T1027.010 Elastic Security · Elastic

Detect Command Obfuscation in Elastic Security

Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation makes strings and patterns within commands and scripts more difficult to signature and analyze. Techniques include: Base64 encoding, string splitting ('Wor'+'d.Application'), character reordering with rev, caret insertion (p^o^w^e^r^s^h^e^l^l), environment variable substitution (%COMSPEC%), directory traversal to binary paths, XOR encryption, and ROT13. Tools like Invoke-Obfuscation and Invoke-DOSfuscation automate obfuscation. Adversaries including APT32, APT29, MuddyWater, Kimsuky, QakBot, FIN6, Wizard Spider, Cobalt Group, and many ransomware operators use command obfuscation extensively.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.010 Command Obfuscation
Canonical reference
https://attack.mitre.org/techniques/T1027/010/

Elastic Detection Query

Elastic Security (Elastic)
eql 
process where event.type == "start"
  and process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
  and (
    process.command_line like~ "*^?^?^*"
    or process.command_line like~ "*`?`?`*"
    or process.command_line like~ "*[Convert]::FromBase64*"
    or process.command_line like~ "*-EncodedCommand*"
    or process.command_line like~ "*-enc *"
    or process.command_line like~ "*iex(*"
    or process.command_line like~ "*Invoke-Expression*"
    or process.command_line like~ "*%COMSPEC%*"
    or process.command_line like~ "*[char]*"
    or process.command_line regex~ "(\^[a-zA-Z0-9]){3,}"
    or process.command_line regex~ "'[a-z]{2,4}'\s*\+\s*'[a-z]{2,4}'"
  )
high severity high confidence

Detects command-line obfuscation techniques targeting cmd.exe, PowerShell, and script hosts. Matches caret insertion, backtick obfuscation, Base64 encoding, string concatenation splitting, environment variable substitution, and Invoke-Expression variants consistent with T1027.010.

Data Sources

Elastic Endpoint SecurityWinlogbeat with SysmonElastic Agent (endpoint)

Required Tables

logs-endpoint.events.process-*winlogbeat-*

False Positives & Tuning

  • Legitimate administrative PowerShell scripts that use -EncodedCommand for long command strings in scheduled tasks or remote management tools like Ansible/SCCM
  • Security tooling and EDR agents that internally invoke encoded commands for telemetry or response actions
  • Developer toolchains (e.g., build scripts, CI runners) that dynamically construct command strings using string concatenation
Download portable Sigma rule (.yml)

Other platforms for T1027.010

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Caret Obfuscation (Invoke-DOSfuscation Style)

    Expected signal: Sysmon Event ID 1: cmd.exe with caret-obfuscated command line. The Sysmon CommandLine field will contain the raw obfuscated command. Security Event ID 4688 (if enabled) with the obfuscated command. PowerShell ScriptBlock Log will contain the deobfuscated 'Write-Host caret-obfuscation-test'.

  2. Test 2PowerShell String Splitting Obfuscation

    Expected signal: Sysmon Event ID 1: powershell.exe with string splitting in command line. PowerShell ScriptBlock Log Event ID 4104: will show both the obfuscated and deobfuscated versions. The ScriptBlock log captures the assembled 'Invoke-Expression' call after string joining.

  3. Test 3Environment Variable Substring Extraction (cmd.exe Level Obfuscation)

    Expected signal: Sysmon Event ID 1: cmd.exe with /V:ON flag (enables delayed variable expansion) and environment variable manipulation syntax. The !a:~0,7! syntax extracts a substring from the variable, demonstrating the character assembly obfuscation technique.

  4. Test 4Base64 Double-Encoding Obfuscation

    Expected signal: Sysmon Event ID 1: first powershell.exe with -Command flag and Base64 operations. Sysmon Event ID 1: second powershell.exe with -EncodedCommand flag. PowerShell ScriptBlock Log Event ID 4104: two entries — the outer decoder and the inner decoded command.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1027.010 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1027Obfuscated Files or Information

Related Sub-techniques

T1027.001Binary PaddingT1027.002Software PackingT1027.003SteganographyT1027.004Compile After DeliveryT1027.005Indicator Removal from ToolsT1027.006HTML SmugglingT1027.007Dynamic API ResolutionT1027.008Stripped PayloadsT1027.009Embedded PayloadsT1027.011Fileless StorageT1027.012LNK Icon SmugglingT1027.013Encrypted/Encoded FileT1027.014Polymorphic CodeT1027.015CompressionT1027.016Junk Code InsertionT1027.017SVG Smuggling

Related Techniques

T1027Obfuscated Files or InformationT1059.001PowerShellT1059.003Windows Command ShellT1562.001Disable or Modify ToolsT1140Deobfuscate/Decode Files or InformationT1055Process InjectionT1566.001Spearphishing Attachment

Same Tactic: Defense Evasion

Popular Detections