Description
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., Phishing and Drive-by Compromise) or interactively via Command and Scripting Interpreter.(Citation: Akamai JS)(Citation: Malware Monday VBE)
For example, adversaries may abuse syntax that utilizes various symbols and escape characters (such as spacing, ^, +, $, and %) to make commands difficult to analyze while maintaining the same intended functionality.(Citation: RC PowerShell) Many languages support built-in obfuscation in the form of base64 or URL encoding.(Citation: Microsoft PowerShellB64) Adversaries may also manually implement command obfuscation via string splitting (“Wor”+“d.Application”), order and casing of characters (rev <<<'dwssap/cte/ tac'), globbing (mkdir -p '/tmp/:&$NiA'), as well as various tricks involving passing strings through tokens/environment variables/input streams.(Citation: Bashfuscator Command Obfuscators)(Citation: FireEye Obfuscation June 2017)
Adversaries may also use tricks such as directory traversals to obfuscate references to the binary being invoked by a command (C:\voi\pcw\..\..\Windows\tei\qs\k\..\..\..\system32\erool\..\wbem\wg\je\..\..\wmic.exe shadowcopy delete).(Citation: Twitter Richard WMIC)
Tools such as Invoke-Obfuscation and Invoke-DOSfucation have also been used to obfuscate commands.(Citation: Invoke-DOSfuscation)(Citation: Invoke-Obfuscation)
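A defender-side normaliser for the tricks described above, added here as an example (it is not part of the ATT&CK page or any of the cited tools): it decodes -EncodedCommand payloads from UTF-16LE, resolves directory-traversal paths to the binary actually invoked, and counts caret escapes, quoted-string joins and %VAR:~n,m% expansions over constructed sample command lines.

```python
import base64
import ntpath
import re

def analyze(cmdline: str) -> dict:
    """Return the obfuscation indicators found in one command line ({} if none)."""
    findings = {}
    # 1. cmd.exe caret escapes: '^' is dropped inside a token, so p^o^w^e^r^s^h^e^l^l
    #    still runs powershell while defeating a naive substring signature.
    carets = cmdline.count("^")
    if carets >= 3:
        findings["caret_escapes"] = carets
    # 2. Any abbreviation of -EncodedCommand followed by base64: the payload is
    #    UTF-16LE text, so decode it to recover the plaintext for matching.
    m = re.search(r"(?<!\S)-e[a-z]*\s+([A-Za-z0-9+/]{16,}={0,2})", cmdline, re.I)
    if m:
        try:
            findings["encoded_command"] = base64.b64decode(m.group(1)).decode("utf-16-le")
        except ValueError:  # bad base64 or not UTF-16 (e.g. a compressed payload)
            findings["encoded_command"] = "<undecodable>"
    # 3. Directory traversal in the program path: collapse '..' to see the real binary.
    program = cmdline.split(maxsplit=1)[0].strip('"')
    if ".." in program:
        findings["resolved_program"] = ntpath.normpath(program)
    # 4. String splitting such as "Wor"+"d.Application": adjacent quoted fragments.
    joins = re.findall(r"""["']\s*\+\s*["']""", cmdline)
    if joins:
        findings["string_joins"] = len(joins)
    # 5. cmd.exe substring expansion %VAR:~start,len%, used to assemble a command
    #    from characters of an environment variable.
    if re.search(r"%\w+:~-?\d+(?:,-?\d+)?%", cmdline):
        findings["env_substring_expansion"] = True
    return findings

# Constructed sample command lines (not from any real incident); SAMPLES[2] is the
# traversal path quoted in the technique description.
ENCODED = base64.b64encode("Write-Host 'hi'".encode("utf-16-le")).decode()
SAMPLES = [
    f"powershell.exe -NoP -w hidden -enc {ENCODED}",
    r"cmd.exe /c p^o^w^e^r^s^h^e^l^l -w hidden",
    r"C:\voi\pcw\..\..\Windows\tei\qs\k\..\..\..\system32\erool\..\wbem\wg\je\..\..\wmic.exe shadowcopy delete",
    "powershell -c \"$o=New-Object -ComObject ('Wor'+'d.Appl'+'ication')\"",
    r"cmd /c set x=powershell& %x:~0,10% -NoLogo",
    r"notepad.exe C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", analyze(line) or "clean")
```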
Platforms
Mitigations (2)
Behavior Prevention on Endpoint (M1040)
On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.(Citation: Microsoft ASR Obfuscation)
Antivirus/Antimalware (M1049)
Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after they have been processed/interpreted, i.e. once the obfuscation layers have been removed by the interpreter itself.
Threat Groups (29)
| ID | Group | Context |
|---|---|---|
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) has encoded PowerShell commands in Base64.(Citation: CrowdStrike AQUATIC PANDA December 2021) |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used ROT13 encoding, AES encryption and compression with the zlib library for their Python-... |
| G1001 | HEXANE | [HEXANE](https://attack.mitre.org/groups/G1001) has used Base64-encoded scripts.(Citation: Kaspersky Lyceum October 2021) |
| G0077 | Leafminer | [Leafminer](https://attack.mitre.org/groups/G0077) obfuscated scripts that were used on victim machines.(Citation: Symantec Leafminer July 2018) |
| G0080 | Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) obfuscated several scriptlets and code used on the victim’s machine, including through use of XO... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has encoded malicious PowerShell scripts using Base64.(Citation: Securonix Kimsuky February 2025) |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has obfuscated PowerShell scripts with Base64 encoding.(Citation: CISA Medusa Group Medusa Ranso... |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has base64 encoded scripts to avoid detection.(Citation: CISA AA20-259A Iran-Based Actor September... |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has used encoded PowerShell commands.(Citation: Visa FIN6 Feb 2019) |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) has used the `Invoke-Obfuscation` framework to obfuscate their PowerShell.(Citation: FireEye APT32 May ... |
| G1040 | Play | [Play](https://attack.mitre.org/groups/G1040) has used Base64-encoded PowerShell scripts for post exploit activities on compromised hosts.(Citation: T... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has used base64-encoded commands.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: Microsoft Ira... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) used Base64 encoding to obfuscate an [Empire](https://attack.mitre.org/software/S0363) service ... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts.(Citatio... |
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) has obfuscated a script with Crypto Obfuscator.(Citation: TrendMicro Patchwork Dec 2017) |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has encoded PowerShell commands.(Citation: Cycraft Chimera April 2020) |
| G0091 | Silence | [Silence](https://attack.mitre.org/groups/G0091) has used environment variable string substitution for obfuscation.(Citation: Cyber Forensicator Silen... |
| G0061 | FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has used environment variables and standard input (stdin) to obfuscate command-line arguments. [FIN8](ht... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has used fragmented strings, environment variables, standard input (stdin), and native character-replace... |
| G0127 | TA551 | [TA551](https://attack.mitre.org/groups/G0127) has used obfuscated variable names in a JavaScript configuration file.(Citation: Unit 42 Valak July 202... |
Associated Software (35)
| ID | Name | Type | Context |
|---|---|---|---|
| S1085 | Sardonic | Malware | [Sardonic](https://attack.mitre.org/software/S1085) PowerShell scripts can be encrypted with RC4 and compressed using Gzip.(Citation: Bitdefender Sard... |
| S0428 | PoetRAT | Malware | [PoetRAT](https://attack.mitre.org/software/S0428) has `pyminifier` to obfuscate scripts.(Citation: Talos PoetRAT October 2020) |
| S0451 | LoudMiner | Malware | [LoudMiner](https://attack.mitre.org/software/S0451) has obfuscated various scripts.(Citation: ESET LoudMiner June 2019) |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) has the ability to obfuscate commands using <code>Invoke-Obfuscation</code>.(Citation: Github PowerS... |
| S1022 | IceApple | Malware | [IceApple](https://attack.mitre.org/software/S1022) can use Base64 and "junk" JavaScript code to obfuscate information.(Citation: CrowdStrike IceApple... |
| S0685 | PowerPunch | Malware | [PowerPunch](https://attack.mitre.org/software/S0685) can use Base64-encoded scripts.(Citation: Microsoft Actinium February 2022) |
| S9014 | PHASEJAM | Malware | [PHASEJAM](https://attack.mitre.org/software/S9014) has encoded commands with Base64.(Citation: Google UNC5221 Ivanti January 2025) |
| S1081 | BADHATCH | Malware | [BADHATCH](https://attack.mitre.org/software/S1081) malicious PowerShell commands can be encoded with base64.(Citation: BitDefender BADHATCH Mar 2021)... |
| S0354 | Denis | Malware | [Denis](https://attack.mitre.org/software/S0354) has encoded its PowerShell commands in Base64.(Citation: Cybereason Cobalt Kitty 2017) |
| S0589 | Sibot | Malware | [Sibot](https://attack.mitre.org/software/S0589) has obfuscated scripts used in execution.(Citation: MSTIC NOBELIUM Mar 2021) |
| S0126 | ComRAT | Malware | [ComRAT](https://attack.mitre.org/software/S0126) has used encryption and base64 to obfuscate its orchestrator code in the Registry. [ComRAT](https://... |
| S0194 | PowerSploit | Tool | [PowerSploit](https://attack.mitre.org/software/S0194) contains a collection of ScriptModification modules that compress and encode scripts and payloa... |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) can use obfuscated and encoded scripts.(Citation: Cyberint Qakbot May 2021)(Citation: Trend Micro Bl... |
| S9029 | IronWind | Malware | [IronWind](https://attack.mitre.org/software/S9029) has used Base64 encoding and XOR encryption with the key “53” to obfuscate command strings.(Citati... |
| S0457 | Netwalker | Malware | [Netwalker](https://attack.mitre.org/software/S0457)'s PowerShell script has been obfuscated with multiple layers including base64 and hexadecimal enc... |
| S0673 | DarkWatchman | Malware | [DarkWatchman](https://attack.mitre.org/software/S0673) has used Base64 to encode PowerShell commands.(Citation: Prevailion DarkWatchman 2021) |
| S0269 | QUADAGENT | Malware | [QUADAGENT](https://attack.mitre.org/software/S0269) was likely obfuscated using `Invoke-Obfuscation`.(Citation: Unit 42 QUADAGENT July 2018)(Citation... |
| S0386 | Ursnif | Malware | [Ursnif](https://attack.mitre.org/software/S0386) droppers execute base64 encoded [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands... |
| S0270 | RogueRobin | Malware | The PowerShell script with the [RogueRobin](https://attack.mitre.org/software/S0270) payload was obfuscated using the COMPRESS technique in `Invoke-Ob... |
| S0462 | CARROTBAT | Malware | [CARROTBAT](https://attack.mitre.org/software/S0462) has the ability to execute obfuscated commands on the infected host.(Citation: Unit 42 CARROTBAT ... |
References
- Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12, 2024.
- Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved March 17, 2023.
- Bohannon, D. (2018, March 19). Invoke-DOSfuscation. Retrieved March 17, 2023.
- Bohannon, D. & Carr, N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
- Bromiley, M. (2016, December 27). Malware Monday: VBScript and VBE Files. Retrieved March 17, 2023.
- Katz, O. (2020, October 26). Catch Me if You Can—JavaScript Obfuscation. Retrieved March 17, 2023.
- LeFevre, A. (n.d.). Bashfuscator Command Obfuscators. Retrieved March 17, 2023.
- Microsoft. (2023, February 8). about_PowerShell_exe: EncodedCommand. Retrieved March 17, 2023.
- Red Canary. (n.d.). 2022 Threat Detection Report: PowerShell. Retrieved March 17, 2023.
Frequently Asked Questions
What is T1027.010 (Command Obfuscation)?
T1027.010 is a MITRE ATT&CK technique named 'Command Obfuscation'. It belongs to the Stealth tactic(s). Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signat...
How can T1027.010 be detected?
Detection of T1027.010 (Command Obfuscation) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1027.010?
There are 2 documented mitigations for T1027.010. Key mitigations include: Behavior Prevention on Endpoint, Antivirus/Antimalware.
Which threat groups use T1027.010?
Known threat groups using T1027.010 include: Aquatic Panda, Sandworm Team, HEXANE, Leafminer, Cobalt Group, Kimsuky, Medusa Group, Fox Kitten.