Detect Command Obfuscation in Sumo Logic CSE
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation makes strings and patterns within commands and scripts more difficult to signature and analyze. Techniques include: Base64 encoding, string splitting ('Wor'+'d.Application'), character reordering with rev, caret insertion (p^o^w^e^r^s^h^e^l^l), environment variable substitution (%COMSPEC%), directory traversal to binary paths, XOR encryption, and ROT13. Tools like Invoke-Obfuscation and Invoke-DOSfuscation automate obfuscation. Adversaries including APT32, APT29, MuddyWater, Kimsuky, QakBot, FIN6, Wizard Spider, Cobalt Group, and many ransomware operators use command obfuscation extensively.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1027 Obfuscated Files or Information
- Sub-technique
- T1027.010 Command Obfuscation
- Canonical reference
- https://attack.mitre.org/techniques/T1027/010/
Sumo Detection Query
_sourceCategory=*windows*sysmon* OR _sourceCategory=*wineventlog*security*
| where EventID in ("1", "4688")
| json field=_raw "CommandLine" as command_line nodrop
| json field=_raw "Image" as image nodrop
| json field=_raw "NewProcessName" as new_process_name nodrop
| where (
matches(image, "(?i).*(cmd|powershell|pwsh|wscript|cscript)\.exe$")
or matches(new_process_name, "(?i).*(cmd|powershell|pwsh|wscript|cscript)\.exe$")
)
| where !isNull(command_line)
| eval caret_obfusc = if(matches(command_line, "(\\^[a-zA-Z0-9]){3,}"), 1, 0)
| eval base64_obfusc = if(
matches(toLowerCase(command_line), "(-encodedcommand|-enc\\s|-ec\\s|frombase64|\\[convert\\])"),
1, 0)
| eval invoke_expr = if(
matches(toLowerCase(command_line), "(invoke-expression|iex\\(|iex\\s)"),
1, 0)
| eval env_var_subst = if(matches(command_line, "(%comspec%|%systemroot%|%windir%)"), 1, 0)
| eval string_split = if(matches(command_line, "'[a-z]+'\\s*\\+\\s*'[a-z]+'"), 1, 0)
| eval xor_obfusc = if(matches(toLowerCase(command_line), "(-bxor|-band|-bnot|xor\\s+0x)"), 1, 0)
| eval obfusc_score = caret_obfusc + base64_obfusc + invoke_expr + env_var_subst + string_split + xor_obfusc
| where obfusc_score > 0
| fields _messageTime, Computer, User, image, new_process_name, command_line, obfusc_score,
caret_obfusc, base64_obfusc, invoke_expr, env_var_subst, string_split, xor_obfusc
| sort by obfusc_score descSumo Logic query detecting command obfuscation in Windows process creation events (Sysmon EventID 1 and Security EventID 4688). Computes a composite obfuscation score across caret insertion, Base64, Invoke-Expression, environment variable substitution, string splitting, and XOR patterns.
Data Sources
Required Tables
False Positives & Tuning
- Software installers and package managers that wrap PowerShell commands with encoding to handle special characters in file paths or product keys
- Group Policy preferences and login scripts that use environment variable substitution (%COMSPEC%, %WINDIR%) as a standard practice
- Monitoring agents and backup software that call encoded PowerShell for privileged operations under service accounts
Other platforms for T1027.010
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell Caret Obfuscation (Invoke-DOSfuscation Style)
Expected signal: Sysmon Event ID 1: cmd.exe with caret-obfuscated command line. The Sysmon CommandLine field will contain the raw obfuscated command. Security Event ID 4688 (if enabled) with the obfuscated command. PowerShell ScriptBlock Log will contain the deobfuscated 'Write-Host caret-obfuscation-test'.
- Test 2PowerShell String Splitting Obfuscation
Expected signal: Sysmon Event ID 1: powershell.exe with string splitting in command line. PowerShell ScriptBlock Log Event ID 4104: will show both the obfuscated and deobfuscated versions. The ScriptBlock log captures the assembled 'Invoke-Expression' call after string joining.
- Test 3Environment Variable Substring Extraction (cmd.exe Level Obfuscation)
Expected signal: Sysmon Event ID 1: cmd.exe with /V:ON flag (enables delayed variable expansion) and environment variable manipulation syntax. The !a:~0,7! syntax extracts a substring from the variable, demonstrating the character assembly obfuscation technique.
- Test 4Base64 Double-Encoding Obfuscation
Expected signal: Sysmon Event ID 1: first powershell.exe with -Command flag and Base64 operations. Sysmon Event ID 1: second powershell.exe with -EncodedCommand flag. PowerShell ScriptBlock Log Event ID 4104: two entries — the outer decoder and the inner decoded command.
References (6)
- https://attack.mitre.org/techniques/T1027/010/
- https://github.com/danielbohannon/Invoke-Obfuscation
- https://github.com/danielbohannon/Invoke-DOSfuscation
- https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
- https://redcanary.com/threat-detection-report/techniques/powershell/
- https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1
Unlock Pro Content
Get the full detection package for T1027.010 including response playbook, investigation guide, and atomic red team tests.