Detect Command Obfuscation in Google Chronicle
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation makes strings and patterns within commands and scripts more difficult to signature and analyze. Techniques include: Base64 encoding, string splitting ('Wor'+'d.Application'), character reordering with rev, caret insertion (p^o^w^e^r^s^h^e^l^l), environment variable substitution (%COMSPEC%), directory traversal to binary paths, XOR encryption, and ROT13. Tools like Invoke-Obfuscation and Invoke-DOSfuscation automate obfuscation. Adversaries including APT32, APT29, MuddyWater, Kimsuky, QakBot, FIN6, Wizard Spider, Cobalt Group, and many ransomware operators use command obfuscation extensively.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1027 Obfuscated Files or Information
- Sub-technique
- T1027.010 Command Obfuscation
- Canonical reference
- https://attack.mitre.org/techniques/T1027/010/
YARA-L Detection Query
rule t1027_010_command_obfuscation {
meta:
author = "Argus Detection Engineering"
description = "Detects command obfuscation techniques (T1027.010) via caret insertion, Base64 encoding, string splitting, Invoke-Expression, and environment variable substitution in Windows process command lines"
severity = "HIGH"
priority = "HIGH"
mitre_attack_tactic = "Defense Evasion"
mitre_attack_technique = "T1027.010"
reference = "https://attack.mitre.org/techniques/T1027/010/"
created = "2026-04-13"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
$e.principal.process.file.full_path = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe)$/
(
$e.target.process.command_line = /(?i)(\^[a-zA-Z0-9]){3,}/
or $e.target.process.command_line = /(?i)(`[a-zA-Z0-9]){3,}/
or $e.target.process.command_line = /(?i)(-encodedcommand|-enc\s|-ec\s)/
or $e.target.process.command_line = /(?i)(\[convert\]::frombase64|frombase64string)/
or $e.target.process.command_line = /(?i)(invoke-expression|iex\(|iex\s)/
or $e.target.process.command_line = /(?i)(%comspec%|%systemroot%|%windir%)/
or $e.target.process.command_line = /(?i)(\[char\])/
or $e.target.process.command_line = /('[a-z]{2,}'\s*\+\s*'[a-z]{2,}')/
or $e.target.process.command_line = /(?i)(-bxor|-band|-bnot)/
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting T1027.010 command obfuscation patterns in process launch events. Covers caret and backtick obfuscation, Base64 encoded commands, Invoke-Expression, environment variable substitution, character array construction, string concatenation splitting, and XOR operations.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate PowerShell remoting sessions where WinRM passes -EncodedCommand payloads to remote endpoints as part of normal PSRemoting operation
- Azure automation runbooks and DSC configurations that serialize PowerShell code as Base64 for safe transport over management APIs
- Third-party endpoint management platforms (e.g., Tanium, BigFix) that dynamically build and encode command strings for cross-platform compatibility
Other platforms for T1027.010
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell Caret Obfuscation (Invoke-DOSfuscation Style)
Expected signal: Sysmon Event ID 1: cmd.exe with caret-obfuscated command line. The Sysmon CommandLine field will contain the raw obfuscated command. Security Event ID 4688 (if enabled) with the obfuscated command. PowerShell ScriptBlock Log will contain the deobfuscated 'Write-Host caret-obfuscation-test'.
- Test 2PowerShell String Splitting Obfuscation
Expected signal: Sysmon Event ID 1: powershell.exe with string splitting in command line. PowerShell ScriptBlock Log Event ID 4104: will show both the obfuscated and deobfuscated versions. The ScriptBlock log captures the assembled 'Invoke-Expression' call after string joining.
- Test 3Environment Variable Substring Extraction (cmd.exe Level Obfuscation)
Expected signal: Sysmon Event ID 1: cmd.exe with /V:ON flag (enables delayed variable expansion) and environment variable manipulation syntax. The !a:~0,7! syntax extracts a substring from the variable, demonstrating the character assembly obfuscation technique.
- Test 4Base64 Double-Encoding Obfuscation
Expected signal: Sysmon Event ID 1: first powershell.exe with -Command flag and Base64 operations. Sysmon Event ID 1: second powershell.exe with -EncodedCommand flag. PowerShell ScriptBlock Log Event ID 4104: two entries — the outer decoder and the inner decoded command.
References (6)
- https://attack.mitre.org/techniques/T1027/010/
- https://github.com/danielbohannon/Invoke-Obfuscation
- https://github.com/danielbohannon/Invoke-DOSfuscation
- https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
- https://redcanary.com/threat-detection-report/techniques/powershell/
- https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1
Unlock Pro Content
Get the full detection package for T1027.010 including response playbook, investigation guide, and atomic red team tests.