T1027.010 Splunk · SPL

Detect Command Obfuscation in Splunk

Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation makes strings and patterns within commands and scripts more difficult to signature and analyze. Techniques include: Base64 encoding, string splitting ('Wor'+'d.Application'), character reordering with rev, caret insertion (p^o^w^e^r^s^h^e^l^l), environment variable substitution (%COMSPEC%), directory traversal to binary paths, XOR encryption, and ROT13. Tools like Invoke-Obfuscation and Invoke-DOSfuscation automate obfuscation. Adversaries including APT32, APT29, MuddyWater, Kimsuky, QakBot, FIN6, Wizard Spider, Cobalt Group, and many ransomware operators use command obfuscation extensively.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.010 Command Obfuscation
Canonical reference
https://attack.mitre.org/techniques/T1027/010/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe"
   OR Image="*\\wscript.exe" OR Image="*\\cscript.exe")
| eval cmdline=CommandLine
| eval CaretObfusc=if(match(cmdline, "(\^[a-zA-Z0-9]){3,}"), 1, 0)
| eval Base64Obfusc=if(match(lower(cmdline), "(-encodedcommand|-enc\s|-ec\s|frombase64|[convert])"), 1, 0)
| eval InvokeExpr=if(match(lower(cmdline), "(invoke-expression|iex\(|iex\s)"), 1, 0)
| eval XORObfusc=if(match(lower(cmdline), "(-bxor|-band|-bnot|xor\s+0x)"), 1, 0)
| eval EnvVarSubst=if(match(cmdline, "(%comspec%|%systemroot%|%windir%).*cmd\|powershell"), 1, 0)
| eval StringSplit=if(match(cmdline, "'[a-z]+'\s*\+\s*'[a-z]+'"), 1, 0)
| eval ObfuscScore=CaretObfusc+Base64Obfusc+InvokeExpr+XORObfusc+EnvVarSubst+StringSplit
| where ObfuscScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ObfuscScore,
        CaretObfusc, Base64Obfusc, InvokeExpr, XORObfusc, StringSplit
| sort - ObfuscScore
high severity high confidence

Multi-indicator command obfuscation detection with composite scoring. Assigns scores for: caret obfuscation (^c^m^d style), Base64 encoding, Invoke-Expression, XOR operations, environment variable substitution, and string splitting. Higher scores indicate more sophisticated obfuscation. Captures PowerShell, cmd, wscript, and cscript obfuscation patterns. Prioritizes alerts by score to surface the most complex obfuscation first.

Data Sources

Process: Process CreationCommand: Command ExecutionSysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate PowerShell scripts using Base64 for data handling in IT automation tools (Ansible, Chef, Puppet)
  • Software deployment scripts that encode parameters for transmission across management interfaces
  • Security monitoring scripts that use Invoke-Expression to evaluate dynamic queries
  • Database administrators using PowerShell string concatenation for dynamic SQL queries
Download portable Sigma rule (.yml)

Other platforms for T1027.010

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Caret Obfuscation (Invoke-DOSfuscation Style)

    Expected signal: Sysmon Event ID 1: cmd.exe with caret-obfuscated command line. The Sysmon CommandLine field will contain the raw obfuscated command. Security Event ID 4688 (if enabled) with the obfuscated command. PowerShell ScriptBlock Log will contain the deobfuscated 'Write-Host caret-obfuscation-test'.

  2. Test 2PowerShell String Splitting Obfuscation

    Expected signal: Sysmon Event ID 1: powershell.exe with string splitting in command line. PowerShell ScriptBlock Log Event ID 4104: will show both the obfuscated and deobfuscated versions. The ScriptBlock log captures the assembled 'Invoke-Expression' call after string joining.

  3. Test 3Environment Variable Substring Extraction (cmd.exe Level Obfuscation)

    Expected signal: Sysmon Event ID 1: cmd.exe with /V:ON flag (enables delayed variable expansion) and environment variable manipulation syntax. The !a:~0,7! syntax extracts a substring from the variable, demonstrating the character assembly obfuscation technique.

  4. Test 4Base64 Double-Encoding Obfuscation

    Expected signal: Sysmon Event ID 1: first powershell.exe with -Command flag and Base64 operations. Sysmon Event ID 1: second powershell.exe with -EncodedCommand flag. PowerShell ScriptBlock Log Event ID 4104: two entries — the outer decoder and the inner decoded command.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1027.010 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1027Obfuscated Files or Information

Related Sub-techniques

T1027.001Binary PaddingT1027.002Software PackingT1027.003SteganographyT1027.004Compile After DeliveryT1027.005Indicator Removal from ToolsT1027.006HTML SmugglingT1027.007Dynamic API ResolutionT1027.008Stripped PayloadsT1027.009Embedded PayloadsT1027.011Fileless StorageT1027.012LNK Icon SmugglingT1027.013Encrypted/Encoded FileT1027.014Polymorphic CodeT1027.015CompressionT1027.016Junk Code InsertionT1027.017SVG Smuggling

Related Techniques

T1027Obfuscated Files or InformationT1059.001PowerShellT1059.003Windows Command ShellT1562.001Disable or Modify ToolsT1140Deobfuscate/Decode Files or InformationT1055Process InjectionT1566.001Spearphishing Attachment

Same Tactic: Defense Evasion

Popular Detections