Command Obfuscation
Recently a great resource was released for command obfuscation: https://argfuscator.net/
It came out of a really good article (https://www.wietzebeukema.nl/blog/bypassing-detections-with-command-line-obfuscation) that dives into command line obfuscation and gathers the known techniques up into a single resource.
Most of the techniques are pretty well known, but they may still require changes to command line detections. The most annoying one is character insertion, where you can add an emoji character into the command in a manner which still allows the command to execute, while the inserted character ends up in the process creation logs and breaks any detection that matches on the original string.
All the commands below execute fine. Interestingly, not all emojis work: "sa⚽ve HKLM\SAM out.reg" works fine but "sa🧨ve HKLM\SAM out.reg" does not (one difference between the two: ⚽ is U+26BD in the Basic Multilingual Plane, while 🧨 is U+1F9E8 and takes a UTF-16 surrogate pair).
CerTUtIl -"e"N߿co⭛DE⭜ࢯ dc.html Te"S"t.h"tm"l
nltest ∕dĈlℐsT:bsides.canberra
aUDitpoL /"S"ET -c"A"te"g"ory:"A"ccOuN"t Lo"g"oN" /sU"cCe"sS:DI"S"A"b"Le /"F"AIl"ur"E:dI"s"aBl"e"
"C:\WINDOWS\system32\reg.exe" sa⚽ve HKLM\SAM out.reg
They even look nice in Event Viewer:
Luckily for us, the more obfuscation that is applied to a command, the easier it is to find. The KQL below matches any non-ASCII character in the command line of a process creation event. There will be some false positives (user names or file names with accented characters, for instance), but once these are weeded out it's probably worth alerting on the rest. Two caveats: 4688 events only carry the CommandLine field if "Include command line in process creation events" is enabled in audit policy, and this query only catches the Unicode tricks. Quote insertion, like the auditpol example above, is pure ASCII and needs its own rule (a double quote in the middle of a token is a reasonable starting point).
SecurityEvent
| where TimeGenerated > ago(30d)
| where EventID == 4688   // process creation
// verbatim string (@"...") so Kusto passes the backslashes straight to the regex engine;
// [^\x00-\x7F] matches any character outside 7-bit ASCII, so no (?i) flag is needed
| where CommandLine matches regex @"[^\x00-\x7F]"