Obfuscated Files or Information: Command Obfuscation

Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., Phishing and Drive-by Compromise) or interactively via Command and Scripting Interpreter.[1][2]

For example, adversaries may abuse syntax that utilizes various symbols and escape characters (such as spacing, ^, +. $, and %) to make commands difficult to analyze while maintaining the same intended functionality.[3] Many languages support built-in obfuscation in the form of base64 or URL encoding.[4] Adversaries may also manually implement command obfuscation via string splitting ("Wor"+"d.Application"), order and casing of characters (rev <<<'dwssap/cte/ tac'), globing (mkdir -p '/tmp/:&$NiA'), as well as various tricks involving passing strings through tokens/environment variables/input streams.[5][6]

Adversaries may also use tricks such as directory traversals to obfuscate references to the binary being invoked by a command (C:\voi\pcw\..\..\Windows\tei\qs\k\..\..\..\system32\erool\..\wbem\wg\je\..\..\wmic.exe shadowcopy delete).[7]

Tools such as Invoke-Obfuscation and Invoke-DOSfucation have also been used to obfuscate commands.[8][9]

ID: T1027.010
Sub-technique of:  T1027
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: George Thomas; Tim Peck; TruKno
Version: 1.0
Created: 14 March 2023
Last Modified: 24 March 2023

Procedure Examples

ID Name Description
G0073 APT19

APT19 used Base64 to obfuscate executed commands.[10]

G0050 APT32

APT32 has used the Invoke-Obfuscation framework to obfuscate their PowerShell.[11][12][13]

G0143 Aquatic Panda

Aquatic Panda has encoded PowerShell commands in Base64.[14]

S0373 Astaroth

Astaroth has obfuscated and randomized parts of the JScript code it is initiating.[15]

S0475 BackConfig

BackConfig has used compressed and decimal encoded VBS scripts.[16]

S1081 BADHATCH

BADHATCH malicious PowerShell commands can be encoded with base64.[17]

C0018 C0018

During C0018, the threat actors used Base64 to encode their PowerShell scripts.[18][19]

C0021 C0021

During C0021, the threat actors used encoded PowerShell commands.[20][21]

S0462 CARROTBAT

CARROTBAT has the ability to execute obfuscated commands on the infected host.[22]

G0114 Chimera

Chimera has encoded PowerShell commands.[23]

G0080 Cobalt Group

Cobalt Group obfuscated several scriptlets and code used on the victim’s machine, including through use of XOR and RC4.[24][25]

S0126 ComRAT

ComRAT has used encryption and base64 to obfuscate its orchestrator code in the Registry. ComRAT has also used encoded PowerShell scripts.[26][27]

S0492 CookieMiner

CookieMiner has used base64 encoding to obfuscate scripts on the system.[28]

S0673 DarkWatchman

DarkWatchman has used Base64 to encode PowerShell commands.[29]

S0354 Denis

Denis has encoded its PowerShell commands in Base64.[13]

G1003 Ember Bear

Ember Bear has obfuscated malicious scripts to help avoid detection.[30]

S0367 Emotet

Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts. [31][32][33][34]

S0363 Empire

Empire has the ability to obfuscate commands using Invoke-Obfuscation.[35]

G0037 FIN6

FIN6 has used encoded PowerShell commands.[36]

G0046 FIN7

FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.[6][37][38]

G0061 FIN8

FIN8 has used environment variables and standard input (stdin) to obfuscate command-line arguments. FIN8 also obfuscates malicious macros delivered as payloads.[6][39][40]

G0117 Fox Kitten

Fox Kitten has base64 encoded scripts to avoid detection.[41]

C0001 Frankenstein

During Frankenstein, the threat actors ran encoded commands from the command line.[42]

S0277 FruitFly

FruitFly executes and stores obfuscated Perl scripts.[43]

G0047 Gamaredon Group

Gamaredon Group has used obfuscated or encrypted scripts.[44][45]

G0115 GOLD SOUTHFIELD

GOLD SOUTHFIELD has executed base64 encoded PowerShell scripts on compromised hosts.[46]

G1001 HEXANE

HEXANE has used Base64-encoded scripts.[47]

S1022 IceApple

IceApple can use Base64 and "junk" JavaScript code to obfuscate information.[48]

S0669 KOCTOPUS

KOCTOPUS has obfuscated scripts with the BatchEncryption tool.[49]

G0140 LazyScripter

LazyScripter has leveraged the BatchEncryption tool to perform advanced batch script obfuscation and encoding techniques.[49]

G0077 Leafminer

Leafminer obfuscated scripts that were used on victim machines.[50]

S0451 LoudMiner

LoudMiner has obfuscated various scripts.[51]

S0409 Machete

Machete has used pyobfuscate, zlib compression, and base64 encoding for obfuscation. Machete has also used some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.[52][53]

G0059 Magic Hound

Magic Hound has used base64-encoded commands.[54][55]

G0069 MuddyWater

MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts.[56][12] The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.[56][57][58][59][60][61][62]

S0457 Netwalker

Netwalker's PowerShell script has been obfuscated with multiple layers including base64 and hexadecimal encoding and XOR-encryption, as well as obfuscated PowerShell functions and variables.[63][64]

C0012 Operation CuckooBees

During Operation CuckooBees, the threat actors executed an encoded VBScript file.[65]

C0014 Operation Wocao

During Operation Wocao, threat actors executed PowerShell commands which were encoded or compressed using Base64, zlib, and XOR.[66]

G0040 Patchwork

Patchwork has obfuscated a script with Crypto Obfuscator.[67]

S0428 PoetRAT

PoetRAT has pyminifier to obfuscate scripts.[68]

S0685 PowerPunch

PowerPunch can use Base64-encoded scripts.[45]

S0194 PowerSploit

PowerSploit contains a collection of ScriptModification modules that compress and encode scripts and payloads.[69][70]

S0223 POWERSTATS

POWERSTATS uses character replacement, PowerShell environment variables, and XOR encoding to obfuscate code. POWERSTATS's backdoor code is a multi-layer obfuscated, encoded, and compressed blob. [57][71] POWERSTATS has used PowerShell code with custom string obfuscation [72]

S0650 QakBot

QakBot can use obfuscated and encoded scripts.[73][74]

S0269 QUADAGENT

QUADAGENT was likely obfuscated using Invoke-Obfuscation.[75][12]

S0270 RogueRobin

The PowerShell script with the RogueRobin payload was obfuscated using the COMPRESS technique in Invoke-Obfuscation.[76][12]

G0034 Sandworm Team

Sandworm Team has used ROT13 encoding, AES encryption and compression with the zlib library for their Python-based backdoor.[77]

S1085 Sardonic

Sardonic PowerShell scripts can be encrypted with RC4 and compressed using Gzip.[78]

S0450 SHARPSTATS

SHARPSTATS has used base64 encoding and XOR to obfuscate PowerShell scripts.[72]

S0589 Sibot

Sibot has obfuscated scripts used in execution.[79]

G0121 Sidewinder

Sidewinder has used base64 encoding for scripts.[80][81]

G0091 Silence

Silence has used environment variable string substitution for obfuscation.[82]

S0390 SQLRat

SQLRat has used a character insertion obfuscation technique, making the script appear to contain Chinese characters.[83]

G0092 TA505

TA505 has used base64 encoded PowerShell commands.[84][85]

G0127 TA551

TA551 has used obfuscated variable names in a JavaScript configuration file.[86]

G0010 Turla

Turla has used encryption (including salted 3DES via PowerSploit's Out-EncryptedScript.ps1), random variable names, and base64 encoding to obfuscate PowerShell commands and payloads.[87]

S0386 Ursnif

Ursnif droppers execute base64 encoded PowerShell commands.[88]

G0102 Wizard Spider

Wizard Spider used Base64 encoding to obfuscate an Empire service and PowerShell commands.[89][90]

S0330 Zeus Panda

Zeus Panda obfuscates the macro commands in its initial payload.[91]

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware

Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted.

M1040 Behavior Prevention on Endpoint

On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.[92]

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., ^).

Also monitor command-lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding.

DS0022 File File Metadata

Scripts containing obfuscated content may have higher entropy of characters/strings.

DS0012 Script Script Execution

Monitor executed scripts for indicators of obfuscation and potentially suspicious command syntax, such as uninterpreted escape characters (e.g., ^).

Also monitor commands within scripts for syntax-specific signs of obfuscation, such as encoded or otherwise unreadable blobs of characters.

References

  1. Katz, O. (2020, October 26). Catch Me if You Can—JavaScript Obfuscation. Retrieved March 17, 2023.
  2. Bromiley, M. (2016, December 27). Malware Monday: VBScript and VBE Files. Retrieved March 17, 2023.
  3. Red Canary. (n.d.). 2022 Threat Detection Report: PowerShell. Retrieved March 17, 2023.
  4. Microsoft. (2023, February 8). about_PowerShell_exe: EncodedCommand. Retrieved March 17, 2023.
  5. LeFevre, A. (n.d.). Bashfuscator Command Obfuscators. Retrieved March 17, 2023.
  6. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  7. Ackroyd, R. (2023, March 24). Twitter. Retrieved March 24, 2023.
  8. Bohannon, D. (2018, March 19). Invoke-DOSfuscation. Retrieved March 17, 2023.
  9. Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved March 17, 2023.
  10. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  11. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  12. Bohannon, D.. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017.
  13. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  14. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
  15. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  16. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  17. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
  18. Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.
  19. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
  20. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
  21. Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.
  22. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.
  23. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
  24. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  25. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  26. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  27. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
  28. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  29. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  30. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  31. Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.
  32. Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.
  33. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
  34. Perez, D.. (2018, December 28). Analysis of the latest Emotet propagation campaign. Retrieved April 16, 2019.
  35. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  36. Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.
  37. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  38. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  39. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  40. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
  41. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  42. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  43. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  44. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  45. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  46. Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020.
  1. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  2. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
  3. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  4. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  5. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
  6. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  7. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  8. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  9. MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
  10. Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
  11. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  12. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  13. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
  14. ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
  15. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  16. Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.
  17. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
  18. Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
  19. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  20. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  21. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  22. Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021.
  23. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  24. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  25. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  26. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  27. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
  28. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
  29. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  30. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  31. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  32. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
  33. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  34. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  35. Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.
  36. Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.
  37. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  38. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
  39. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
  40. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  41. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  42. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
  43. Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
  44. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  45. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.
  46. Microsoft. (2023, February 22). Attack surface reduction (ASR) rules reference: Block execution of potentially obfuscated scripts. Retrieved March 17, 2023.