Potential Dosfuscation Activity

Detects possible payload obfuscation via the commandline

Sigma rule

title: Potential Dosfuscation Activity
id: a77c1610-fc73-4019-8e29-0f51efc04a51
status: test
description: Detects possible payload obfuscation via the commandline
references:
    - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf
    - https://github.com/danielbohannon/Invoke-DOSfuscation
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022/02/15
modified: 2023/03/06
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '^^'
            - '^|^'
            - ',;,'
            - ';;;;'
            - ';; ;;'
            - '(,(,'
            - '%COMSPEC:~'
            - ' c^m^d'
            - '^c^m^d'
            - ' c^md'
            - ' cm^d'
            - '^cm^d'
            - ' s^et '
            - ' s^e^t '
            - ' se^t '
            # - '%%'
            # - '&&'
            # - '""'
    condition: selection
falsepositives:
    - Unknown
level: medium
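As an added example (not part of the rule page or of SigmaHQ's own code), the following Python evaluator applies this rule's single `selection` to a few constructed process_creation events. It assumes Sigma's default case-insensitive matching for string values and treats the `contains` modifier as a plain substring test (no regex); the `logsource` check is modelled as a product/category filter on the event, and the sample events are constructed for illustration, not real telemetry.

```python
# Added example: a minimal evaluator for the "Potential Dosfuscation Activity"
# selection. Assumptions: Sigma string matching is case-insensitive by default,
# and `contains` is a plain substring test. Events are constructed dicts whose
# field names mirror the rule (CommandLine) plus the logsource attributes.

# The fifteen active patterns from the rule's CommandLine|contains list.
# The three commented-out values ('%%', '&&', '""') are deliberately absent:
# they are common in legitimate batch files and would be noisy.
DOSFUSCATION_PATTERNS = [
    '^^', '^|^', ',;,', ';;;;', ';; ;;', '(,(,', '%COMSPEC:~',
    ' c^m^d', '^c^m^d', ' c^md', ' cm^d', '^cm^d',
    ' s^et ', ' s^e^t ', ' se^t ',
]


def matching_patterns(command_line):
    """Return the rule patterns present in command_line (case-insensitive substring)."""
    haystack = command_line.lower()
    return [p for p in DOSFUSCATION_PATTERNS if p.lower() in haystack]


def is_dosfuscation_candidate(event):
    """Apply the rule: logsource must be windows/process_creation and the selection must hit."""
    if event.get("product") != "windows" or event.get("category") != "process_creation":
        return False
    return bool(matching_patterns(event.get("CommandLine", "")))


def evaluate(events):
    """Return (event index, matched patterns) for every event that fires the rule."""
    hits = []
    for index, event in enumerate(events):
        if is_dosfuscation_candidate(event):
            hits.append((index, matching_patterns(event["CommandLine"])))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Caret inserted into "set": matches ' s^et '.
    {"product": "windows", "category": "process_creation",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c s^et foo=bar"},
    # Substring expansion of %COMSPEC%: matches '%COMSPEC:~' regardless of case.
    {"product": "windows", "category": "process_creation",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'CMD /C "%COMSPEC:~0,3%"'},
    # Ordinary batch chaining; '&&' is commented out in the rule, so no hit.
    {"product": "windows", "category": "process_creation",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo hello && dir"},
    # Unrelated benign process.
    {"product": "windows", "category": "process_creation",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    # Same command line as the first event but wrong logsource: filtered out.
    {"product": "linux", "category": "process_creation",
     "Image": "/bin/sh",
     "CommandLine": "cmd /c s^et foo=bar"},
]


if __name__ == "__main__":
    for index, patterns in evaluate(SAMPLE_EVENTS):
        print(f"event {index}: {SAMPLE_EVENTS[index]['CommandLine']!r} -> {patterns}")
```

Running the block reports hits for the first two sample events only. The list form of `matching_patterns` is useful in a SIEM context because surfacing which pattern fired (a lone `'^^'` versus `' s^et '`) is what an analyst needs to triage the `Unknown` false-positive class the rule declares.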
