T1027.010 Command Obfuscation Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let ObfuscationPatterns = dynamic([
  "^p^o^w^e^r", "^c^m^d", "^w^s^c^r^i^p^t",
  "`p`o`w`e`r", "`c`m`d",
  "po`w`er", "po^w^er",
  "\"cmd\"", "\"powershell\"",
  "eNVComspec", "%COMSPEC%",
  "[char]", "[Convert]::FromBase64",
  "iex(", "iex (",
  "Invoke-Expression",
  "$env:ComSpec"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
| where ProcessCommandLine has_any (ObfuscationPatterns)
    or ProcessCommandLine matches regex @"(\^[a-zA-Z0-9]\^[a-zA-Z0-9]){3,}"
    or ProcessCommandLine matches regex @"[\"\'][a-z]{2,4}[\"\'][\+\s]+[\"\'][a-z]{2,4}[\"\'][\+\s]+"
| extend CaretObfuscation = ProcessCommandLine matches regex @"(\^[a-zA-Z0-9]\^[a-zA-Z0-9]){3,}"
| extend StringSplitting = ProcessCommandLine matches regex @"[\"\'][a-z]{2,}[\"\'][\+\s]+[\"\'][a-z]+[\"\'\
]"
| extend Base64Encoded = ProcessCommandLine has_any ("[Convert]::FromBase64", "EncodedCommand", "-enc ")
| extend InvokeExpr = ProcessCommandLine has_any ("iex(", "Invoke-Expression")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, CaretObfuscation, StringSplitting, Base64Encoded, InvokeExpr
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate Base64 encoding in PowerShell for handling binary data in scripts, such as certificate operations or data serialization
IT automation scripts using Invoke-Expression to evaluate dynamically-constructed commands for valid operational reasons
String concatenation patterns in legitimate PowerShell scripts where variable names or paths are assembled from components
Log parsing scripts that process logs containing caret or special characters

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe"
   OR Image="*\\wscript.exe" OR Image="*\\cscript.exe")
| eval cmdline=CommandLine
| eval CaretObfusc=if(match(cmdline, "(\^[a-zA-Z0-9]){3,}"), 1, 0)
| eval Base64Obfusc=if(match(lower(cmdline), "(-encodedcommand|-enc\s|-ec\s|frombase64|[convert])"), 1, 0)
| eval InvokeExpr=if(match(lower(cmdline), "(invoke-expression|iex\(|iex\s)"), 1, 0)
| eval XORObfusc=if(match(lower(cmdline), "(-bxor|-band|-bnot|xor\s+0x)"), 1, 0)
| eval EnvVarSubst=if(match(cmdline, "(%comspec%|%systemroot%|%windir%).*cmd\|powershell"), 1, 0)
| eval StringSplit=if(match(cmdline, "'[a-z]+'\s*\+\s*'[a-z]+'"), 1, 0)
| eval ObfuscScore=CaretObfusc+Base64Obfusc+InvokeExpr+XORObfusc+EnvVarSubst+StringSplit
| where ObfuscScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ObfuscScore,
        CaretObfusc, Base64Obfusc, InvokeExpr, XORObfusc, StringSplit
| sort - ObfuscScore

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate PowerShell scripts using Base64 for data handling in IT automation tools (Ansible, Chef, Puppet)
Software deployment scripts that encode parameters for transmission across management interfaces
Security monitoring scripts that use Invoke-Expression to evaluate dynamic queries
Database administrators using PowerShell string concatenation for dynamic SQL queries

Elastic Security (EQL)

eql

process where event.type == "start"
  and process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
  and (
    process.command_line like~ "*^?^?^*"
    or process.command_line like~ "*`?`?`*"
    or process.command_line like~ "*[Convert]::FromBase64*"
    or process.command_line like~ "*-EncodedCommand*"
    or process.command_line like~ "*-enc *"
    or process.command_line like~ "*iex(*"
    or process.command_line like~ "*Invoke-Expression*"
    or process.command_line like~ "*%COMSPEC%*"
    or process.command_line like~ "*[char]*"
    or process.command_line regex~ "(\^[a-zA-Z0-9]){3,}"
    or process.command_line regex~ "'[a-z]{2,4}'\s*\+\s*'[a-z]{2,4}'"
  )

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint)

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate administrative PowerShell scripts that use -EncodedCommand for long command strings in scheduled tasks or remote management tools like Ansible/SCCM
Security tooling and EDR agents that internally invoke encoded commands for telemetry or response actions
Developer toolchains (e.g., build scripts, CI runners) that dynamically construct command strings using string concatenation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "HOSTNAME" AS host,
  "Process Name" AS process_name,
  "Command" AS command_line,
  CASE WHEN REGEXP_MATCH("Command", '(\^[a-zA-Z0-9]){3,}') THEN 1 ELSE 0 END AS caret_obfusc,
  CASE WHEN LOWER("Command") LIKE '%-encodedcommand%' OR LOWER("Command") LIKE '%-enc %' OR LOWER("Command") LIKE '%frombase64%' THEN 1 ELSE 0 END AS base64_obfusc,
  CASE WHEN LOWER("Command") LIKE '%invoke-expression%' OR LOWER("Command") LIKE '%iex(%' OR LOWER("Command") LIKE '%iex (%' THEN 1 ELSE 0 END AS invoke_expr,
  CASE WHEN "Command" LIKE '%%comspec%%' OR "Command" LIKE '%%systemroot%%' THEN 1 ELSE 0 END AS env_var_subst,
  CASE WHEN REGEXP_MATCH("Command", '''[a-z]+''\s*\+\s*''[a-z]+''') THEN 1 ELSE 0 END AS string_split
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 14, 15)
  AND QIDNAME(qid) IN ('Process Create', 'Sysmon Process Create', 'Windows Security Process Creation')
  AND ("Process Name" LIKE '%cmd.exe' OR "Process Name" LIKE '%powershell.exe' OR "Process Name" LIKE '%pwsh.exe' OR "Process Name" LIKE '%wscript.exe' OR "Process Name" LIKE '%cscript.exe')
  AND (
    REGEXP_MATCH("Command", '(\^[a-zA-Z0-9]){3,}')
    OR LOWER("Command") LIKE '%-encodedcommand%'
    OR LOWER("Command") LIKE '%-enc %'
    OR LOWER("Command") LIKE '%frombase64%'
    OR LOWER("Command") LIKE '%invoke-expression%'
    OR LOWER("Command") LIKE '%iex(%'
    OR "Command" LIKE '%%comspec%%'
    OR REGEXP_MATCH("Command", '''[a-z]+''\s*\+\s*''[a-z]+''')
    OR LOWER("Command") LIKE '%[char]%'
  )
LAST 24 HOURS
ORDER BY starttime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log (WinCollect) Sysmon via WinCollect or Universal DSM

Required Tables

events

False Positives

Automated deployment systems using encoded PowerShell commands to pass configuration payloads through remote execution frameworks
Legitimate IT management tools (e.g., ConnectWise, Kaseya) that encode inline scripts for transmission to endpoints
Red team and penetration testing engagements using Invoke-Obfuscation or Invoke-DOSfuscation in authorized scope

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* OR _sourceCategory=*wineventlog*security*
| where EventID in ("1", "4688")
| json field=_raw "CommandLine" as command_line nodrop
| json field=_raw "Image" as image nodrop
| json field=_raw "NewProcessName" as new_process_name nodrop
| where (
    matches(image, "(?i).*(cmd|powershell|pwsh|wscript|cscript)\.exe$")
    or matches(new_process_name, "(?i).*(cmd|powershell|pwsh|wscript|cscript)\.exe$")
  )
| where !isNull(command_line)
| eval caret_obfusc = if(matches(command_line, "(\\^[a-zA-Z0-9]){3,}"), 1, 0)
| eval base64_obfusc = if(
    matches(toLowerCase(command_line), "(-encodedcommand|-enc\\s|-ec\\s|frombase64|\\[convert\\])"),
    1, 0)
| eval invoke_expr = if(
    matches(toLowerCase(command_line), "(invoke-expression|iex\\(|iex\\s)"),
    1, 0)
| eval env_var_subst = if(matches(command_line, "(%comspec%|%systemroot%|%windir%)"), 1, 0)
| eval string_split = if(matches(command_line, "'[a-z]+'\\s*\\+\\s*'[a-z]+'"), 1, 0)
| eval xor_obfusc = if(matches(toLowerCase(command_line), "(-bxor|-band|-bnot|xor\\s+0x)"), 1, 0)
| eval obfusc_score = caret_obfusc + base64_obfusc + invoke_expr + env_var_subst + string_split + xor_obfusc
| where obfusc_score > 0
| fields _messageTime, Computer, User, image, new_process_name, command_line, obfusc_score,
         caret_obfusc, base64_obfusc, invoke_expr, env_var_subst, string_split, xor_obfusc
| sort by obfusc_score desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon via Installed Collector Windows Security Event Log via Installed Collector

Required Tables

_sourceCategory=*windows*sysmon* _sourceCategory=*wineventlog*security*

False Positives

Software installers and package managers that wrap PowerShell commands with encoding to handle special characters in file paths or product keys
Group Policy preferences and login scripts that use environment variable substitution (%COMSPEC%, %WINDIR%) as a standard practice
Monitoring agents and backup software that call encoded PowerShell for privileged operations under service accounts

Google Chronicle / SecOps

yaral

rule t1027_010_command_obfuscation {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects command obfuscation techniques (T1027.010) via caret insertion, Base64 encoding, string splitting, Invoke-Expression, and environment variable substitution in Windows process command lines"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.010"
    reference = "https://attack.mitre.org/techniques/T1027/010/"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe)$/
    (
      $e.target.process.command_line = /(?i)(\^[a-zA-Z0-9]){3,}/
      or $e.target.process.command_line = /(?i)(`[a-zA-Z0-9]){3,}/
      or $e.target.process.command_line = /(?i)(-encodedcommand|-enc\s|-ec\s)/
      or $e.target.process.command_line = /(?i)(\[convert\]::frombase64|frombase64string)/
      or $e.target.process.command_line = /(?i)(invoke-expression|iex\(|iex\s)/
      or $e.target.process.command_line = /(?i)(%comspec%|%systemroot%|%windir%)/
      or $e.target.process.command_line = /(?i)(\[char\])/
      or $e.target.process.command_line = /('[a-z]{2,}'\s*\+\s*'[a-z]{2,}')/
      or $e.target.process.command_line = /(?i)(-bxor|-band|-bnot)/
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Google Chronicle Forwarder (Windows Sysmon) Chronicle Unified Data Model (UDM)

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Legitimate PowerShell remoting sessions where WinRM passes -EncodedCommand payloads to remote endpoints as part of normal PSRemoting operation
Azure automation runbooks and DSC configurations that serialize PowerShell code as Base64 for safe transport over management APIs
Third-party endpoint management platforms (e.g., Tanium, BigFix) that dynamically build and encode command strings for cross-platform compatibility

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe)$/
| CommandLine = /./
| eval caret_obfusc = if(match(CommandLine, /(\^[a-zA-Z0-9]){3,}/), 1, 0)
| eval backtick_obfusc = if(match(CommandLine, /(`[a-zA-Z0-9]){3,}/), 1, 0)
| eval base64_obfusc = if(match(lower(CommandLine), /(-encodedcommand|-enc\s|-ec\s|frombase64|\[convert\])/), 1, 0)
| eval invoke_expr = if(match(lower(CommandLine), /(invoke-expression|iex\(|iex\s)/), 1, 0)
| eval env_var_subst = if(match(CommandLine, /(%comspec%|%systemroot%|%windir%)/i), 1, 0)
| eval string_split = if(match(CommandLine, /'[a-z]{2,}'\s*\+\s*'[a-z]{2,}'/), 1, 0)
| eval xor_obfusc = if(match(lower(CommandLine), /(-bxor|-band|-bnot|xor\s+0x)/), 1, 0)
| eval char_construct = if(match(CommandLine, /\[char\]/i), 1, 0)
| eval obfusc_score = caret_obfusc + backtick_obfusc + base64_obfusc + invoke_expr + env_var_subst + string_split + xor_obfusc + char_construct
| where obfusc_score > 0
| table(["@timestamp", ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName,
         obfusc_score, caret_obfusc, backtick_obfusc, base64_obfusc, invoke_expr,
         env_var_subst, string_split, xor_obfusc, char_construct])
| sort(field=obfusc_score, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon LogScale (Humio) Falcon ProcessRollup2 event stream

Required Tables

ProcessRollup2

False Positives

CrowdStrike RTR (Real Time Response) scripts that administrators run interactively may contain encoded payloads or Invoke-Expression calls as part of legitimate incident response actions
Software packaging tools and MSI wrappers that call PowerShell with -EncodedCommand to execute embedded post-install configuration scripts
Vulnerability scanners and compliance assessment tools (e.g., Tenable, Qualys agents) that invoke encoded PowerShell for WMI-based host inventory collection

Command Obfuscation

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections