Detects possible payload obfuscation via the commandline
title: Potential Dosfuscation Activity
id: a77c1610-fc73-4019-8e29-0f51efc04a51
status: test
description: Detects possible payload obfuscation via the commandline
references:
- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf
- https://github.com/danielbohannon/Invoke-DOSfuscation
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-15
modified: 2023-03-06
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '^^'
- '^|^'
- ',;,'
- ';;;;'
- ';; ;;'
- '(,(,'
- '%COMSPEC:~'
- ' c^m^d'
- '^c^m^d'
- ' c^md'
- ' cm^d'
- '^cm^d'
- ' s^et '
- ' s^e^t '
- ' se^t '
# - '%%'
# - '&&'
# - '""'
condition: selection
falsepositives:
- Unknown
level: medium
imProcessCreate
| where TargetProcessCommandLine contains "^^" or TargetProcessCommandLine contains "^|^" or TargetProcessCommandLine contains ",;," or TargetProcessCommandLine contains ";;;;" or TargetProcessCommandLine contains ";; ;;" or TargetProcessCommandLine contains "(,(," or TargetProcessCommandLine contains "%COMSPEC:~" or TargetProcessCommandLine contains " c^m^d" or TargetProcessCommandLine contains "^c^m^d" or TargetProcessCommandLine contains " c^md" or TargetProcessCommandLine contains " cm^d" or TargetProcessCommandLine contains "^cm^d" or TargetProcessCommandLine contains " s^et " or TargetProcessCommandLine contains " s^e^t " or TargetProcessCommandLine contains " se^t "| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |