Full Report
A new open-source and cross-platform tool called Tirith can detect homoglyph attacks in command-line environments by analyzing URLs in typed commands and stopping their execution. [...]
Analysis Summary
# Tool/Technique: Tirith
## Overview
Tirith is a new open-source and cross-platform tool designed to detect and stop homoglyph attacks, terminal injection attacks, and other command-line based deceptive threats by analyzing URLs within typed commands before execution.
## Technical Details
- Type: Tool
- Platform: Cross-platform (Windows, Linux, macOS, supporting bash, zsh, fish, and PowerShell shells)
- Capabilities: Detects homoglyph URLs, analyzes shell injection patterns (such as pipe-to-shell), checks for insecure transport, inspects dotfile hijacking attempts, and audits executed scripts via SHA-256. All analysis is performed locally, with sub-millisecond overhead.
- First Seen: February 2026 (based on article date)
## MITRE ATT&CK Mapping
This tool directly defends against several techniques, primarily focused on the initial execution and defense evasion phases:
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.003 - Phishing: Spearphishing Link (Specifically for URL-based homoglyph attacks reaching the command line)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (Relevant to misdirection via Unicode/homoglyphs)
- **TA0012 - Command and Control**
- T1071 - Application Layer Protocol (Defending against connections to malicious domains disguised via homoglyphs)
## Functionality
### Core Capabilities
* **Homoglyph Detection:** Analyzes URLs in typed commands for Unicode lookalike characters, punycode, and mixed scripts that appear identical to legitimate domains but resolve differently.
* **Terminal Injection Prevention:** Detects and blocks commands containing suspicious elements like ANSI escapes, Bidi overrides, and zero-width characters often used in terminal injection attacks (e.g., ClickFix).
* **Shell Hooking:** Hooks into supported user shells (zsh, bash, fish, PowerShell) to intercept and inspect commands right before execution.
* **Local and Fast Analysis:** Performs all analysis locally without network calls, achieving sub-millisecond overhead.
### Advanced Features
* **Threat Pattern Blocking:** Specifically blocks pipe-to-shell patterns (`curl | bash`, `wget | sh`, `eval $(…)`) and checks for insecure transport (HTTP to shell).
* **Dotfile Hijacking Defense:** Scans for attempts to modify critical configuration files (e.g., `~/.bashrc`, `~/.ssh/authorized_keys`).
* **Supply-Chain Risk Auditing:** Assesses risks related to typosquatted Git repositories or untrusted Docker registries embedded in commands.
* **Credential Exposure Check:** Flags URLs that embed credentials in the userinfo component and warns about shortener links whose real destination is hidden.
* **Script Auditing:** Produces audit receipts for executed scripts, verified with SHA-256 hashes.
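To make the checks above concrete, here is an added example (not Tirith's own code) of a minimal pre-execution command checker: it extracts hostnames from URLs in a typed command and flags punycode labels and mixed-script (homoglyph) hosts, and it looks for the other signals the tool is described as catching: ANSI escapes, zero-width and Bidi control characters, pipe-to-shell, `eval $(…)`, and plain-HTTP fetches piped to a shell. Character sets, patterns and sample commands are constructed for the example.

```python
import re
import unicodedata

# Constructed character classes: invisible code points and Bidi controls that
# can hide or reorder what a pasted command really does.
HIDDEN = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
BIDI = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
        "\u2066", "\u2067", "\u2068", "\u2069"}
ANSI = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")          # CSI escape sequences
URL = re.compile(r"(?i)\b(https?)://([^\s/:'\"]+)")        # (scheme, host)
PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(ba|z|k|da)?sh\b")
FETCH = re.compile(r"\b(curl|wget)\b")
EVAL_SUBST = re.compile(r"\beval\s+[\"']?\$\(")

def script_of(ch):
    """First word of the Unicode character name, e.g. 'LATIN' or 'CYRILLIC'."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def check_host(host):
    """Homoglyph indicators for one hostname: punycode labels, mixed scripts."""
    findings = []
    if any(label.lower().startswith("xn--") for label in host.split(".")):
        findings.append(f"punycode label in host {host!r}")
    scripts = {script_of(c) for c in host if c.isalpha()}
    if len(scripts) > 1:
        findings.append(f"mixed scripts {sorted(scripts)} in host {host!r}")
    return findings

def analyze(cmd):
    """Return the reasons to block cmd; an empty list means it looks clean."""
    findings = []
    if ANSI.search(cmd):
        findings.append("ANSI escape sequence in command")
    if any(c in HIDDEN for c in cmd):
        findings.append("zero-width or invisible character in command")
    if any(c in BIDI for c in cmd):
        findings.append("Bidi override character in command")
    piped = PIPE_TO_SHELL.search(cmd) is not None
    for scheme, host in URL.findall(cmd):
        findings += check_host(host)
        if scheme.lower() == "http" and piped:
            findings.append(f"insecure transport: http://{host} piped to a shell")
    if FETCH.search(cmd) and piped:
        findings.append("pipe-to-shell pattern (curl/wget | sh)")
    if EVAL_SUBST.search(cmd):
        findings.append("eval of a command substitution")
    return findings

if __name__ == "__main__":
    for line in ["echo hello", "curl -fsSL http://example.com/install.sh | bash"]:
        print(line, "->", analyze(line) or "clean")
```

A real shell hook would call `analyze()` from a preexec-style hook and refuse to run the command when the list is non-empty.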
## Indicators of Compromise
* File Hashes: N/A (Tool analysis focuses on *preventing* the execution of malicious inputs, not analyzing existing malware artifacts.)
* File Names: N/A
* Registry Keys: N/A
* Network Indicators: N/A (Tirith performs analysis locally and makes no network calls.)
* Behavioral Indicators: Pre-execution interception of commands containing hidden Unicode characters, ANSI escapes, or pipe-to-shell structures in supported shells.
## Associated Threat Actors
* No specific threat actors were named as using Tirith itself; it is a defensive tool created by the author "Sheeki" to combat broad attack types like ClickFix attacks and phishing campaigns that employ homoglyphs.
## Detection Methods
* This section primarily applies to detecting the *use* of Tirith, or detecting the *attacks Tirith blocks*.
* Signature-based detection: Not applicable for a defensive tool unless signatures for its installation or behavior are identified.
* Behavioral detection: Monitoring for hooks being placed on shell processes (zsh, bash, fish, PowerShell) to intercept standard input/command execution.
* YARA rules: Not applicable based on the provided context.
## Mitigation Strategies
* **Prevention:** Deploy and configure Tirith within command-line environments (Linux, macOS, Windows with PowerShell) to intercept deceptive inputs.
* **Hardening Recommendations:** Users should be trained on identifying homoglyph domains and suspicious command structures, though Tirith automates much of this protection. Note that Tirith does **not** hook `cmd.exe` on Windows, necessitating additional awareness for users relying on the legacy command prompt.
## Related Tools/Techniques
* **Homoglyph Attacks:** As seen in past phishing campaigns impersonating brands like Booking.com.
* **ClickFix Attacks:** Mentioned as an attack type that relies on users executing hidden or malicious commands in the terminal.
* **Browser/Security Solutions:** Solutions implemented in web browsers to prevent homoglyph exploitation in URLs.