← Back to Explore
sigmamediumHunting
Potential Dosfuscation Activity
Detects possible payload obfuscation via the commandline
Detection Query
selection:
CommandLine|contains:
- ^^
- ^|^
- ",;,"
- ;;;;
- ;; ;;
- (,(,
- "%COMSPEC:~"
- " c^m^d"
- ^c^m^d
- " c^md"
- " cm^d"
- ^cm^d
- " s^et "
- " s^e^t "
- " se^t "
condition: selection
Author
frack113, Nasreddine Bencherchali (Nextron Systems)
Created
2022-02-15
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.executionattack.t1059
Raw Content
title: Potential Dosfuscation Activity
id: a77c1610-fc73-4019-8e29-0f51efc04a51
status: test
description: Detects possible payload obfuscation via the commandline
references:
- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf
- https://github.com/danielbohannon/Invoke-DOSfuscation
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-15
modified: 2023-03-06
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '^^'
- '^|^'
- ',;,'
- ';;;;'
- ';; ;;'
- '(,(,'
- '%COMSPEC:~'
- ' c^m^d'
- '^c^m^d'
- ' c^md'
- ' cm^d'
- '^cm^d'
- ' s^et '
- ' s^e^t '
- ' se^t '
# - '%%'
# - '&&'
# - '""'
condition: selection
falsepositives:
- Unknown
level: medium