Today, the majority of antivirus and EDR systems monitor the commands launched on a system. Protective solutions analyze the command line to differentiate between normal processes and malicious ones. However, attackers have developed a technique known as command-line obfuscation, enabling them to deceive these checks by altering the form of a command while maintaining its effect.
In the past, threats were detected in malicious files like viruses and Trojans. Nowadays, many attacks employ ordinary system utilities such as PowerShell, Curl, Msiexec, or Taskkill, a tactic referred to as Malwareless Intrusions. These attacks mimic regular computer usage, making them less suspicious.
To combat these actions, protective systems now focus on the arguments of the commands. For instance, while “Taskkill /F /IM Winword.exe” may be harmless, “Taskkill /F /IM Security_Process.exe” could be seen as an attempt to disable security. Attackers can modify commands so that they appear different but function the same, a technique known as obfuscation.
This masking technique involves changing characters, adding extra elements, using unique quotes, or altering letter case within commands. This manipulation makes commands appear different, making it harder for antivirus software to detect threats.
Windows systems are particularly vulnerable to these tactics, with tricks such as replacing “/f” with “-f”, using special characters, inserting invisible symbols, changing argument order, or obfuscating paths. Similar techniques exist for Linux and MacOS, like truncating arguments or formatting IP addresses unconventionally.
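The defensive counterpart to the tricks listed above is to canonicalize a command line before matching on it, so that case changes, `-`/`/` switch variants, inserted invisible characters, unusual quoting and reordered arguments all collapse to the same token list. The following is an added example written for this page, not code from the article or from the Argfuscator project; the sample command lines are constructed, and `PROTECTED_IMAGES` is a hypothetical watch-list name.

```python
import unicodedata

# Constructed sample command lines illustrating the obfuscation tricks
# described on the page (not taken from the original article).
SAMPLE_COMMANDS = [
    'taskkill /F /IM Winword.exe',                                  # benign
    'TASKKILL -f -im "Security_Process.exe"',                       # case + '-' switches + quotes
    'taskkill /F /IM Secu\u200brity_Process.exe',                   # zero-width space inserted
    'taskkill   /IM   Security_Process.exe   /F',                   # argument order changed
    'C:\\Windows\\System32\\taskkill.exe /F /IM security_process.exe',  # full path to the binary
    'curl -o C:\\Users\\Public\\file.txt http://example.invalid/x',     # unrelated utility
]

# Hypothetical watch-list of image names a defender wants to protect.
PROTECTED_IMAGES = {'security_process.exe'}

# Taskkill switches that consume the following token as their value.
VALUE_SWITCHES = {'/im', '/pid', '/fi', '/s', '/u', '/p'}


def normalize_command_line(cmd: str) -> list:
    """Canonicalize a Windows command line so obfuscated variants of the
    same command yield the same token list."""
    # Drop zero-width and other invisible "format" characters (Unicode category Cf).
    cmd = ''.join(ch for ch in cmd if unicodedata.category(ch) != 'Cf')
    # Fold typographic and single quotes into plain quotes, then strip them:
    # quoting rarely changes the meaning of a taskkill argument.
    for q in ('\u201c', '\u201d', "'"):
        cmd = cmd.replace(q, '"')
    cmd = cmd.replace('"', '')
    # Windows utilities and switches are case-insensitive.
    tokens = cmd.lower().split()
    # Treat '-flag' and '/flag' as the same switch.
    tokens = ['/' + t[1:] if t.startswith('-') and len(t) > 1 else t for t in tokens]
    # Reduce the program token to its bare name: strip any path and '.exe'.
    if tokens:
        prog = tokens[0].rsplit('\\', 1)[-1].rsplit('/', 1)[-1]
        if prog.endswith('.exe'):
            prog = prog[:-4]
        tokens[0] = prog
    return tokens


def parse_taskkill(tokens: list):
    """Split normalized taskkill tokens into (flags, options), ignoring order."""
    flags, options = set(), {}
    i = 1
    while i < len(tokens):
        t = tokens[i]
        if t in VALUE_SWITCHES and i + 1 < len(tokens):
            options[t] = tokens[i + 1]
            i += 2
        elif t.startswith('/'):
            flags.add(t)
            i += 1
        else:
            i += 1
    return flags, options


def detect_security_process_kill(cmd: str) -> bool:
    """True if the command line, after normalization, is taskkill aimed at
    a protected image name."""
    tokens = normalize_command_line(cmd)
    if not tokens or tokens[0] != 'taskkill':
        return False
    _flags, options = parse_taskkill(tokens)
    return options.get('/im') in PROTECTED_IMAGES


def scan(commands: list) -> list:
    """Apply the detection to a batch of command lines."""
    return [detect_security_process_kill(c) for c in commands]


if __name__ == '__main__':
    for cmd, hit in zip(SAMPLE_COMMANDS, scan(SAMPLE_COMMANDS)):
        print('ALERT ' if hit else 'ok    ', repr(cmd))
```

The design point is that matching happens on the normalized tokens, not on the raw string, so a rule written once covers every variant the canonicalization folds together; the cost is that normalization itself must be kept in step with each new trick the page's authors document.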
To assess how susceptible system utilities are to these tricks, the project’s author tested 68 popular Windows programs including Curl, Taskkill, Reg, PowerShell, and MSIEXEC. A tool called Analyse_obfuscation was developed to automatically verify whether altered commands behave the same as the original ones, and a second tool, Invoke-Argfuscator, was created to generate masked commands based on the established patterns.
For detailed results, visit the site.