Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., Phishing and Drive-by Compromise) or interactively via Command and Scripting Interpreter. For example, adversaries may abuse syntax that utilizes various symbols and escape characters (such as spacing, `^`, `+`, `$`, and `%`) to make commands difficult to analyze while maintaining the same intended functionality. Many languages support built-in obfuscation in the form of base64 or URL encoding. Adversaries may also manually implement command obfuscation via string splitting (`"Wor"+"d.Application"`) or the order and casing of characters (`rev` ...). Invoke-Obfuscation and Invoke-DOSfucation have also been used to obfuscate commands.
Detection logic
Use behavior-focused telemetry and validate findings against surrounding activity.
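The description above names the concrete indicators that survive obfuscation: caret escapes in cmd.exe, `%VAR:~n,m%` environment-variable slicing, `"Wor"+"d.Application"` style string splitting, and base64-encoded PowerShell. The following is an added example (not code from the ATT&CK page or from any of the reports listed below) that scores process command lines on those indicators and normalizes the hits for analyst review. The sample command lines, the indicator weights, the threshold and the set of `-EncodedCommand` abbreviations are all constructed assumptions for the demo, not the output or tuning of any particular EDR product.

```python
"""Score command lines for the obfuscation indicators named in the technique
description and normalize hits for analyst display. Added example; the sample
lines, weights and threshold are constructed assumptions."""
import base64
import re
from typing import List, Optional

# cmd.exe escape character: "c^a^l^c" runs calc, but a plain substring match misses it
CARET_RE = re.compile(r"\^")
# %VAR:~start,len% substring expansion, used to assemble commands one character at a time
ENV_SLICE_RE = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*:~-?\d+,-?\d+%")
# "Wor"+"d.Application" style splitting of a short quoted fragment followed by +
CONCAT_RE = re.compile(r"""(["'])[^"']{1,8}\1\s*\+\s*(["'])""")
# PowerShell -EncodedCommand and the abbreviations assumed here (-e, -ec, -enc)
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind an -EncodedCommand argument, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def obfuscation_indicators(cmdline: str) -> dict:
    """Count each indicator separately so an analyst can see why a line scored."""
    return {
        "carets": len(CARET_RE.findall(cmdline)),
        "env_slices": len(ENV_SLICE_RE.findall(cmdline)),
        "string_concats": len(CONCAT_RE.findall(cmdline)),
        "encoded_command": decode_encoded_command(cmdline),
    }


def obfuscation_score(cmdline: str) -> int:
    """Assumed weights: a caret or two is normal (escaping & or |), a cluster is not."""
    ind = obfuscation_indicators(cmdline)
    score = 0
    if ind["carets"] >= 3:
        score += 2
    score += 2 * min(ind["env_slices"], 2)
    score += 2 * min(ind["string_concats"], 3)
    if ind["encoded_command"] is not None:
        score += 2
    return score


def deobfuscate(cmdline: str) -> str:
    """Best-effort normalization for display: undo caret escapes (so ^^ becomes ^)
    and replace an encoded payload with the decoded script. Env-var slices are
    left alone because resolving them needs the process environment."""
    text = re.sub(r"\^(.)", r"\1", cmdline)
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        # lambda avoids re.sub treating backslashes in the script as escapes
        text = ENC_RE.sub(lambda _m: f"-EncodedCommand [decoded: {decoded}]", text)
    return text


def flag_obfuscated(cmdlines: List[str], threshold: int = 2) -> List[dict]:
    """Return the lines at or above the (assumed) threshold with their evidence."""
    hits = []
    for cmdline in cmdlines:
        score = obfuscation_score(cmdline)
        if score >= threshold:
            hits.append({"cmdline": cmdline, "score": score,
                         "normalized": deobfuscate(cmdline),
                         "indicators": obfuscation_indicators(cmdline)})
    return hits


# Constructed sample command lines (not from any real incident or the page).
SAMPLE_COMMAND_LINES = [
    "cmd.exe /c ipconfig /all",                                   # benign baseline
    "cmd.exe /c c^a^l^c^.e^x^e",                                  # caret escapes
    "cmd.exe /c %COMSPEC:~0,1%%COMSPEC:~5,1% echo hi",            # env-var slicing, arbitrary indices
    'powershell.exe -c New-Object -ComObject ("Wor"+"d.Application")',  # string splitting
    # base64(UTF-16LE) of a harmless script, built here as a fixture
    "powershell.exe -NoP -enc "
    + base64.b64encode("Write-Host hello".encode("utf-16-le")).decode(),
]

if __name__ == "__main__":
    for hit in flag_obfuscated(SAMPLE_COMMAND_LINES):
        print(hit["score"], hit["normalized"])
```

The per-indicator counts are kept alongside the score so the triage note can say what fired; the weights and the threshold of 2 are starting points to tune against your own baseline of legitimate command lines, since admin scripts do legitimately use `-EncodedCommand` and short string concatenation.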
Observed actors
G0040 APT32
G0050 MuddyWater
G0069 FIN6
G0037 Gamaredon Group
G0047 Leafminer
G0077 FIN7
G0046 Sandworm Team
G0034 Sidewinder
G0121 Aquatic Panda
G0143 Turla
G0010 TA505
G0092 Chimera
G0114 TA551
G0127 Ember Bear
G1003 LazyScripter
G0140 Fox Kitten
G0117 GOLD SOUTHFIELD
G0115 Silence
G0091 Cobalt Group
G0080 Wizard Spider
G0102 Play
G1040 HEXANE
G1001 Magic Hound
G0059 FIN8
G0061 APT19
G0073
Correlated CTI and IR reports
1200km CTI repository · explicit report mention: Cyber Threat Intelligence Dossier: Iranian and Hamas-Aligned Operations Targeting Israeli and Allied Ecosystems (2023-2026)
Israel Threat Actors CTI · explicit report mention: ATT&CK as a Working Tool: Theory and Hands-On Practical Usage
1200km Medium · authored report mention