Detect Command Obfuscation in CrowdStrike LogScale
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation makes strings and patterns within commands and scripts more difficult to signature and analyze. Techniques include: Base64 encoding, string splitting ('Wor'+'d.Application'), character reordering with rev, caret insertion (p^o^w^e^r^s^h^e^l^l), environment variable substitution (%COMSPEC%), directory traversal to binary paths, XOR encryption, and ROT13. Tools like Invoke-Obfuscation and Invoke-DOSfuscation automate obfuscation. Adversaries including APT32, APT29, MuddyWater, Kimsuky, QakBot, FIN6, Wizard Spider, Cobalt Group, and many ransomware operators use command obfuscation extensively.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1027 Obfuscated Files or Information
- Sub-technique
- T1027.010 Command Obfuscation
- Canonical reference
- https://attack.mitre.org/techniques/T1027/010/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe)$/
| CommandLine = /./
| eval caret_obfusc = if(match(CommandLine, /(\^[a-zA-Z0-9]){3,}/), 1, 0)
| eval backtick_obfusc = if(match(CommandLine, /(`[a-zA-Z0-9]){3,}/), 1, 0)
| eval base64_obfusc = if(match(lower(CommandLine), /(-encodedcommand|-enc\s|-ec\s|frombase64|\[convert\])/), 1, 0)
| eval invoke_expr = if(match(lower(CommandLine), /(invoke-expression|iex\(|iex\s)/), 1, 0)
| eval env_var_subst = if(match(CommandLine, /(%comspec%|%systemroot%|%windir%)/i), 1, 0)
| eval string_split = if(match(CommandLine, /'[a-z]{2,}'\s*\+\s*'[a-z]{2,}'/), 1, 0)
| eval xor_obfusc = if(match(lower(CommandLine), /(-bxor|-band|-bnot|xor\s+0x)/), 1, 0)
| eval char_construct = if(match(CommandLine, /\[char\]/i), 1, 0)
| eval obfusc_score = caret_obfusc + backtick_obfusc + base64_obfusc + invoke_expr + env_var_subst + string_split + xor_obfusc + char_construct
| where obfusc_score > 0
| table(["@timestamp", ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName,
obfusc_score, caret_obfusc, backtick_obfusc, base64_obfusc, invoke_expr,
env_var_subst, string_split, xor_obfusc, char_construct])
| sort(field=obfusc_score, order=desc)CrowdStrike LogScale (CQL) query detecting T1027.010 command obfuscation via Falcon ProcessRollup2 telemetry. Scores eight distinct obfuscation techniques and surfaces multi-technique chains with the highest composite score. Leverages Falcon's rich process lineage fields for parent process context.
Data Sources
Required Tables
False Positives & Tuning
- CrowdStrike RTR (Real Time Response) scripts that administrators run interactively may contain encoded payloads or Invoke-Expression calls as part of legitimate incident response actions
- Software packaging tools and MSI wrappers that call PowerShell with -EncodedCommand to execute embedded post-install configuration scripts
- Vulnerability scanners and compliance assessment tools (e.g., Tenable, Qualys agents) that invoke encoded PowerShell for WMI-based host inventory collection
Other platforms for T1027.010
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell Caret Obfuscation (Invoke-DOSfuscation Style)
Expected signal: Sysmon Event ID 1: cmd.exe with caret-obfuscated command line. The Sysmon CommandLine field will contain the raw obfuscated command. Security Event ID 4688 (if enabled) with the obfuscated command. PowerShell ScriptBlock Log will contain the deobfuscated 'Write-Host caret-obfuscation-test'.
- Test 2PowerShell String Splitting Obfuscation
Expected signal: Sysmon Event ID 1: powershell.exe with string splitting in command line. PowerShell ScriptBlock Log Event ID 4104: will show both the obfuscated and deobfuscated versions. The ScriptBlock log captures the assembled 'Invoke-Expression' call after string joining.
- Test 3Environment Variable Substring Extraction (cmd.exe Level Obfuscation)
Expected signal: Sysmon Event ID 1: cmd.exe with /V:ON flag (enables delayed variable expansion) and environment variable manipulation syntax. The !a:~0,7! syntax extracts a substring from the variable, demonstrating the character assembly obfuscation technique.
- Test 4Base64 Double-Encoding Obfuscation
Expected signal: Sysmon Event ID 1: first powershell.exe with -Command flag and Base64 operations. Sysmon Event ID 1: second powershell.exe with -EncodedCommand flag. PowerShell ScriptBlock Log Event ID 4104: two entries — the outer decoder and the inner decoded command.
References (6)
- https://attack.mitre.org/techniques/T1027/010/
- https://github.com/danielbohannon/Invoke-Obfuscation
- https://github.com/danielbohannon/Invoke-DOSfuscation
- https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
- https://redcanary.com/threat-detection-report/techniques/powershell/
- https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1
Unlock Pro Content
Get the full detection package for T1027.010 including response playbook, investigation guide, and atomic red team tests.