medium advisory

Detection of Obfuscated IP Addresses via Command Line Tools

The use of command-line tools like ping.exe or arp.exe with obfuscated IP addresses (hex, octal, etc.) in the command line can indicate reconnaissance activity or attempts to evade security controls by masking the true destination.

Attackers may attempt to obscure their activities by using obfuscated IP addresses within command-line tools. This is done to bypass simple pattern matching or detection rules that rely on the standard dotted-decimal IP address format. The Sigma rule “Obfuscated IP Via CLI”, published on 2022-08-03 and modified on 2026-03-16, focuses on detecting this behavior by identifying command lines containing hexadecimal, octal, or other encoded representations of IP addresses used with ping.exe or arp.exe. This activity can indicate reconnaissance, command and control communication, or lateral movement attempts in which attackers try to hide the true destination of their network traffic.

Attack Chain

  1. An attacker gains initial access to a Windows system.
  2. The attacker opens a command prompt (cmd.exe) or PowerShell.
  3. The attacker uses ping.exe or arp.exe to test network connectivity.
  4. The attacker crafts a command line that includes an obfuscated IP address (e.g., hexadecimal, octal). For example: ping 0121.04.0174.012
  5. The command is executed, and the tool sends traffic to the address that the obfuscated form encodes.
  6. The tool parses the obfuscated form into the real address; if detection logic only matches dotted-decimal notation, the activity goes unflagged.
  7. The attacker gathers information about the target system (if ping is successful) or network.
  8. The attacker uses this information for further exploitation or lateral movement.

Impact

Successful use of obfuscated IPs can lead to undetected reconnaissance, lateral movement, and data exfiltration. By hiding the true destination of network traffic, attackers can bypass traditional security measures and gain a foothold within the network. The impact includes potential data breaches, system compromise, and disruption of services.

Recommendation

  • Deploy the “Obfuscated IP Via CLI” Sigma rule to your SIEM to detect command-line execution with obfuscated IP addresses.
  • Enable process creation logging with command-line capture for ping.exe and arp.exe, since the Sigma rule matches on command-line arguments and cannot fire without them.
  • Investigate any alerts generated by the Sigma rule to determine if the activity is malicious.
  • Implement network segmentation to limit the scope of potential lateral movement.
  • Monitor command-line activity for unusual patterns or arguments.
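As an added illustration of what the recommended command-line monitoring has to handle (this is example code, not the vendor's Sigma rule, whose query is not shown on this page), the following Python decodes the octal, per-octet hex, and URL-encoded forms named in this advisory, plus the single hex-dword form, back to dotted-decimal and flags only ping/arp command lines that use them. The command lines in SAMPLE_LOGS are constructed samples, not real telemetry.

```python
import re
from urllib.parse import unquote

SAMPLE_LOGS = [  # constructed sample command lines, not real telemetry
    "ping 0121.04.0174.012",                       # octal octets, from the advisory
    "C:\\Windows\\System32\\ping.exe 0xC0A80001",  # single 32-bit hex dword
    "arp.exe -a 0xC0.0xA8.0x01.0x01",              # per-octet hex
    "ping 192%2E168%2E1%2E20",                     # URL-encoded dots
    "ping -n 4 192.168.1.20",                      # plain dotted-decimal: not flagged
    "curl.exe 0xC0A80001",                         # outside the rule's ping/arp scope
]

TOOLS = {"ping", "ping.exe", "arp", "arp.exe"}
OCTET = r"(?:0x[0-9a-fA-F]{1,2}|0[0-7]{1,3}|[1-9][0-9]{0,2}|0)"  # hex, octal, decimal, zero
DOTTED = re.compile(rf"^{OCTET}(?:\.{OCTET}){{3}}$")
HEX_DWORD = re.compile(r"^0x[0-9a-fA-F]{1,8}$")

def octet_value(tok):
    """Interpret one octet the way inet_addr-style parsers do."""
    if tok.lower().startswith("0x"):
        return int(tok, 16)
    if len(tok) > 1 and tok[0] == "0":
        return int(tok, 8)
    return int(tok)

def normalize_ip(token):
    """Return (dotted_decimal, obfuscated) for an IP-like token, else None."""
    decoded = unquote(token)  # undo URL encoding such as %2E for '.'
    if DOTTED.match(decoded):
        parts = [octet_value(p) for p in decoded.split(".")]
        if max(parts) > 255:
            return None
        dotted = ".".join(map(str, parts))
        return dotted, dotted != token  # any rewrite means a non-standard form
    if HEX_DWORD.match(decoded):
        val = int(decoded, 16)
        dotted = ".".join(str((val >> s) & 0xFF) for s in (24, 16, 8, 0))
        return dotted, True
    return None

def detect(cmdline):
    """List (raw_token, decoded_ip) for obfuscated IPs in a ping/arp command line."""
    tokens = cmdline.split()
    if not tokens or tokens[0].lower().rsplit("\\", 1)[-1] not in TOOLS:
        return []
    found = [(t, normalize_ip(t)) for t in tokens[1:]]
    return [(t, r[0]) for t, r in found if r and r[1]]

def scan(lines):  # (cmdline, hits) for every line that would raise an alert
    return [(line, detect(line)) for line in lines if detect(line)]
```

Running scan(SAMPLE_LOGS) flags four of the six lines; the advisory's own example decodes to 81.4.124.10, which is the value an analyst should pivot on in network logs.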

Detection coverage (3 rules)

Detect Ping with Octal IP Address

Severity: medium

Detects ping.exe being used with an octal representation of an IP address.

Format: Sigma; tactics: discovery; techniques: T1018; sources: process_creation, windows

Detect Arp with Hex IP Address

Severity: medium

Detects arp.exe being used with a hex representation of an IP address.

Format: Sigma; tactics: discovery; techniques: T1018; sources: process_creation, windows

Detect Suspicious IP Obfuscation via URL Encoding

Severity: medium

Detects the use of URL encoding to obfuscate IP addresses within command-line arguments.

Format: Sigma; tactics: discovery; techniques: T1018; sources: process_creation, windows
