Obfuscated Commands - Command Shell

Detecting obfuscation in the command shell is relatively straightforward, but there are a lot of variations to consider when you're developing detection coverage. The process you're looking for will always be cmd.exe, but the corresponding command line can contain a variety of suspicious characters (carets, equals signs, percent signs, exclamation marks, brackets, parentheses and semicolons in the rule below). The trick is finding the thresholds where the inclusion of obfuscation characters goes from normal, to anomalous but benign, to suspicious enough to warrant alerting. The following pseudo-detection logic offers a good starting point for developing detection coverage for obfuscation in the command line. Part of the RedCanary 2024 Threat Detection Report.

Sigma rule

```yaml
title: Obfuscated Commands - Command Shell
id: b58b6c4b-0f79-407e-b2ab-76de16a6cd79
status: experimental
description: |
    Detecting obfuscation in the command shell is relatively straightforward, but
    there are a lot of variations to consider when you're developing detection
    coverage. Of course, the process you're looking for will always be cmd.exe,
    but the corresponding command line can contain a variety of suspicious characters.
    The trick is finding the thresholds where the inclusion of obfuscation characters
    goes from normal to anomalous (but benign) to suspicious enough to warrant alerting.
    The following pseudo-detection logic offers a good starting point for developing
    detection coverage for obfuscation in the command line. Part of the RedCanary 2024
    Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1059
    - attack.t1059.003
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        # regex below looks for eight or more total instances of the suspicious characters
        # (note that a plain space is one of them)
        CommandLine|re: '^([^^=%![(; ]*[\^=%![(; ]){8,}[^^=%![(; ]*$'
    condition: selection
falsepositives:
    - Unknown
level: low
```
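To see what the regex actually fires on, here is an added example (not part of the rule or the Red Canary report) that applies the rule's selection to a few constructed process-creation events in Python. The `\cmd.exe` check and the regex are taken from the rule above; the sample events, the `ProcessEvent` class and the `build_pattern`, `suspicious_char_count`, `matches_rule` and `evaluate` helpers are assumptions of the example, and `build_pattern` exists only so you can try thresholds other than the rule's `{8,}`.

```python
"""Evaluate the Sigma rule's selection against constructed process-creation events.

Added example: the events below are made up, and the helpers mirror the rule's
selection (Image|endswith '\\cmd.exe' AND CommandLine|re) rather than being
Sigma or Red Canary code.
"""
import re
from dataclasses import dataclass

# The characters the rule's regex treats as obfuscation indicators. The class
# includes a plain space, so every argument separator counts toward the total.
OBFUSCATION_CHARS = set('^=%![(; ')


def build_pattern(min_count: int = 8) -> re.Pattern:
    """Rebuild the rule's CommandLine|re value for a given threshold.

    With min_count=8 this is exactly the pattern in the rule; other values let
    you experiment with the threshold the description talks about.
    """
    return re.compile(r'^([^^=%![(; ]*[\^=%![(; ]){' + str(min_count) + r',}[^^=%![(; ]*$')


def suspicious_char_count(command_line: str) -> int:
    """Plain count of the same characters, to explain why a line matched or not."""
    return sum(1 for c in command_line if c in OBFUSCATION_CHARS)


def matches_rule(image: str, command_line: str, min_count: int = 8) -> bool:
    """Apply the rule's selection: Image ends with \\cmd.exe AND the regex hits."""
    # Sigma's endswith modifier is case-insensitive; the re modifier is not.
    if not image.lower().endswith('\\cmd.exe'):
        return False
    return build_pattern(min_count).search(command_line) is not None


@dataclass
class ProcessEvent:
    image: str
    command_line: str


CMD = r'C:\Windows\System32\cmd.exe'
PS = r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Ordinary invocation: 3 spaces and nothing else, below the threshold.
    ProcessEvent(CMD, r'cmd.exe /c dir C:\Users'),
    # Caret-split tokens plus variable expansion: 5 '^', 1 '=', 2 '%', 5 spaces = 13.
    ProcessEvent(CMD, 'cmd.exe /c s^e^t x=hello&&c^a^l^l echo %x%'),
    # Benign but verbose for-loop: 10 spaces, 1 '=', 2 '%', 1 '(' = 14, also fires.
    ProcessEvent(CMD, 'cmd.exe /c for /f "tokens=1" %i in (file.txt) do echo %i'),
    # Same character density under powershell.exe: the Image selection does not apply.
    ProcessEvent(PS, 'powershell.exe -c "$a=1;$b=2;$c=3;$d=4;$e=5;$f=6"'),
]


def evaluate(events=SAMPLE_EVENTS, min_count: int = 8):
    """Return (command_line, suspicious-character count, fired) for each event."""
    return [(e.command_line,
             suspicious_char_count(e.command_line),
             matches_rule(e.image, e.command_line, min_count))
            for e in events]


if __name__ == '__main__':
    for cmdline, count, fired in evaluate():
        print(f'{"ALERT" if fired else "  -  "} count={count:2d}  {cmdline}')
```

Two things worth noticing when you run it. First, because a space is in the character class, the count is dominated by argument separators, so any cmd.exe line with eight or more tokens fires regardless of carets or percent signs; that is why the third event, a harmless `for /f` loop, alerts alongside the genuinely obfuscated second one, and why the rule ships at `level: low`. Second, the threshold is the only knob: raising `min_count` in `build_pattern` to 14 drops the caret-split example while keeping the for-loop, which is the kind of trade-off the description's "normal, anomalous but benign, suspicious" framing is asking you to measure against your own telemetry.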
