Skip to content

T1027.010 Command Obfuscation

Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., Phishing and Drive-by Compromise) or interactively via Command and Scripting Interpreter.65

For example, adversaries may abuse syntax that utilizes various symbols and escape characters (such as spacing, ^, +. $, and %) to make commands difficult to analyze while maintaining the same intended functionality.9 Many languages support built-in obfuscation in the form of base64 or URL encoding.8 Adversaries may also manually implement command obfuscation via string splitting (“Wor”+“d.Application”), order and casing of characters (rev <<<'dwssap/cte/ tac'), globing (mkdir -p '/tmp/:&$NiA'), as well as various tricks involving passing strings through tokens/environment variables/input streams.74

Adversaries may also use tricks such as directory traversals to obfuscate references to the binary being invoked by a command (C:\voi\pcw\..\..\Windows\tei\qs\k\..\..\..\system32\erool\..\wbem\wg\je\..\..\wmic.exe shadowcopy delete).1

Tools such as Invoke-Obfuscation and Invoke-DOSfucation have also been used to obfuscate commands.32

Item Value
ID T1027.010
Sub-techniques T1027.001, T1027.002, T1027.003, T1027.004, T1027.005, T1027.006, T1027.007, T1027.008, T1027.009, T1027.010, T1027.011
Tactics TA0005
Platforms Linux, Windows, macOS
Version 1.0
Created 14 March 2023
Last Modified 24 March 2023

Procedure Examples

ID Name Description
G0073 APT19 APT19 used Base64 to obfuscate executed commands.60
G0050 APT32 APT32 has used the Invoke-Obfuscation framework to obfuscate their PowerShell.632142
G0143 Aquatic Panda Aquatic Panda has encoded PowerShell commands in Base64.64
S0373 Astaroth Astaroth has obfuscated and randomized parts of the JScript code it is initiating.33
S0475 BackConfig BackConfig has used compressed and decimal encoded VBS scripts.25
C0018 C0018 During C0018, the threat actors used Base64 to encode their PowerShell scripts.8685
C0021 C0021 During C0021, the threat actors used encoded PowerShell commands.8990
S0462 CARROTBAT CARROTBAT has the ability to execute obfuscated commands on the infected host.14
G0114 Chimera Chimera has encoded PowerShell commands.48
G0080 Cobalt Group Cobalt Group obfuscated several scriptlets and code used on the victim’s machine, including through use of XOR and RC4.6261
S0126 ComRAT ComRAT has used encryption and base64 to obfuscate its orchestrator code in the Registry. ComRAT has also used encoded PowerShell scripts.3231
S0492 CookieMiner CookieMiner has used base64 encoding to obfuscate scripts on the system.39
S0673 DarkWatchman DarkWatchman has used Base64 to encode PowerShell commands.27
S0354 Denis Denis has encoded its PowerShell commands in Base64.42
G1003 Ember Bear Ember Bear has obfuscated malicious scripts to help avoid detection.69
S0367 Emotet Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts. 34373536
S0363 Empire Empire has the ability to obfuscate commands using Invoke-Obfuscation.13
G0037 FIN6 FIN6 has used encoded PowerShell commands.65
G0046 FIN7 FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.46768
G0061 FIN8 FIN8 has used environment variables and standard input (stdin) to obfuscate command-line arguments. FIN8 also obfuscates malicious macros delivered as payloads.47071
G0117 Fox Kitten Fox Kitten has base64 encoded scripts to avoid detection.66
C0001 Frankenstein During Frankenstein, the threat actors ran encoded commands from the command line.88
S0277 FruitFly FruitFly executes and stores obfuscated Perl scripts.20
G0047 Gamaredon Group Gamaredon Group has used obfuscated or encrypted scripts.8038
G0115 GOLD SOUTHFIELD GOLD SOUTHFIELD has executed base64 encoded PowerShell scripts on compromised hosts.59
G1001 HEXANE HEXANE has used Base64-encoded scripts.50
S1022 IceApple IceApple can use Base64 and “junk” JavaScript code to obfuscate information.46
S0669 KOCTOPUS KOCTOPUS has obfuscated scripts with the BatchEncryption tool.40
G0140 LazyScripter LazyScripter has leveraged the BatchEncryption tool to perform advanced batch script obfuscation and encoding techniques.40
G0077 Leafminer Leafminer obfuscated scripts that were used on victim machines.53
S0451 LoudMiner LoudMiner has obfuscated various scripts.47
S0409 Machete Machete has used pyobfuscate, zlib compression, and base64 encoding for obfuscation. Machete has also used some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.1615
G0059 Magic Hound Magic Hound has used base64-encoded commands.8182
G0069 MuddyWater MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts.7521 The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.75197472737776
S0457 Netwalker Netwalker‘s PowerShell script has been obfuscated with multiple layers including base64 and hexadecimal encoding and XOR-encryption, as well as obfuscated PowerShell functions and variables.4544
C0012 Operation CuckooBees During Operation CuckooBees, the threat actors executed an encoded VBScript file.87
C0014 Operation Wocao During Operation Wocao, threat actors executed PowerShell commands which were encoded or compressed using Base64, zlib, and XOR.84
G0040 Patchwork Patchwork has obfuscated a script with Crypto Obfuscator.83
S0428 PoetRAT PoetRAT has pyminifier to obfuscate scripts.26
S0685 PowerPunch PowerPunch can use Base64-encoded scripts.38
S0194 PowerSploit PowerSploit contains a collection of ScriptModification modules that compress and encode scripts and payloads.1112
S0223 POWERSTATS POWERSTATS uses character replacement, PowerShell environment variables, and XOR encoding to obfuscate code. POWERSTATS‘s backdoor code is a multi-layer obfuscated, encoded, and compressed blob. 1917 POWERSTATS has used PowerShell code with custom string obfuscation 18
S0650 QakBot QakBot can use obfuscated and encoded scripts.2930
S0269 QUADAGENT QUADAGENT was likely obfuscated using Invoke-Obfuscation.2821
S0270 RogueRobin The PowerShell script with the RogueRobin payload was obfuscated using the COMPRESS technique in Invoke-Obfuscation.2221
G0034 Sandworm Team Sandworm Team has used ROT13 encoding, AES encryption and compression with the zlib library for their Python-based backdoor.54
S0450 SHARPSTATS SHARPSTATS has used base64 encoding and XOR to obfuscate PowerShell scripts.18
S0589 Sibot Sibot has obfuscated scripts used in execution.43
G0121 Sidewinder Sidewinder has used base64 encoding for scripts.5556
G0091 Silence Silence has used environment variable string substitution for obfuscation.51
S0390 SQLRat SQLRat has used a character insertion obfuscation technique, making the script appear to contain Chinese characters.41
G0092 TA505 TA505 has used base64 encoded PowerShell commands.7879
G0127 TA551 TA551 has used obfuscated variable names in a JavaScript configuration file.49
G0010 Turla Turla has used encryption (including salted 3DES via PowerSploit‘s Out-EncryptedScript.ps1), random variable names, and base64 encoding to obfuscate PowerShell commands and payloads.52
S0386 Ursnif Ursnif droppers execute base64 encoded PowerShell commands.24
G0102 Wizard Spider Wizard Spider used Base64 encoding to obfuscate an Empire service and PowerShell commands.5758
S0330 Zeus Panda Zeus Panda obfuscates the macro commands in its initial payload.23

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted.
M1040 Behavior Prevention on Endpoint On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.10

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Metadata
DS0012 Script Script Execution

References

  1. Ackroyd, R. (2023, March 24). Twitter. Retrieved March 24, 2023. 

  2. Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved March 17, 2023. 

  3. Bohannon, D. (2018, March 19). Invoke-DOSfuscation. Retrieved March 17, 2023. 

  4. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018. 

  5. Bromiley, M. (2016, December 27). Malware Monday: VBScript and VBE Files. Retrieved March 17, 2023. 

  6. Katz, O. (2020, October 26). Catch Me if You Can—JavaScript Obfuscation. Retrieved March 17, 2023. 

  7. LeFevre, A. (n.d.). Bashfuscator Command Obfuscators. Retrieved March 17, 2023. 

  8. Microsoft. (2023, February 8). about_PowerShell_exe: EncodedCommand. Retrieved March 17, 2023. 

  9. Red Canary. (n.d.). 2022 Threat Detection Report: PowerShell. Retrieved March 17, 2023. 

  10. Microsoft. (2023, February 22). Attack surface reduction (ASR) rules reference: Block execution of potentially obfuscated scripts. Retrieved March 17, 2023. 

  11. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. 

  12. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. 

  13. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  14. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020. 

  15. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  16. The Cylance Threat Research Team. (2017, March 22). El Machete’s Malware Attacks Cut Through LATAM. Retrieved September 13, 2019. 

  17. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. 

  18. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020. 

  19. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. 

  20. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. 

  21. Bohannon, D.. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017. 

  22. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018. 

  23. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018. 

  24. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019. 

  25. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. 

  26. Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021. 

  27. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  28. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. 

  29. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021. 

  30. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023. 

  31. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020. 

  32. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. 

  33. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019. 

  34. Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019. 

  35. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019. 

  36. Perez, D.. (2018, December 28). Analysis of the latest Emotet propagation campaign. Retrieved April 16, 2019. 

  37. Trend Micro. (2019, January 16). Exploring Emotet’s Activities . Retrieved March 25, 2019. 

  38. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. 

  39. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020. 

  40. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. 

  41. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019. 

  42. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  43. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. 

  44. Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020. 

  45. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020. 

  46. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022. 

  47. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020. 

  48. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020. 

  49. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020. 

  50. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. 

  51. Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019. 

  52. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019. 

  53. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. 

  54. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020. 

  55. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. 

  56. Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021. 

  57. Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020. 

  58. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. 

  59. Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020. 

  60. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018. 

  61. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018. 

  62. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. 

  63. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017. 

  64. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022. 

  65. Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019. 

  66. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. 

  67. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018. 

  68. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. 

  69. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 

  70. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. 

  71. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021. 

  72. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019. 

  73. ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020. 

  74. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018. 

  75. Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018. 

  76. Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022. 

  77. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. 

  78. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019. 

  79. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019. 

  80. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. 

  81. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. 

  82. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. 

  83. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. 

  84. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023. 

  85. Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023. 

  86. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022. 

  87. Adamitis, D. et al. (2019, June 4). It’s alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. 

  88. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. 

  89. Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.