Adversaries may rename a host to an emoji or another non-ASCII string: such a name is hard to search for or type, and it can break scripts and tooling that assume ASCII hostnames. SOC teams should hunt for this in Microsoft Sentinel (formerly Azure Sentinel) to surface hosts whose names fall outside the expected character set, whether the cause is an attacker hiding a foothold or a bored user.
KQL Query
DeviceProcessEvents
| distinct DeviceName                      // one row per host seen in process telemetry
| extend fakeescape=replace("%5f", "_", replace("%2d", "-", url_encode(DeviceName)))
                                           // percent-encode the name, then restore '-' and '_' so ordinary hostnames round-trip unchanged
| where fakeescape != DeviceName           // anything still encoded (emoji, non-Latin letters, spaces) is a hit
id: 3e246f82-6a80-4cd3-8d4c-8afa2b7451d2
name: EmojiHunt
description: |
  Did you know you can use emojis in Windows?
  Read more here: https://davidzych.com/abusing-emoji-in-windows.
  Check out who in your organization has renamed his or her computer to a pizza or to a smiling poop.
  You might be amused by the results, or perhaps angry if one of your systems or scripts was broken by this...
  Note: this query will also return some machines with non-English characters that are not emojis.
  Credit for this query goes to miflower - thanks for bringing joy to our lives! :)
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | distinct DeviceName
  | extend fakeescape=replace("%5f", "_", replace("%2d", "-", url_encode(DeviceName)))
  | where fakeescape != DeviceName
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Benign scenarios that will show up as hits, with the exclusion to apply before `distinct DeviceName`. An exclusion for two values of the same field must be written `field != a AND field != b` (or `field !in (a, b)`); `field != a OR field != b` is true for every row and drops nothing. The field names below are generic; on DeviceProcessEvents the process is `FileName` (or `InitiatingProcessFileName` for its parent) and the user is `AccountName`. Because the query collapses to one row per host, dropping rows by process or account only removes a host when all of its rows match, so for hosts that are legitimately emoji-named an allow-list on `DeviceName` is the more robust exclusion.
Scenario: System Update Scheduled Job Renames Computer to "🍕" (Pizza Emoji)
Description: A scheduled task runs during system updates and renames the computer to a pizza emoji as part of a naming convention for easier identification.
Filter/Exclusion: process.name != "schtasks.exe" AND process.name != "wuauclt.exe"
Scenario: IT Admin Renames Server Using PowerShell for Documentation Purposes
Description: An admin uses PowerShell to rename a server to an emoji-prefixed name (e.g., an emoji followed by "-DB01") to denote it's a database server in a non-standard naming scheme.
Filter/Exclusion: process.name != "powershell.exe" OR user.name != "IT_Admin" (i.e., drop only rows where both match)
Scenario: User Renames Computer to an Emoji as a Personal Preference
Description: A user renames their personal workstation to an emoji-prefixed name (e.g., an emoji followed by "-Work") as a personal identifier or joke.
Filter/Exclusion: user.name != "User_Account" OR process.name != "explorer.exe" (i.e., drop only rows where both match)
Scenario: Backup Tool Renames Temporary Folder with Emoji for Clarity
Description: A backup tool (e.g., Veeam, Acronis) creates a temporary folder named with an emoji (e.g., an emoji followed by "-Backup") for easier recognition. Note that a folder name does not change DeviceName, so this scenario does not produce a hit for the query as written; it matters only if the hunt is extended to file or folder names.
Filter/Exclusion: process.name != "veeam.exe" AND process.name != "acronis.exe"
Scenario: Group Policy Object (GPO) Renames Computers Using Emoji for Department Identification
Description: A GPO is configured to rename computers in a department using emojis (e.g., an emoji followed by "-HR01") as part of a naming standard.
Filter/Exclusion: `event_id != 410 OR event_id != 411 OR event
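To see what the query's round-trip check does and does not catch, and why the form of the exclusion matters, here is an added Python replica of the logic (not part of the hunting query or of any Sentinel content) run over constructed sample rows. It assumes the DeviceProcessEvents column names DeviceName, FileName and AccountName; the host names, accounts and the emoji code-point ranges are illustrative assumptions.

```python
"""Offline replica of the EmojiHunt check over constructed sample rows.

Added example, not part of the hunting query or its YAML. Column names follow
the DeviceProcessEvents schema (DeviceName, FileName, AccountName); the rows
themselves are made up.
"""
from urllib.parse import quote

# Constructed sample of DeviceProcessEvents rows (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws-finance-01",          "FileName": "explorer.exe",   "AccountName": "alice"},
    {"DeviceName": "\U0001F355-DB01",        "FileName": "powershell.exe", "AccountName": "IT_Admin"},
    {"DeviceName": "\U0001F4A9",             "FileName": "cmd.exe",        "AccountName": "bob"},
    # Cyrillic "server-01": non-English letters, no emoji
    {"DeviceName": "\u0441\u0435\u0440\u0432\u0435\u0440-01", "FileName": "svchost.exe", "AccountName": "SYSTEM"},
    {"DeviceName": "build_agent.corp.local", "FileName": "schtasks.exe",   "AccountName": "SYSTEM"},
]


def kql_fakeescape(name: str) -> str:
    """Mirror of the KQL expression: percent-encode, then restore '-' and '_'.

    urllib's quote() never encodes letters, digits, '_', '.', '-' or '~', so the
    restore step is a no-op here; it is kept so the logic reads like the query.
    """
    return quote(name, safe="").replace("%5F", "_").replace("%2D", "-")


def url_encode_hit(name: str) -> bool:
    """True when encoding changed the name, i.e. it contains something outside
    A-Z a-z 0-9 . - _ ~ (emoji, but also accented or non-Latin letters)."""
    return kql_fakeescape(name) != name


# Approximate emoji code-point blocks (an assumption for illustration, not a
# full Unicode emoji classification): Misc Symbols/Dingbats plus the SMP
# blocks that hold most pictographs.
EMOJI_RANGES = ((0x2600, 0x27BF), (0x1F000, 0x1FAFF))


def has_emoji(name: str) -> bool:
    """Narrower check that separates emoji from ordinary non-English letters."""
    return any(lo <= ord(ch) <= hi for ch in name for lo, hi in EMOJI_RANGES)


def page_style_or_filter(row: dict, field: str, values: tuple) -> bool:
    """'field != a OR field != b': true for every row once two distinct values
    are listed, so it excludes nothing."""
    return any(row.get(field) != v for v in values)


def not_in_filter(row: dict, field: str, values: tuple) -> bool:
    """'field !in (a, b)': the exclusion the scenarios intend."""
    return row.get(field) not in values


def rows_kept(events, field, values, keep) -> int:
    """How many rows survive a keep-predicate; used to compare the two forms."""
    return sum(1 for r in events if keep(r, field, values))


def matches(row: dict, pattern: dict) -> bool:
    """Every field in the pattern equals the row's value (case-insensitive, like KQL's =~)."""
    return all(str(row.get(k, "")).lower() == v.lower() for k, v in pattern.items())


def hunt(events, exclusions=()) -> list:
    """Distinct hosts whose names fail the round-trip, after dropping rows that
    match any exclusion pattern. The exclusion is applied per row, before the
    distinct, which is where it has to sit in the KQL as well."""
    hits = set()
    for row in events:
        if any(matches(row, p) for p in exclusions):
            continue
        if url_encode_hit(row["DeviceName"]):
            hits.add(row["DeviceName"])
    return sorted(hits)


if __name__ == "__main__":
    for name in sorted({r["DeviceName"] for r in SAMPLE_EVENTS}):
        print(f"{name!r:30} url_encode_hit={url_encode_hit(name)!s:5} has_emoji={has_emoji(name)}")
    print("all hits:", hunt(SAMPLE_EVENTS))
    print("minus IT_Admin/PowerShell:",
          hunt(SAMPLE_EVENTS, exclusions=[{"FileName": "powershell.exe", "AccountName": "it_admin"}]))
```

The Cyrillic host is flagged by url_encode_hit but not by has_emoji, which is exactly the false positive the description warns about; if non-English hostnames make the hunt too noisy, a second filter on emoji code-point ranges (for example a regex on DeviceName) narrows it. rows_kept shows why the exclusion form matters: the `!= a OR != b` form keeps all five sample rows, while `!in` drops the scheduled-task row. Either way the exclusion has to be applied before `distinct DeviceName`, because `distinct` discards the process and account columns the exclusion needs.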