| ID | Name |
|---|---|
| T1027.004 | Compile After Delivery |
| T1027.005 | Indicator Removal from Tools |
| T1027.007 | Dynamic API Resolution |
| T1027.012 | LNK Icon Smuggling |
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., Phishing and Drive-by Compromise) or interactively via Command and Scripting Interpreter.
For example, adversaries may abuse syntax that utilizes various symbols and escape characters (such as spacing, `%`) to make commands difficult to analyze while maintaining the same intended functionality. Many languages support built-in obfuscation in the form of base64 or URL encoding. Adversaries may also manually implement command obfuscation via string splitting (`"Wor"+"d.Application"`), order and casing of characters (`rev <<<'dwssap/cte/ tac'`), globbing (`mkdir -p '/tmp/:&$NiA'`), as well as various tricks involving passing strings through tokens, environment variables, or input streams.
Adversaries may also use tricks such as directory traversals to obfuscate references to the binary being invoked by a command (`C:\voi\pcw\..\..\Windows\tei\qs\k\..\..\..\system32\erool\..\wbem\wg\je\..\..\wmic.exe shadowcopy delete`).
Machete has used pyobfuscate, zlib compression, and base64 encoding for obfuscation. Machete has also used some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.
MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts. The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.
POWERSTATS uses character replacement, PowerShell environment variables, and XOR encoding to obfuscate code. POWERSTATS's backdoor code is a multi-layer obfuscated, encoded, and compressed blob. POWERSTATS has used PowerShell code with custom string obfuscation
Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted.
| ID | Mitigation | Description |
|---|---|---|
| M1040 | Behavior Prevention on Endpoint | On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| | | | Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., Also monitor command-lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding. Scripts containing obfuscated content may have higher entropy of characters/strings. |
| | | | Monitor executed scripts for indicators of obfuscation and potentially suspicious command syntax, such as uninterpreted escape characters (e.g., Also monitor commands within scripts for syntax-specific signs of obfuscation, such as encoded or otherwise unreadable blobs of characters. |
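As an added example of the detection guidance above (not code from the ATT&CK page or any referenced project), the following Python script scores command lines for the indicators the page lists: uninterpreted escape characters, encoded arguments, string splitting, directory traversal in the invoked path, and high entropy. The sample command lines are constructed (the traversal one is the page's own example), and the patterns and thresholds are assumptions to tune per environment.

```python
import base64
import math
import re

# Constructed sample command lines (not from the original page, except the
# traversal one, which is the page's own example). The encoded payload is a
# benign, locally generated UTF-16LE/base64 blob, as PowerShell -EncodedCommand expects.
ENCODED = base64.b64encode("Write-Output 'sample'".encode("utf-16le")).decode()
SAMPLE_COMMANDS = [
    r"C:\Windows\System32\wbem\wmic.exe shadowcopy list",
    r"C:\voi\pcw\..\..\Windows\tei\qs\k\..\..\..\system32\erool\..\wbem\wg\je\..\..\wmic.exe shadowcopy delete",
    f"powershell.exe -nop -w hidden -enc {ENCODED}",
    "cmd.exe /c p^o^w^e^r^s^h^e^l^l -c \"('Wor'+'d.Application')\"",
]

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded or randomised strings score higher than plain commands."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

# Each check is named after the indicator it reports. Patterns and thresholds are
# assumptions to tune per environment, not values taken from the page.
CHECKS = [
    # three or more cmd.exe caret escapes inside one argument (uninterpreted escape chars)
    ("caret_escapes", re.compile(r"(\^[^\s^]*){3,}")),
    # any -e/-enc/-EncodedCommand style prefix followed by a long base64-looking blob
    ("encoded_arg", re.compile(r"(?i)-e[a-z]*\s+[A-Za-z0-9+/=]{40,}")),
    # quoted fragments joined with '+', e.g. "Wor"+"d.Application"
    ("string_split", re.compile(r"""['"][^'"]*['"]\s*\+\s*['"]""")),
    # repeated ..\ or ../ hops used to disguise the binary actually invoked
    ("path_traversal", re.compile(r"([\\/]\.\.){2,}")),
]

def analyze(cmdline: str, entropy_threshold: float = 4.8) -> list:
    """Return the names of the obfuscation indicators that fire for one command line."""
    hits = [name for name, rx in CHECKS if rx.search(cmdline)]
    # Entropy is measured on the longest whitespace-free token, so one encoded blob
    # stands out even inside an otherwise ordinary command.
    tokens = cmdline.split()
    longest = max(tokens, key=len) if tokens else ""
    if len(longest) >= 40 and shannon_entropy(longest) >= entropy_threshold:
        hits.append("high_entropy")
    return hits

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(f"{analyze(cmd) or ['clean']}: {cmd[:70]}")
```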