{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/command-line/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Endpoint"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","scripting-interpreter","base64","command-line"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis rule identifies the execution of scripting interpreters (Python, PowerShell, Node.js, and Deno) with unusually long command lines containing base64 encoded payloads. The rule focuses on scenarios where the initial \u003ccode\u003eprocess.command_line\u003c/code\u003e field is ignored due to its excessive length, but the complete command line is still available in \u003ccode\u003eprocess.command_line.text\u003c/code\u003e. Attackers leverage this technique to evade traditional command-line inspection and execute malicious content across Windows, macOS, and Linux systems. This approach allows attackers to embed and execute code without writing it to disk, making it harder to detect. 
The rule is designed to detect this behavior, allowing for closer inspection of the executed commands and their intent.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell, Python, Node.js, or Deno to execute commands.\u003c/li\u003e\n\u003cli\u003eA long, base64-encoded string is crafted, designed to evade detection.\u003c/li\u003e\n\u003cli\u003eThe interpreter is invoked with the encoded string passed as an argument, exceeding typical command-line limits.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eprocess.command_line\u003c/code\u003e field is truncated due to its length, but the full command line is available in \u003ccode\u003eprocess.command_line.text\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe interpreter decodes and executes the payload from the \u003ccode\u003eprocess.command_line.text\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe decoded payload performs malicious actions such as downloading malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as gaining control of the system or stealing sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a wide range of malicious activities, including malware installation, data theft, privilege escalation, and system compromise. Due to the defense evasion capabilities, it is difficult to identify and prevent. The impact includes potential data breaches, financial losses, and reputational damage. 
The rule\u0026rsquo;s detection helps defenders identify this attack vector and prevent further exploitation of affected systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Long Base64 Encoded Command via Scripting Interpreter\u003c/code\u003e to your SIEM to detect this behavior.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the \u003ccode\u003eprocess.command_line.text\u003c/code\u003e field to understand the full command being executed.\u003c/li\u003e\n\u003cli\u003eReview parent processes and execution chains of the interpreter to understand the initial attack vector.\u003c/li\u003e\n\u003cli\u003eImplement controls to restrict the execution of scripting interpreters from untrusted sources.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for command lines exceeding a certain length threshold.\u003c/li\u003e\n\u003cli\u003eImprove logging coverage to capture the full command line even when it exceeds standard limits.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:00:00Z","date_published":"2024-01-03T17:00:00Z","id":"/briefs/2024-01-03-long-base64-interpreter-cmdline/","summary":"Detection of oversized command lines used by Python, PowerShell, Node.js, or Deno interpreters containing base64 decoding or encoded-command patterns, indicating potential evasion and malicious execution.","title":"Long Base64 Encoded Command via Scripting Interpreter","url":"https://feed.craftedsignal.io/briefs/2024-01-03-long-base64-interpreter-cmdline/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["reconnaissance","evasion","command-line"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to obscure their activities by using obfuscated IP addresses within command-line tools. 
This is done to bypass simple pattern matching or detection rules that rely on standard IP address formats. The Sigma rule \u0026ldquo;Obfuscated IP Via CLI\u0026rdquo;, published on 2022-08-03 and modified on 2026-03-16, focuses on detecting this behavior by identifying command lines containing hexadecimal, octal, or other encoded representations of IP addresses used with \u003ccode\u003eping.exe\u003c/code\u003e or \u003ccode\u003earp.exe\u003c/code\u003e. This activity can indicate reconnaissance, command and control communication, or lateral movement attempts where attackers are trying to hide the true destination of their network traffic.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker opens a command prompt (cmd.exe) or PowerShell.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eping.exe\u003c/code\u003e or \u003ccode\u003earp.exe\u003c/code\u003e to test network connectivity.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a command line that includes an obfuscated IP address (e.g., hexadecimal, octal). For example: \u003ccode\u003eping 0121.04.0174.012\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe command is executed, attempting to resolve or connect to the obfuscated IP address.\u003c/li\u003e\n\u003cli\u003eIf the obfuscation bypasses security controls, the tool resolves the address.\u003c/li\u003e\n\u003cli\u003eThe attacker gathers information about the target system (if ping is successful) or network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses this information for further exploitation or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of obfuscated IPs can lead to undetected reconnaissance, lateral movement, and data exfiltration. 
By hiding the true destination of network traffic, attackers can bypass traditional security measures and gain a foothold within the network. The impact includes potential data breaches, system compromise, and disruption of services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Obfuscated IP Via CLI\u0026rdquo; Sigma rule to your SIEM to detect command-line execution with obfuscated IP addresses.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging for \u003ccode\u003eping.exe\u003c/code\u003e and \u003ccode\u003earp.exe\u003c/code\u003e to ensure the Sigma rule has the necessary data.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine if the activity is malicious.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the scope of potential lateral movement.\u003c/li\u003e\n\u003cli\u003eMonitor command-line activity for unusual patterns or arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-obfuscated-ip-cli/","summary":"The use of command-line tools like ping.exe or arp.exe with obfuscated IP addresses (hex, octal, etc.) 
in the command line can indicate reconnaissance activity or attempts to evade security controls by masking the true destination.","title":"Detection of Obfuscated IP Addresses via Command Line Tools","url":"https://feed.craftedsignal.io/briefs/2024-01-03-obfuscated-ip-cli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Sysmon","Elastic Endgame","Elastic Defend","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","command-line","unicode","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers are increasingly employing Unicode modifier letters to obfuscate command-line arguments, thereby bypassing traditional string-based detection mechanisms. This technique involves replacing standard ASCII characters with visually similar Unicode characters, making it difficult for simple pattern-matching rules to identify malicious commands. The obfuscation targets common Windows utilities such as \u003ccode\u003ereg.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003ePowerShell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, and others frequently abused in post-exploitation scenarios. Defenders need to implement more sophisticated detection methods that account for Unicode normalization or character range analysis to identify and mitigate this threat. 
This technique has become more prevalent in the last year as attackers seek to evade common detection strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes a command-line utility like \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e to perform malicious actions.\u003c/li\u003e\n\u003cli\u003eObfuscation: The command-line arguments are obfuscated by replacing ASCII characters with Unicode modifier letters.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The obfuscation allows the attacker to evade simple string-based detections that would normally flag the command as malicious.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker may use the obfuscated command to escalate privileges or gain access to sensitive resources.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker may establish persistence by creating a scheduled task or modifying the registry using obfuscated commands.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker may use the obfuscated command to move laterally to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful command obfuscation can lead to a significant compromise of Windows systems. Attackers can bypass security controls and execute malicious code undetected, potentially leading to data theft, system disruption, or ransomware deployment. 
The obfuscation makes it harder for security teams to identify and respond to attacks, increasing the dwell time and potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect the presence of Unicode modifier letters in command lines (references: Sigma rules).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture command-line arguments for analysis (references: Sysmon setup instructions).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule and analyze the raw command lines to identify the true intent of the command (references: Triage and Analysis section of the source).\u003c/li\u003e\n\u003cli\u003eConsider implementing Unicode normalization techniques to remove the obfuscation before analyzing command lines.\u003c/li\u003e\n\u003cli\u003eMonitor the listed processes (\u003ccode\u003ereg.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, etc.) more closely for suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-unicode-cmd-obfuscation/","summary":"Adversaries use Unicode modifier letters to obfuscate command-line arguments, evading string-based detections on common Windows utilities like PowerShell and cmd.exe.","title":"Command Obfuscation via Unicode Modifier Letters","url":"https://feed.craftedsignal.io/briefs/2024-01-unicode-cmd-obfuscation/"}],"language":"en","title":"CraftedSignal Threat Feed — Command-Line","version":"https://jsonfeed.org/version/1.1"}