rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml

title: Potential Dosfuscation Activity
id: a77c1610-fc73-4019-8e29-0f51efc04a51
status: test
description: Detects possible payload obfuscation via the commandline
references:
    - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf
    - https://github.com/danielbohannon/Invoke-DOSfuscation
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-15
modified: 2023-03-06
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '^^'
            - '^|^'
            - ',;,'
            - ';;;;'
            - ';; ;;'
            - '(,(,'
            - '%COMSPEC:~'
            - ' c^m^d'
            - '^c^m^d'
            - ' c^md'
            - ' cm^d'
            - '^cm^d'
            - ' s^et '
            - ' s^e^t '
            - ' se^t '
            # - '%%'
            # - '&&'
            # - '""'
    condition: selection
falsepositives:
    - Unknown
level: medium
feat: update cmd based rules 2023-03-07 14:13:57 +01:00			`title: Potential Dosfuscation Activity`
$frack113$ add win_pc_cmd_dosfuscation 2022-02-15 17:58:39 +01:00			`id: a77c1610-fc73-4019-8e29-0f51efc04a51`
chore: promote older rules status from `experimental` to `test` (#4651 ) 2024-01-01 09:00:51 +01:00			`status: test`
New+Update 2022-09-02 09:15:21 +02:00			`description: Detects possible payload obfuscation via the commandline`
$frack113$ add win_pc_cmd_dosfuscation 2022-02-15 17:58:39 +01:00			`references:`
			`- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf`
feat: update cmd based rules 2023-03-07 14:13:57 +01:00			`- https://github.com/danielbohannon/Invoke-DOSfuscation`
			`author: frack113, Nasreddine Bencherchali (Nextron Systems)`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2022-02-15`
			`modified: 2023-03-06`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`tags:`
			`- attack.execution`
			`- attack.t1059`
$frack113$ add win_pc_cmd_dosfuscation 2022-02-15 17:58:39 +01:00			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
			`CommandLine\|contains:`
			`- '^^'`
feat: update cmd based rules 2023-03-07 14:13:57 +01:00			`- '^\|^'`
$frack113$ add win_pc_cmd_dosfuscation 2022-02-15 17:58:39 +01:00			`- ',;,'`
feat: update cmd based rules 2023-03-07 14:13:57 +01:00			`- ';;;;'`
			`- ';; ;;'`
			`- '(,(,'`
$frack113$ add win_pc_cmd_dosfuscation 2022-02-15 17:58:39 +01:00			`- '%COMSPEC:~'`
feat: update cmd based rules 2023-03-07 14:13:57 +01:00			`- ' c^m^d'`
			`- '^c^m^d'`
			`- ' c^md'`
			`- ' cm^d'`
			`- '^cm^d'`
add common "set" expressions 2022-02-16 17:33:33 +01:00			`- ' s^et '`
			`- ' s^e^t '`
			`- ' se^t '`
feat: update cmd based rules 2023-03-07 14:13:57 +01:00			`# - '%%'`
			`# - '&&'`
			`# - '""'`
$frack113$ add win_pc_cmd_dosfuscation 2022-02-15 17:58:39 +01:00			`condition: selection`
			`falsepositives:`
feat: update cmd based rules 2023-03-07 14:13:57 +01:00			`- Unknown`
$frack113$ add win_pc_cmd_dosfuscation 2022-02-15 17:58:39 +01:00			`level: medium`