • “ (Unicode 0x201C) – Left Double Quotation Mark
  • ” (Unicode 0x201D) – Right Double Quotation Mark
  • " " (Unicode 0x202F) – Narrow No-Break Space (NNBSP) // ignore quotes
  • − (Unicode 0x2212) – Minus Sign
  • and possibly more

While not all programs accept these yet, we can already list a few that actually do:

  • certutil.exe
  • powershell.exe
  • pwsh.exe
  • certreq.exe
  • conhost.exe

You may ask… what’s the big deal?

Well, the big deal is that many assumptions about how command line arguments are passed to programs have shaped a whole industry of detection engineering that is obsessively fixated on “recognizable command line patterns”.

These Unicode characters break a lot of these assumptions…
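
For detection pipelines, one countermeasure is to fold these characters to their ASCII equivalents before any pattern is applied, and to record which unusual code points were present. The sketch below is an added example, not code from the original post; the grouping of code points into dash-like, quote-like and space-like sets, the `analyze` helper and the sample command lines are assumptions made for illustration.

```python
import re

# Code points from the list in the post. Folding each group to one ASCII
# character is an assumption of this example, not documented tool behaviour.
DASH_LIKE = "\u0096\u2013\u2014\u2212"
QUOTE_LIKE = "\u201c\u201d"
SPACE_LIKE = "\t\n\r\u00a0\u202f"

FOLD = str.maketrans({
    **{c: "-" for c in DASH_LIKE},
    **{c: '"' for c in QUOTE_LIKE},
    **{c: " " for c in SPACE_LIKE},
})

# A switch as ASCII-only detection patterns usually expect it:
# an ASCII space followed by "-" or "/" and the option name.
SWITCH = re.compile(r" [-/]([A-Za-z][A-Za-z0-9]*)")


def switches(cmdline):
    """Return lower-cased switch names found by the ASCII-only pattern."""
    return [name.lower() for name in SWITCH.findall(cmdline)]


def analyze(cmdline):
    """Compare what the pattern sees before and after folding."""
    folded = cmdline.translate(FOLD)
    unusual = sorted({f"U+{ord(c):04X}" for c in cmdline
                      if c in DASH_LIKE + QUOTE_LIKE + SPACE_LIKE})
    return {
        "folded": folded,
        "raw_switches": switches(cmdline),
        "folded_switches": switches(folded),
        "unusual_code_points": unusual,
    }


# Constructed sample command lines (not taken from real telemetry).
SAMPLES = [
    "certutil.exe -hashfile report.bin SHA256",
    "certutil.exe \u2013hashfile report.bin SHA256",
    "certutil.exe\u00a0\u2212hashfile \u201creport.bin\u201d SHA256",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(analyze(sample))
```

A non-empty `unusual_code_points` list on a command line for one of the programs named above is itself a useful signal, independent of whether any pattern matched.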


Article source: https://www.hexacorn.com/blog/2024/01/12/adding-characters-to-command-line-processing/