T1027.010 Microsoft Sentinel · KQL

Detect Command Obfuscation in Microsoft Sentinel

Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation makes strings and patterns within commands and scripts more difficult to signature and analyze. Techniques include: Base64 encoding, string splitting ('Wor'+'d.Application'), character reordering with rev, caret insertion (p^o^w^e^r^s^h^e^l^l), environment variable substitution (%COMSPEC%), directory traversal to binary paths, XOR encryption, and ROT13. Tools like Invoke-Obfuscation and Invoke-DOSfuscation automate obfuscation. Adversaries including APT32, APT29, MuddyWater, Kimsuky, QakBot, FIN6, Wizard Spider, Cobalt Group, and many ransomware operators use command obfuscation extensively.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1027 Obfuscated Files or Information
Sub-technique: T1027.010 Command Obfuscation
Canonical reference: https://attack.mitre.org/techniques/T1027/010/

KQL Detection Query

Microsoft Sentinel (KQL)
// Literal indicators: caret/backtick insertion, quoted binary names, ComSpec tricks, PowerShell decoders.
let ObfuscationPatterns = dynamic([
  "^p^o^w^e^r", "^c^m^d", "^w^s^c^r^i^p^t",
  "`p`o`w`e`r", "`c`m`d",
  "po`w`er", "po^w^er",
  "\"cmd\"", "\"powershell\"",
  "eNVComspec", "%COMSPEC%",
  "[char]", "[Convert]::FromBase64",
  "iex(", "iex (",
  "Invoke-Expression",
  "$env:ComSpec"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
// Alert condition: a literal indicator, three or more ^x^y caret pairs, or two short quoted
// fragments joined by + or whitespace. The regexes are verbatim strings (@"..."), in which a
// double quote is written as "" and a backslash is literal.
| where ProcessCommandLine has_any (ObfuscationPatterns)
    or ProcessCommandLine matches regex @"(\^[a-zA-Z0-9]\^[a-zA-Z0-9]){3,}"
    or ProcessCommandLine matches regex @"[""'][a-z]{2,4}[""'][\+\s]+[""'][a-z]{2,4}[""'][\+\s]+"
// Annotation columns recording which obfuscation family was seen.
| extend CaretObfuscation = ProcessCommandLine matches regex @"(\^[a-zA-Z0-9]\^[a-zA-Z0-9]){3,}"
| extend StringSplitting = ProcessCommandLine matches regex @"[""'][a-z]{2,}[""'][\+\s]+[""'][a-z]+[""']"
| extend Base64Encoded = ProcessCommandLine has_any ("[Convert]::FromBase64", "EncodedCommand", "-enc ")
| extend InvokeExpr = ProcessCommandLine has_any ("iex(", "Invoke-Expression")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, CaretObfuscation, StringSplitting, Base64Encoded, InvokeExpr
| sort by Timestamp desc

Severity: High · Confidence: High

Detects command-line obfuscation patterns including caret insertion (^p^o^w^e^r^s^h^e^l^l), string-splitting concatenation, Base64 encoding with IEX, and environment variable substitution. Uses regex matching for caret obfuscation (three or more consecutive ^-character pairs), which is characteristic of Invoke-DOSfuscation output. Also detects PowerShell-specific obfuscation indicators such as [Convert]::FromBase64 and Invoke-Expression.

Data Sources

Process: Process Creation
Command: Command Execution
Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Legitimate Base64 encoding in PowerShell for handling binary data in scripts, such as certificate operations or data serialization
  • IT automation scripts using Invoke-Expression to evaluate dynamically-constructed commands for valid operational reasons
  • String concatenation patterns in legitimate PowerShell scripts where variable names or paths are assembled from components
  • Log parsing scripts that process logs containing caret or special characters
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: PowerShell Caret Obfuscation (Invoke-DOSfuscation Style)

    Expected signal: Sysmon Event ID 1: cmd.exe with caret-obfuscated command line. The Sysmon CommandLine field will contain the raw obfuscated command. Security Event ID 4688 (if enabled) with the obfuscated command. PowerShell ScriptBlock Log will contain the deobfuscated 'Write-Host caret-obfuscation-test'.

  2. Test 2: PowerShell String Splitting Obfuscation

    Expected signal: Sysmon Event ID 1: powershell.exe with string splitting in command line. PowerShell ScriptBlock Log Event ID 4104: will show both the obfuscated and deobfuscated versions. The ScriptBlock log captures the assembled 'Invoke-Expression' call after string joining.

  3. Test 3: Environment Variable Substring Extraction (cmd.exe Level Obfuscation)

    Expected signal: Sysmon Event ID 1: cmd.exe with /V:ON flag (enables delayed variable expansion) and environment variable manipulation syntax. The !a:~0,7! syntax extracts a substring from the variable, demonstrating the character assembly obfuscation technique.

  4. Test 4: Base64 Double-Encoding Obfuscation

    Expected signal: Sysmon Event ID 1: first powershell.exe with -Command flag and Base64 operations. Sysmon Event ID 1: second powershell.exe with -EncodedCommand flag. PowerShell ScriptBlock Log Event ID 4104: two entries — the outer decoder and the inner decoded command.
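The Python script below is an added example and is not part of this detection page or its Sentinel package. It re-implements the query's filter (the where clause) and its four extend columns over constructed DeviceProcessEvents-style rows, one per Atomic Red Team test above plus one benign row, so you can check offline which tests the rule's alert condition would actually surface before running them on a host. The sample command lines are constructed (they only echo or Write-Host test strings), the DelayedExpansion check for the !var:~start,len! syntax exercised by Test 3 is a hypothetical extra not present in the KQL, and the two analyst helpers (strip_carets, decode_encoded_command) are mine.

```python
import base64
import re

# Patterns copied from the query's ObfuscationPatterns list. KQL has_any is
# case-insensitive, so has_any() below lower-cases both sides.
OBFUSCATION_PATTERNS = [
    "^p^o^w^e^r", "^c^m^d", "^w^s^c^r^i^p^t",
    "`p`o`w`e`r", "`c`m`d",
    "po`w`er", "po^w^er",
    '"cmd"', '"powershell"',
    "eNVComspec", "%COMSPEC%",
    "[char]", "[Convert]::FromBase64",
    "iex(", "iex (",
    "Invoke-Expression",
    "$env:ComSpec",
]
TARGET_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# KQL `matches regex` is case-sensitive, so no re.IGNORECASE here.
CARET_RE = re.compile(r"(\^[a-zA-Z0-9]\^[a-zA-Z0-9]){3,}")               # 3+ ^x^y pairs
SPLIT_FILTER_RE = re.compile(r"[\"'][a-z]{2,4}[\"'][+\s]+[\"'][a-z]{2,4}[\"'][+\s]+")  # where clause
SPLIT_COLUMN_RE = re.compile(r"[\"'][a-z]{2,}[\"'][+\s]+[\"'][a-z]+[\"']")            # extend column
BASE64_INDICATORS = ["[Convert]::FromBase64", "EncodedCommand", "-enc "]
IEX_INDICATORS = ["iex(", "Invoke-Expression"]
# Hypothetical extra check, NOT in the Sentinel query: cmd.exe delayed-expansion
# substring syntax (!var:~start,len!) used by Test 3 above.
DELAYED_EXPANSION_RE = re.compile(r"!\w+:~-?\d+(?:,-?\d+)?!")


def has_any(text, needles):
    """Case-insensitive substring test approximating KQL has_any on these literals."""
    lowered = text.lower()
    return any(n.lower() in lowered for n in needles)


def classify(event):
    """Apply the query's filter and extend columns to one process-creation row."""
    cmd = event["ProcessCommandLine"]
    in_scope = event["FileName"].lower() in TARGET_IMAGES
    matched = in_scope and (
        has_any(cmd, OBFUSCATION_PATTERNS)
        or bool(CARET_RE.search(cmd))
        or bool(SPLIT_FILTER_RE.search(cmd))
    )
    return {
        "Matched": matched,                       # would the where clause pass this row?
        "CaretObfuscation": bool(CARET_RE.search(cmd)),
        "StringSplitting": bool(SPLIT_COLUMN_RE.search(cmd)),
        "Base64Encoded": has_any(cmd, BASE64_INDICATORS),
        "InvokeExpr": has_any(cmd, IEX_INDICATORS),
        "DelayedExpansion": bool(DELAYED_EXPANSION_RE.search(cmd)),  # extra, see above
    }


def strip_carets(cmd):
    """Analyst helper: cmd.exe drops a lone ^ and keeps the next char; ^^ yields ^."""
    out, i = [], 0
    while i < len(cmd):
        if cmd[i] == "^" and i + 1 < len(cmd):
            out.append(cmd[i + 1])
            i += 2
        else:
            out.append(cmd[i])
            i += 1
    return "".join(out)


def decode_encoded_command(cmd):
    """Analyst helper: decode the UTF-16LE Base64 argument of -EncodedCommand / -enc."""
    m = re.search(r"-(?:EncodedCommand|enc)\s+([A-Za-z0-9+/=]+)", cmd, re.IGNORECASE)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


# Constructed sample rows (not real telemetry); Test numbers follow the list above.
ENCODED = base64.b64encode("Write-Host b64-test".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"Test": 1, "FileName": "cmd.exe",
     "ProcessCommandLine": 'cmd.exe /c p^o^w^e^r^s^h^e^l^l -c "Write-Host caret-obfuscation-test"'},
    {"Test": 2, "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -Command \"&('Write-'+'Host') ('str'+'ing'+'-test')\""},
    {"Test": 3, "FileName": "cmd.exe",
     "ProcessCommandLine": 'cmd.exe /V:ON /C "set a=echo delayed-test&&!a:~0,4! ran"'},
    {"Test": 4, "FileName": "powershell.exe",
     "ProcessCommandLine": f"powershell.exe -EncodedCommand {ENCODED}"},
    {"Test": 0, "FileName": "powershell.exe",   # benign admin script, should not match
     "ProcessCommandLine": 'powershell.exe -File C:\\Scripts\\Backup.ps1 -Target "D:\\"'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = classify(ev)
        hits = [k for k, v in r.items() if v and k != "Matched"]
        print(f"Test {ev['Test']}: Matched={r['Matched']} columns={hits}")
```

Running it shows Tests 1 and 2 pass the where clause (caret regex and the string-splitting regex respectively), while Test 3 and a bare -EncodedCommand launch as in Test 4 do not: the filter carries only ObfuscationPatterns and the two regexes, so the Base64Encoded column is set for Test 4 but the row never reaches the extend stage. If those tests must alert, add "EncodedCommand" and a delayed-expansion regex to the where clause rather than relying on the annotation columns.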
