MaxPatrol SIEM

Detects cyber incidents that undermine a company's cyber resilience

T1027.010: Command Obfuscation

Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., Phishing and Drive-by Compromise) or interactively via Command and Scripting Interpreter.

For example, adversaries may abuse syntax that utilizes various symbols and escape characters (such as spacing, ^, +, $, and %) to make commands difficult to analyze while maintaining the same intended functionality. Many languages support built-in obfuscation in the form of base64 or URL encoding. Adversaries may also manually implement command obfuscation via string splitting (“Wor”+“d.Application”), order and casing of characters (rev <<<'dwssap/cte/ tac'), globbing (mkdir -p '/tmp/:&$NiA'), as well as various tricks involving passing strings through tokens/environment variables/input streams.

Adversaries may also use tricks such as directory traversals to obfuscate references to the binary being invoked by a command (C:\voi\pcw\..\..\Windows\tei\qs\k\..\..\..\system32\erool\..\wbem\wg\je\..\..\wmic.exe shadowcopy delete).

Tools such as Invoke-Obfuscation and Invoke-DOSfucation have also been used to obfuscate commands.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_execution: PT-CR-581: Execute_Encoded_Powershell: Starting a PowerShell process or a Base64-encoded command is detected
mitre_attck_execution: PT-CR-1087: Dangerous_Command_Usage: An attempt to execute a potentially dangerous command is detected
mitre_attck_lateral_movement: PT-CR-1372: Remote_SSP_Dump: The use of a script from a modified Impacket toolkit is detected, which allows the lsass process memory to be dumped remotely.
mitre_attck_command_and_control: PT-CR-845: Download_via_Encoded_Powershell: A user downloaded payload via an encoded PowerShell command
mitre_attck_defense_evasion: PT-CR-936: Obfuscated_Powershell: The usage of known obfuscation techniques in PowerShell scripts is detected
hacking_tools: PT-CR-2332: Atexec_Activity: The AtExec tool designed to run commands using scheduled Windows tasks was used
hacking_tools: PT-CR-750: Cobalt_Strike_Powershell_Payload_Delivery: A payload download using an encoded PowerShell command is detected
unix_mitre_attck_defense_evasion: PT-CR-1022: Unix_Suspicious_Emodji_Cmdline: Starting a process with an emoji in the start command, possibly to obfuscate the code and create a bind or reverse shell

Detection

ID: DS0022
Data source and component: File: File Metadata
Description:

Scripts containing obfuscated content may have higher entropy of characters/strings.

ID: DS0012
Data source and component: Script: Script Execution
Description:

Monitor executed scripts for indicators of obfuscation and potentially suspicious command syntax, such as uninterpreted escape characters (e.g., ^).

Also monitor commands within scripts for syntax-specific signs of obfuscation, such as encoded or otherwise unreadable blobs of characters.

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., ^).

Also monitor command-lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding.
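The three data-source checks above (token entropy, uninterpreted ^ escapes, encoding-related arguments, plus the string-splitting pattern from the technique description) can be combined into one command-line scorer. The following is an added example written for this page, not a MaxPatrol SIEM rule or code from Positive Technologies; the thresholds, indicator names and sample command lines are constructed assumptions.

```python
import base64
import math
import re
from collections import Counter

# Thresholds are assumptions for this example, not values taken from MaxPatrol SIEM rules.
CARET_MIN = 3        # uninterpreted cmd.exe ^ escapes before the line is flagged
ENTROPY_MIN = 4.8    # bits per character for a single long token
TOKEN_MIN_LEN = 20   # shorter tokens are not entropy-scored (paths and flags are short)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...); the 40+ char base64 argument disambiguates it from e.g. -ExecutionPolicy.
ENC_ARG = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{40,})")
# A quoted fragment followed by '+' and another quote: "Wor"+"d.Application" style splitting.
CONCAT = re.compile(r"""['"][^'"]*['"]\s*\+\s*(?=['"])""")


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def obfuscation_indicators(cmdline: str) -> list:
    """Names of the indicators from the detection guidance that fire on one command line."""
    hits = []
    if cmdline.count("^") >= CARET_MIN:
        hits.append("caret_escapes")
    if ENC_ARG.search(cmdline):
        hits.append("encoded_command")
    if len(CONCAT.findall(cmdline)) >= 2:
        hits.append("string_splitting")
    # -EncodedCommand blobs are base64 of UTF-16LE, whose zero bytes depress entropy, so the entropy check alone would miss them; ENC_ARG covers that case.
    if any(len(t) >= TOKEN_MIN_LEN and shannon_entropy(t) >= ENTROPY_MIN for t in cmdline.split()):
        hits.append("high_entropy_token")
    return hits


# Constructed sample command lines for this example (not taken from any real log).
ENCODED_HELLO = base64.b64encode("Write-Host hello".encode("utf-16-le")).decode()
SAMPLE_COMMANDS = {
    "benign": r"C:\Windows\System32\cmd.exe /c dir C:\Users\alice\Documents",
    "caret": "cmd.exe /c w^h^o^a^m^i ^&^& h^o^s^t^n^a^m^e",
    "encoded": f"powershell.exe -NoProfile -w hidden -enc {ENCODED_HELLO}",
    "split": """powershell -c "$o=New-Object -ComObject ('Wor'+'d.Appl'+'ication')" """,
    "entropy": "cmd.exe /c echo abcdefghijklmnopqrstuvwxyz0123456789ABCDEF",
}

if __name__ == "__main__":
    for name, cmd in SAMPLE_COMMANDS.items():
        print(f"{name:8s} -> {obfuscation_indicators(cmd) or 'clean'}")
```

Mixed-case Windows paths already score around 4.2 bits per character, so the entropy threshold needs tuning against your own baseline before the indicator is used for alerting rather than enrichment.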

Mitigation

ID: M1040
Name: Behavior Prevention on Endpoint
Description:

On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.

ID: M1049
Name: Antivirus/Antimalware
Description:

Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted.