T1027.010

Command Obfuscation

Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https:/...

Platforms: Linux, macOS, Windows

31 detections, 4 sources, 28 threat actors

BY SOURCE

elastic (23), sigma (6), crowdstrike_cql (1), splunk_escu (1)

PROCEDURES (19)

Auto-extracted keyword groups, with the number of detections tagged for each keyword:

amsi (4 detections)
bypass (4 detections)
registry (2 detections)
script block (2 detections)
obfuscat (2 detections)
http (2 detections)
token (2 detections)
base64 (2 detections)
token (1 detection)
suspicious (1 detection)
command line monitoring (1 detection)
base64 (1 detection)
script execution monitoring (1 detection)
obfuscat (1 detection)
obfuscat (1 detection)
amsi (1 detection)
suspicious (1 detection)
phish (1 detection)
unusual (1 detection)

DETECTIONS (31)

Each entry lists the rule name followed by its source and, where the source assigns one, its severity.

Command Line Obfuscation via Whitespace Padding (elastic, medium)
Command Obfuscation via Unicode Modifier Letters (elastic, high)
Decoded Payload Piped to Interpreter Detected via Defend for Containers (elastic, high)
Deprecated - Potential PowerShell Obfuscated Script (elastic, low)
Dynamic IEX Reconstruction via Method String Access (elastic, low)
Multi-Base64 Decoding Attempt from Suspicious Location (elastic, medium)
Obfuscated PowerShell MSI Install via WindowsInstaller COM (sigma, high)
Potential Antimalware Scan Interface Bypass via PowerShell (elastic, high)
Potential Dynamic IEX Reconstruction via Environment Variables (elastic, medium)
Potential Hex Payload Execution via Command-Line (elastic, low)
Potential Obfuscated Ordinal Call Via Rundll32 (sigma, medium)
Potential PowerShell Obfuscated Script via High Entropy (elastic, low)
Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion (elastic, high)
Potential PowerShell Obfuscation via Character Array Reconstruction (elastic, high)
Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation (elastic, high)
Potential PowerShell Obfuscation via High Numeric Character Proportion (elastic, low)
Potential PowerShell Obfuscation via Invalid Escape Sequences (elastic, medium)
Potential PowerShell Obfuscation via Reverse Keywords (elastic, low)
Potential PowerShell Obfuscation via Special Character Overuse (elastic, medium)
Potential PowerShell Obfuscation via String Concatenation (elastic, high)
Potential PowerShell Obfuscation via String Reordering (elastic, medium)
Powershell Command Length Anomaly Detection (crowdstrike_cql)
PowerShell Obfuscation via Negative Index String Reversal (elastic, low)
Suspicious Execution with NodeJS (elastic, high)
Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix (sigma, high)
Suspicious Powershell Script (elastic, low)
Suspicious Space Characters in RunMRU Registry Path - ClickFix (sigma, high)
Suspicious Space Characters in TypedPaths Registry Path - FileFix (sigma, high)
Suspicious Usage of For Loop with Recursive Directory Search in CMD (sigma, medium)
Suspicious Windows Powershell Arguments (elastic, medium)
Windows PowerShell Process Implementing Manual Base64 Decoder (splunk_escu)