Keypoints:
- Adversaries modify command syntax to avoid signature detection using escapes, spacing, and special characters.
- Built-in encodings like base64 and URL encoding are commonly abused to hide payloads.
- String splitting, concatenation, and altered casing reconstruct commands at runtime.
- Directory traversal and path obfuscation hide which binary is actually executed.
- Public obfuscation tools (Invoke-Obfuscation, Invoke-DOSfucation) automate complex command hiding.
Description:
- Like speaking in riddles, command obfuscation hides a clear message inside noise so only the intended listener can reconstruct the meaning.
- Attackers transform commands using encodings, escapes, token substitution, and path tricks so malicious actions run while signatures and simple parsing fail; this enables stealthy execution and complicates detection and response.
Detection:
- Monitor command execution logs (PowerShell, bash, cmd) for long encoded strings or repeated use of base64 or URL (percent) encoding; flag high-entropy or non-printable sequences.
- Inspect process command-line arguments for unusual escape characters (^, %, $, +), excessive spacing, concatenation operators, or repeated token substitution patterns.
- Use endpoint telemetry to capture full script content and intermediate decoded forms; apply dynamic decoding (base64, URL decode) to reveal hidden payloads before signature matching.
- Correlate suspicious commands with parent process, user context, and creation times; commands run by unusual parents or at odd hours raise the likelihood that the obfuscation is malicious.
- Watch file metadata and script execution events for use of known obfuscation tool names (Invoke-Obfuscation, Invoke-DOSfucation) and uncommon script packers; block or quarantine known tool binaries where possible.
- Be aware of common false positives: legitimate tooling may use encoding or quoting; validate by checking destination endpoints, subsequent network connections, and file drops to prioritize alerts.
- Hunt proactively with detections that normalize commands (remove escapes, resolve env vars, decode strings) and then apply behavioral rules; log decoded variants and build playbooks to capture and analyze reconstructed commands.
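The normalize-then-decode step described above, as an added example that is not part of the original page: it strips cmd.exe caret escapes, reassembles 'a'+'b' string concatenation, decodes a base64 UTF-16LE -EncodedCommand payload, and reports structural indicators before any behavioural rule runs. The accepted -EncodedCommand prefixes, the entropy threshold and the sample command lines are assumptions constructed for the example, not captured telemetry.

```python
import base64
import math
import re

# Prefixes PowerShell accepts for -EncodedCommand (subset, assumed sufficient here).
ENC_RE = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\b\s+([A-Za-z0-9+/=]{8,})", re.I)
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")  # 'a'+'b' reassembly

def shannon_entropy(s: str) -> float:
    """Bits per character; long high-entropy tokens hint at encoded or packed data."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def decode_encoded_command(cmd: str):
    """Decode a base64 UTF-16LE -EncodedCommand payload; None if absent or malformed."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: still alert-worthy, but nothing to decode

def normalize(cmd: str) -> str:
    """Strip caret escapes, merge 'a'+'b' concatenation, collapse whitespace, lower-case."""
    cmd = cmd.replace("^", "")
    while CONCAT_RE.search(cmd):  # each pass removes one '+', so this terminates
        cmd = CONCAT_RE.sub(lambda m: f"'{m.group(1)}{m.group(2)}'", cmd, count=1)
    return re.sub(r"\s+", " ", cmd).strip().lower()

def indicators(cmd: str) -> list:
    """Structural obfuscation signs, judged before looking at what the command does."""
    found = []
    if cmd.count("^") >= 2:
        found.append("caret-escapes")
    if CONCAT_RE.search(cmd):
        found.append("string-concat")
    if decode_encoded_command(cmd) is not None:
        found.append("encoded-command")
    if any(len(t) > 40 and shannon_entropy(t) > 4.5 for t in cmd.split()):
        found.append("high-entropy-token")
    return found

# Constructed sample command lines (not captured telemetry).
ENCODED = base64.b64encode("Write-Output 'decoded payload'".encode("utf-16le")).decode()
SAMPLE_ENCODED = f"powershell -nop -w hidden -EncodedCommand {ENCODED}"
SAMPLE_CARET = 'cmd /c p^o^w^e^r^s^h^e^l^l -c "Write-Output test"'
SAMPLE_CONCAT = "powershell -c ('Wri'+'te-Ou'+'tput') 'x'"
```

Log both the raw command line and the `normalize()` output so that a later signature or behavioural rule can match the reconstructed form, and treat a malformed encoded blob (decode returns None) as an alert in its own right.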
Tactics:
Defense Evasion
Platforms:
Linux, Windows, macOS
Data Sources:
Command: Command Execution, File: File Metadata, Script: Script Execution