title: Command Obfuscation (T1027.010)
id: df00tech-t1027-010
status: experimental
description: "Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation makes strings and patterns within commands and scripts more difficult to signature and analyze. Techniques include: Base64 encoding, string splitting ('Wor'+'d.Application'), character reordering with rev, caret insertion (p^o^w^e^r^s^h^e^l^l), environment variable substitution (%COMSPEC%), directory traversal to binary paths, XOR encryption, and ROT13. Tools like Invoke-Obfuscation and Invoke-DOSfuscation automate obfuscation. Adversaries including APT32, APT29, MuddyWater, Kimsuky, QakBot, FIN6, Wizard Spider, Cobalt Group, and many ransomware operators use command obfuscation extensively."
references:
  - https://attack.mitre.org/techniques/T1027/010/
  - https://df00tech.com/detections/T1027.010
author: df00tech
date: 2026/04/13
tags:
  - attack.t1027.010
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate Base64 encoding in PowerShell for handling binary data in scripts, such as certificate operations or data serialization
  - IT automation scripts using Invoke-Expression to evaluate dynamically constructed commands for valid operational reasons
  - String concatenation patterns in legitimate PowerShell scripts where variable names or paths are assembled from components
  - Log parsing scripts that process logs containing caret or special characters
level: high
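As an added defender-side example (not part of this df00tech rule or its KQL/SPL query), the following Python normaliser undoes several of the obfuscation layers named in the description (cmd.exe caret insertion, PowerShell -EncodedCommand Base64, 'Wor'+'d.Application' string splitting, %COMSPEC% substitution) and reports which indicators fired, so a reviewer can see both the raw and the de-obfuscated command line. The sample command lines and the assumed %COMSPEC% value are constructed for the example.

```python
import base64
import re

# Constructed sample process-creation command lines (not taken from the page).
SAMPLE_CMDLINES = [
    "cmd.exe /c p^o^w^e^r^s^h^e^l^l -nop -w hidden",
    "powershell -EncodedCommand "
    + base64.b64encode("Get-Process".encode("utf-16le")).decode(),
    "%COMSPEC% /c echo hello",
    "powershell -c $o = New-Object -ComObject ('Wor'+'d.Application')",
    "C:\\Windows\\System32\\notepad.exe report.txt",
]
CARET_RE = re.compile(r"\^(.)")  # cmd.exe: '^' escapes the next character
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")  # 'a' + 'b'  ->  'ab'
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
ENV_VARS = {"%COMSPEC%": "C:\\Windows\\System32\\cmd.exe"}  # assumed default value

def join_concat(s):  # 'Wor'+'d.Application' -> 'Word.Application'; loop handles chains
    prev = None
    while prev != s:
        prev, s = s, CONCAT_RE.sub(lambda m: "'%s%s'" % (m.group(1), m.group(2)), s)
    return s

def decode_encoded_command(s):  # -EncodedCommand <b64> -> -Command <UTF-16LE text>
    m = ENC_RE.search(s)
    if not m:
        return s
    try:
        script = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return s  # not a genuine encoded command (e.g. "-e Get"); leave it alone
    return s[: m.start()] + "-Command " + script + s[m.end():]

def expand_env(s):  # lambda replacement keeps the backslashes in the value literal
    for var, val in ENV_VARS.items():
        s = re.sub(re.escape(var), lambda _: val, s, flags=re.IGNORECASE)
    return s

def analyze(cmd):  # returns the de-obfuscated line plus the indicator names that fired
    found = []
    if cmd.count("^") >= 2:  # a lone caret is common in legitimate findstr/echo use
        found.append("caret_insertion")
    if decode_encoded_command(cmd) != cmd:
        found.append("base64_encodedcommand")
    if CONCAT_RE.search(cmd):
        found.append("string_concat")
    if any(v.lower() in cmd.lower() for v in ENV_VARS):
        found.append("env_var_substitution")
    normalized = expand_env(join_concat(decode_encoded_command(CARET_RE.sub(r"\1", cmd))))
    return {"normalized": normalized, "indicators": found}
```

Running `analyze` over each entry of SAMPLE_CMDLINES shows the first four lines each trip exactly one indicator while the plain notepad.exe line trips none, which is the split the rule's falsepositives section asks a reviewer to check by hand.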
