Detect Command Obfuscation in IBM QRadar
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation makes strings and patterns within commands and scripts more difficult to signature and analyze. Techniques include: Base64 encoding, string splitting ('Wor'+'d.Application'), character reordering with rev, caret insertion (p^o^w^e^r^s^h^e^l^l), environment variable substitution (%COMSPEC%), directory traversal to binary paths, XOR encryption, and ROT13. Tools like Invoke-Obfuscation and Invoke-DOSfuscation automate obfuscation. Adversaries including APT32, APT29, MuddyWater, Kimsuky, QakBot, FIN6, Wizard Spider, Cobalt Group, and many ransomware operators use command obfuscation extensively.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1027 Obfuscated Files or Information
- Sub-technique
- T1027.010 Command Obfuscation
- Canonical reference
- https://attack.mitre.org/techniques/T1027/010/
QRadar Detection Query
SELECT
    DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
    sourceip,
    username,
    "HOSTNAME" AS host,
    "Process Name" AS process_name,
    "Command" AS command_line,
    CASE WHEN REGEXP_MATCH("Command", '(\^[a-zA-Z0-9]){3,}') THEN 1 ELSE 0 END AS caret_obfusc,
    CASE WHEN LOWER("Command") LIKE '%-encodedcommand%' OR LOWER("Command") LIKE '%-enc %' OR LOWER("Command") LIKE '%frombase64%' THEN 1 ELSE 0 END AS base64_obfusc,
    CASE WHEN LOWER("Command") LIKE '%invoke-expression%' OR LOWER("Command") LIKE '%iex(%' OR LOWER("Command") LIKE '%iex (%' THEN 1 ELSE 0 END AS invoke_expr,
    CASE WHEN REGEXP_MATCH("Command", '(?i)%comspec%|%systemroot%') THEN 1 ELSE 0 END AS env_var_subst,
    CASE WHEN REGEXP_MATCH("Command", '''[^'']{1,40}''\s*\+\s*''[^'']{1,40}''') THEN 1 ELSE 0 END AS string_split,
    CASE WHEN LOWER("Command") LIKE '%[char]%' THEN 1 ELSE 0 END AS char_cast
FROM events
WHERE
    LOGSOURCETYPEID IN (12, 13, 14, 15)
    AND QIDNAME(qid) IN ('Process Create', 'Sysmon Process Create', 'Windows Security Process Creation')
    AND ("Process Name" LIKE '%cmd.exe' OR "Process Name" LIKE '%powershell.exe' OR "Process Name" LIKE '%pwsh.exe' OR "Process Name" LIKE '%wscript.exe' OR "Process Name" LIKE '%cscript.exe')
    AND (
        REGEXP_MATCH("Command", '(\^[a-zA-Z0-9]){3,}')
        OR LOWER("Command") LIKE '%-encodedcommand%'
        OR LOWER("Command") LIKE '%-enc %'
        OR LOWER("Command") LIKE '%frombase64%'
        OR LOWER("Command") LIKE '%invoke-expression%'
        OR LOWER("Command") LIKE '%iex(%'
        OR LOWER("Command") LIKE '%iex (%'
        OR REGEXP_MATCH("Command", '(?i)%comspec%|%systemroot%')
        OR REGEXP_MATCH("Command", '''[^'']{1,40}''\s*\+\s*''[^'']{1,40}''')
        OR LOWER("Command") LIKE '%[char]%'
    )
ORDER BY starttime DESC
LAST 24 HOURS
QRadar AQL query detecting command obfuscation patterns in Windows process creation events from Security, Sysmon, and endpoint log sources. Each CASE column scores one obfuscation technique (1 = present), so summing the columns surfaces multi-technique obfuscation chains; the WHERE clause applies the same indicators as a filter so that only events with at least one hit are returned. The environment-variable check uses REGEXP_MATCH rather than LIKE because % is the LIKE wildcard, so a pattern such as '%%comspec%%' collapses to '%comspec%' and cannot require the literal percent signs of %COMSPEC%. The string-split pattern accepts any non-quote characters between the quotes so that fragments like 'Wor'+'d.Application' match.
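As an added example that is not part of the original page, the same indicator scoring in Python, run over constructed command lines; the regexes mirror the query's CASE columns, and a small helper decodes a -EncodedCommand argument (base64 of UTF-16LE) so an analyst can see what an encoded hit actually runs. All sample commands below are made up for the demo.

```python
import base64
import re

# Mirror of the query's CASE columns (plus the [char] cast it filters on), one compiled
# regex per indicator. Case-insensitive where the AQL uses LOWER() or (?i).
INDICATORS = {
    "caret_obfusc": re.compile(r"(\^[a-zA-Z0-9]){3,}"),
    "base64_obfusc": re.compile(r"-encodedcommand|-enc\s|frombase64", re.I),
    "invoke_expr": re.compile(r"invoke-expression|iex ?\(", re.I),
    "env_var_subst": re.compile(r"%comspec%|%systemroot%", re.I),
    "string_split": re.compile(r"'[^']{1,40}'\s*\+\s*'[^']{1,40}'"),
    "char_cast": re.compile(r"\[char\]", re.I),
}

def score_command(cmd: str) -> dict:
    """Score one command line: {indicator: 0|1, ..., 'total': n}, like the AQL CASE columns."""
    hits = {name: int(bool(rx.search(cmd))) for name, rx in INDICATORS.items()}
    hits["total"] = sum(hits.values())
    return hits

def decode_encoded_command(cmd: str):
    """Return the plaintext behind a PowerShell -EncodedCommand/-enc argument
    (base64 of UTF-16LE text), or None if there is none or it does not decode."""
    m = re.search(r"-(?:encodedcommand|enc)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

# Constructed sample command lines (not real telemetry). The encoded one is built here
# so the demo stays self-contained; it wraps the harmless 'Write-Host test'.
ENCODED = base64.b64encode("Write-Host test".encode("utf-16-le")).decode("ascii")
SAMPLES = [
    "cmd.exe /c p^o^w^e^r^s^h^e^l^l -Command Write-Host test",   # caret insertion
    "powershell.exe -nop -c \"IEX ('Get-'+'Process')\"",         # string split + IEX chain
    f"powershell.exe -NoProfile -EncodedCommand {ENCODED}",       # base64 encoded command
    "%COMSPEC% /c echo hello",                                    # env var substitution
    "powershell.exe -File C:\\scripts\\inventory.ps1",            # benign, scores 0
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        s = score_command(cmd)
        flagged = [k for k, v in s.items() if v and k != "total"]
        print(f"score={s['total']} {flagged} {cmd[:60]}")
        decoded = decode_encoded_command(cmd)
        if decoded:
            print(f"    decoded -EncodedCommand: {decoded!r}")
```

Sorting events by the total column reproduces the query's intent of surfacing multi-technique chains first.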
False Positives & Tuning
- Automated deployment systems using encoded PowerShell commands to pass configuration payloads through remote execution frameworks
- Legitimate IT management tools (e.g., ConnectWise, Kaseya) that encode inline scripts for transmission to endpoints
- Red team and penetration testing engagements using Invoke-Obfuscation or Invoke-DOSfuscation in authorized scope
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PowerShell Caret Obfuscation (Invoke-DOSfuscation Style)
Expected signal: Sysmon Event ID 1: cmd.exe with caret-obfuscated command line. The Sysmon CommandLine field will contain the raw obfuscated command. Security Event ID 4688 (if enabled) with the obfuscated command. PowerShell ScriptBlock Log will contain the deobfuscated 'Write-Host caret-obfuscation-test'.
- Test 2: PowerShell String Splitting Obfuscation
Expected signal: Sysmon Event ID 1: powershell.exe with string splitting in command line. PowerShell ScriptBlock Log Event ID 4104 will show both the obfuscated and deobfuscated versions. The ScriptBlock log captures the assembled 'Invoke-Expression' call after string joining.
- Test 3: Environment Variable Substring Extraction (cmd.exe Level Obfuscation)
Expected signal: Sysmon Event ID 1: cmd.exe with /V:ON flag (enables delayed variable expansion) and environment variable manipulation syntax. The !a:~0,7! syntax extracts a substring from the variable, demonstrating the character assembly obfuscation technique.
- Test 4: Base64 Double-Encoding Obfuscation
Expected signal: Sysmon Event ID 1: first powershell.exe with -Command flag and Base64 operations. Sysmon Event ID 1: second powershell.exe with -EncodedCommand flag. PowerShell ScriptBlock Log Event ID 4104: two entries, the outer decoder and the inner decoded command.
References (6)
- https://attack.mitre.org/techniques/T1027/010/
- https://github.com/danielbohannon/Invoke-Obfuscation
- https://github.com/danielbohannon/Invoke-DOSfuscation
- https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
- https://redcanary.com/threat-detection-report/techniques/powershell/
- https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1