Detection of command-line activity exhibiting syntactic obfuscation patterns, such as excessive escape characters, base64 encoding, command concatenation, or outlier command length and entropy.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |

| Field | Description |
|---|---|
| CommandLineEntropyThreshold | Used to flag base64 or token-heavy command-line strings |
| SuspiciousCharacterCount | Escape character and symbol frequency in command-line strings |
| TimeWindow | Window between command execution and follow-up child or file write behavior |
Detection of shell commands that leverage encoded execution, command chaining, excessive piping, or unusual token patterns indicative of obfuscation.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Command Execution (DC0064) | linux:osquery | process_events.command_line |

| Field | Description |
|---|---|
| CommandLineTokenCount | Tuning value for token or argument count in shell invocations |
| EncodedExecRegex | Environment-specific regex patterns for encoded or eval'd command lines |
| GlobPatternAnomalies | Shell-specific globbing or directory traversal string detection |
Detection of obfuscated commands via shell, osascript, or AppleScript interpreters using unusual tokens, encoding, variable substitution, or runtime string reconstruction.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | process:spawn, process:exec |
| Process Creation (DC0032) | macos:endpointsecurity | ES_EVENT_TYPE_NOTIFY_EXEC |

| Field | Description |
|---|---|
| InterpreterParentFilter | Limits detection scope to shell or scripting interpreters like zsh, bash, osascript |
| ScriptEntropyThreshold | Minimum entropy required to consider the command or script obfuscated |
| ArgumentLengthDeviation | Deviation from baseline for long or highly nested arguments |
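The entropy, suspicious-character, token-count and encoded-execution fields tuned in the three tables above, implemented as one scoring function over a command-line string. This is an added example, not code from the detection strategy itself; the threshold values, the regex patterns behind EncodedExecRegex and the sample command lines are assumptions constructed for the illustration.

```python
import base64
import math
import re
from collections import Counter

# Starting values for the tunable fields in the tables above (assumed, not tuned for any environment).
ENTROPY_THRESHOLD = 4.5        # CommandLineEntropyThreshold / ScriptEntropyThreshold
SUSPICIOUS_CHAR_THRESHOLD = 8  # SuspiciousCharacterCount
TOKEN_COUNT_THRESHOLD = 25     # CommandLineTokenCount
SUSPICIOUS_CHARS = set('^`"\'$%{}|&;()\\')  # escape, chaining, piping and substitution symbols
# EncodedExecRegex: encoded or eval'd execution across PowerShell, POSIX shells and osascript (assumed patterns).
ENCODED_EXEC_REGEX = re.compile(
    r"(?i)-enc(?:odedcommand)?\s+[A-Za-z0-9+/=]{20,}|base64\s+(?:-d|--decode)"
    r"|\beval\s*[(\s]|\$\([^)]*\)|osascript\s+-e"
)

def shannon_entropy(text):
    # Bits per character; base64 or token-heavy strings sit well above ordinary command lines.
    n = len(text) or 1  # an empty string scores 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def score_command_line(cmd):
    """Measure the fields from the tables above and return (metrics, names of thresholds tripped)."""
    metrics = {
        "entropy": shannon_entropy(cmd),
        "suspicious_chars": sum(ch in SUSPICIOUS_CHARS for ch in cmd),
        "token_count": len(cmd.split()),
        "encoded_exec": ENCODED_EXEC_REGEX.search(cmd) is not None,
    }
    hits = [name for name, tripped in (
        ("CommandLineEntropyThreshold", metrics["entropy"] >= ENTROPY_THRESHOLD),
        ("SuspiciousCharacterCount", metrics["suspicious_chars"] >= SUSPICIOUS_CHAR_THRESHOLD),
        ("CommandLineTokenCount", metrics["token_count"] >= TOKEN_COUNT_THRESHOLD),
        ("EncodedExecRegex", metrics["encoded_exec"]),
    ) if tripped]
    return metrics, hits

# Constructed sample command lines (one per platform plus a benign control); the encoded payload is harmless.
ENCODED_PS = base64.b64encode("Write-Host hello".encode("utf-16le")).decode()
SAMPLES = {
    "benign": "ipconfig /all",
    "windows": f"powershell.exe -NoP -W Hidden -Enc {ENCODED_PS}",
    "linux": 'bash -c "$(echo aGVsbG8= | base64 -d)"',
    "macos": "osascript -e 'do shell script \"echo hi\"'",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        metrics, hits = score_command_line(cmd)
        print(f"{name:8} entropy={metrics['entropy']:.2f} hits={hits or '-'}")
```

In production the thresholds are baselined per host or interpreter (the InterpreterParentFilter and ArgumentLengthDeviation fields) rather than fixed constants, and a single tripped threshold is a scoring signal, not an alert on its own.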