Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., Phishing and Drive-by Compromise) or interactively via Command and Scripting Interpreter.(Citation: Akamai JS)(Citation: Malware Monday VBE)
For example, adversaries may abuse syntax that utilizes various symbols and escape characters (such as spacing, <code>^</code>, <code>+</code>, <code>$</code>, and <code>%</code>) to make commands difficult to analyze while maintaining the same intended functionality.(Citation: RC PowerShell) Many languages support built-in obfuscation in the form of base64 or URL encoding.(Citation: Microsoft PowerShellB64) Adversaries may also manually implement command obfuscation via string splitting (<code>"Wor"+"d.Application"</code>), order and casing of characters (<code>rev <<<'dwssap/cte/ tac'</code>), globbing (<code>mkdir -p '/tmp/:&$NiA'</code>), as well as various tricks involving passing strings through tokens/environment variables/input streams.(Citation: Bashfuscator Command Obfuscators)(Citation: FireEye Obfuscation June 2017)
Adversaries may also use tricks such as directory traversals to obfuscate references to the binary being invoked by a command (<code>C:\voi\pcw\..\..\Windows\tei\qs\k\..\..\..\system32\erool\..\wbem\wg\je\..\..\wmic.exe shadowcopy delete</code>).(Citation: Twitter Richard WMIC)
Tools such as <code>Invoke-Obfuscation</code> and <code>Invoke-DOSfucation</code> have also been used to obfuscate commands.(Citation: Invoke-DOSfuscation)(Citation: Invoke-Obfuscation)
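The indicators listed above (caret escapes, base64 <code>-EncodedCommand</code> payloads, string concatenation, environment-variable substring expansion, and <code>..</code> directory traversal in the invoked binary's path) are all things a detection pipeline can score directly from a process-creation command line. The following is an added example, not code from MITRE or any of the cited tools; the weights, threshold, regexes and sample command lines are constructed for illustration and would need tuning against real telemetry. It normalizes the traversal path from the description back to the real binary, decodes a UTF-16LE base64 payload, and flags the obfuscated samples while leaving a plain <code>notepad.exe</code> invocation unflagged.

```python
import base64
import re

# Indicator patterns (constructed for this example; not an exhaustive list).
CARET_RE = re.compile(r"\^")                                   # cmd.exe escape character
ENCODED_CMD_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)  # abbreviated -EncodedCommand
CONCAT_RE = re.compile(r"""['"]\s*\+\s*['"]""")                # 'Wor'+'d.Application' style splitting
TRAVERSAL_RE = re.compile(r"(?<=[\\/])\.\.(?=[\\/])")          # each '..' segment between separators
ENV_SUBSTR_RE = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*:~-?\d+(?:,-?\d+)?%")  # %VAR:~a,b% substring tricks

# Weights and threshold are assumptions for the example, not a vetted scoring model.
WEIGHTS = {"caret": 1, "encoded_command": 5, "concat": 2, "traversal": 3, "env_substring": 3}
THRESHOLD = 4


def normalize_windows_path(path: str) -> str:
    """Collapse '.' and '..' segments in a Windows-style path without touching the filesystem."""
    parts = path.replace("/", "\\").split("\\")
    out = []
    for part in parts:
        if part == "..":
            if len(out) > 1:  # never pop the drive letter / root component
                out.pop()
        elif part not in ("", "."):
            out.append(part)
    return "\\".join(out)


def decode_encoded_command(cmd: str):
    """Return the UTF-16LE text behind a base64 -EncodedCommand argument, or None."""
    m = ENCODED_CMD_RE.search(cmd)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16le", errors="replace")


def analyze_command(cmd: str) -> dict:
    """Score one command line for the obfuscation indicators described in the text."""
    stripped = cmd.strip()
    binary = stripped.split(maxsplit=1)[0].strip('"') if stripped else ""
    counts = {
        "caret": len(CARET_RE.findall(cmd)),
        "encoded_command": 1 if ENCODED_CMD_RE.search(cmd) else 0,
        "concat": len(CONCAT_RE.findall(cmd)),
        "traversal": len(TRAVERSAL_RE.findall(cmd)),
        "env_substring": len(ENV_SUBSTR_RE.findall(cmd)),
    }
    score = sum(WEIGHTS[k] * v for k, v in counts.items())
    return {
        "binary": normalize_windows_path(binary),
        "indicators": {k: v for k, v in counts.items() if v},
        "score": score,
        "suspicious": score >= THRESHOLD,
        "decoded_payload": decode_encoded_command(cmd),
    }


# Constructed sample command lines (the traversal one is the example from the description).
SAMPLE_B64 = base64.b64encode("Write-Output 'hello'".encode("utf-16le")).decode("ascii")
SAMPLE_COMMANDS = {
    "traversal": r"C:\voi\pcw\..\..\Windows\tei\qs\k\..\..\..\system32\erool\..\wbem\wg\je\..\..\wmic.exe shadowcopy delete",
    "encoded": "powershell.exe -NoProfile -EncodedCommand " + SAMPLE_B64,
    "caret": "cmd /c e^c^h^o %TEMP:~0,3% > out.txt",
    "concat": "powershell -c \"$w = New-Object -ComObject ('Wor'+'d.Appl'+'ication')\"",
    "benign": r"notepad.exe C:\Users\alice\notes.txt",
}

if __name__ == "__main__":
    for name, cmd in SAMPLE_COMMANDS.items():
        result = analyze_command(cmd)
        print(f"{name:10s} suspicious={result['suspicious']!s:5s} score={result['score']:2d} "
              f"binary={result['binary']} indicators={result['indicators']}")
        if result["decoded_payload"] is not None:
            print(f"{'':10s} decoded payload: {result['decoded_payload']!r}")
```

Normalizing the binary path before matching is the important design choice: a rule keyed on <code>wmic.exe</code> or <code>\wbem\</code> never fires on the raw traversal string, but does once <code>..</code> segments are collapsed. The decoded payload should be fed back through the same analysis (and through script-block logging where available), since the encoded form hides every other indicator.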
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.IR-01.08 | End-user device access | Mitigates | T1027.010 | Command Obfuscation | This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization's network and resources. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1027.010 | Command Obfuscation | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.08 | End-user device protection | Mitigates | T1027.010 | Command Obfuscation | This diagnostic statement provides protections for endpoints from obfuscated files or information through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity. |
PR.PS-05.01 | Malware prevention | Mitigates | T1027.010 | Command Obfuscation | Antivirus/antimalware software can be utilized to detect and quarantine suspicious Windows 10+ commands that adversaries have made difficult to discover by encrypting, encoding or obfuscating. |
PR.PS-01.08 | End-user device protection | Mitigates | T1027.010 | Command Obfuscation | This diagnostic statement protects against Command Obfuscation by limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-06 | Configuration Settings | mitigates | T1027.010 | Command Obfuscation | |
SI-10 | Information Input Validation | mitigates | T1027.010 | Command Obfuscation | |
SI-03 | Malicious Code Protection | mitigates | T1027.010 | Command Obfuscation | |
SI-04 | System Monitoring | mitigates | T1027.010 | Command Obfuscation | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1027.010 | Command Obfuscation | |
action.hacking.vector.Command shell | Remote shell | related-to | T1027.010 | Command Obfuscation | |
action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1027.010 | Command Obfuscation | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
alerts_for_linux_machines | Alerts for Linux Machines | technique_scores | T1027.010 | Command Obfuscation | This control can detect command obfuscation attacks. |
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1027.010 | Command Obfuscation | This control can detect command obfuscation attacks. |
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1027.010 | Command Obfuscation | This control can protect against command obfuscation attacks. |
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1027.010 | Command Obfuscation | This control can protect against command obfuscation attacks. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
google_secops | Google Security Operations | technique_scores | T1027.010 | Command Obfuscation | Google Security Operations can be configured to detect suspicious syntax or characters in commands. |