Obfuscated Files or Information: Command Obfuscation (T1027.010)
Tactic: Stealth · Platforms: Linux, macOS, Windows
The interactive view maps 1 detection strategy, 2 mitigations, 29 threat groups, 35 software entries, 6 campaigns to this technique, alongside D3FEND countermeasures and data-component coverage.
Sub-technique of Obfuscated Files or Information (T1027).
Overview
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., Phishing and Drive-by Compromise) or interactively via Command and Scripting Interpreter.
For example, adversaries may abuse syntax that utilizes various symbols and escape characters (such as spacing, `^`, `+`. `
Adversaries may also use tricks such as directory traversals to obfuscate references to the binary being invoked by a command (`C:\voi\pcw\..\..\Windows\tei\qs\k\..\..\..\system32\erool\..\wbem\wg\je\..\..\wmic.exe shadowcopy delete`).
Tools such as Invoke-Obfuscation and Invoke-DOSfucation have also been used to obfuscate commands.