Command-Line — CraftedSignal Threat Feed

Long Base64 Encoded Command via Scripting Interpreter

hello@craftedsignal.io — Wed, 03 Jan 2024 17:00:00 +0000

This rule identifies the execution of scripting interpreters (Python, PowerShell, Node.js, and Deno) with unusually long command lines containing base64 encoded payloads. The rule focuses on scenarios where the initial process.command_line field is ignored due to its excessive length, but the complete command line is still available in process.command_line.text. Attackers leverage this technique to evade traditional command-line inspection and execute malicious content across Windows, macOS, and Linux systems. This approach allows attackers to embed and execute code without writing it to disk, making it harder to detect. The rule is designed to detect this behavior, allowing for closer inspection of the executed commands and their intent.

Attack Chain

An attacker gains initial access to a system (e.g., via phishing or exploiting a vulnerability).
The attacker uses PowerShell, Python, Node.js, or Deno to execute commands.
A long, base64-encoded string is crafted, designed to evade detection.
The interpreter is invoked with the encoded string passed as an argument, exceeding typical command-line limits.
The process.command_line field is truncated due to its length, but the full command line is available in process.command_line.text.
The interpreter decodes and executes the payload from the process.command_line.text.
The decoded payload performs malicious actions such as downloading malware, establishing persistence, or exfiltrating data.
The attacker achieves their objective, such as gaining control of the system or stealing sensitive information.

Impact

Successful exploitation can lead to a wide range of malicious activities, including malware installation, data theft, privilege escalation, and system compromise. Due to the defense evasion capabilities, it is difficult to identify and prevent. The impact includes potential data breaches, financial losses, and reputational damage. The rule’s detection helps defenders identify this attack vector and prevent further exploitation of affected systems.

Recommendation

Deploy the Sigma rule Detect Long Base64 Encoded Command via Scripting Interpreter to your SIEM to detect this behavior.
Investigate any alerts generated by this rule, focusing on the process.command_line.text field to understand the full command being executed.
Review parent processes and execution chains of the interpreter to understand the initial attack vector.
Implement controls to restrict the execution of scripting interpreters from untrusted sources.
Monitor process execution logs for command lines exceeding a certain length threshold.
Improve logging coverage to capture the full command line even when it exceeds standard limits.

Detection of Obfuscated IP Addresses via Command Line Tools

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers may attempt to obscure their activities by using obfuscated IP addresses within command-line tools. This is done to bypass simple pattern matching or detection rules that rely on standard IP address formats. The Sigma rule “Obfuscated IP Via CLI” published on 2022-08-03 and modified on 2026-03-16, focuses on detecting this behavior by identifying command lines containing hexadecimal, octal, or other encoded representations of IP addresses used with ping.exe or arp.exe. This activity can indicate reconnaissance, command and control communication, or lateral movement attempts where attackers are trying to hide the true destination of their network traffic.

Attack Chain

An attacker gains initial access to a Windows system.
The attacker opens a command prompt (cmd.exe) or PowerShell.
The attacker uses ping.exe or arp.exe to test network connectivity.
The attacker crafts a command line that includes an obfuscated IP address (e.g., hexadecimal, octal). For example: ping 0121.04.0174.012
The command is executed, attempting to resolve or connect to the obfuscated IP address.
If the obfuscation bypasses security controls, the tool resolves the address.
The attacker gathers information about the target system (if ping is successful) or network.
The attacker uses this information for further exploitation or lateral movement.

Impact

Successful exploitation of obfuscated IPs can lead to undetected reconnaissance, lateral movement, and data exfiltration. By hiding the true destination of network traffic, attackers can bypass traditional security measures and gain a foothold within the network. The impact includes potential data breaches, system compromise, and disruption of services.

Recommendation

Deploy the “Obfuscated IP Via CLI” Sigma rule to your SIEM to detect command-line execution with obfuscated IP addresses.
Enable process creation logging for ping.exe and arp.exe to ensure the Sigma rule has the necessary data.
Investigate any alerts generated by the Sigma rule to determine if the activity is malicious.
Implement network segmentation to limit the scope of potential lateral movement.
Monitor command-line activity for unusual patterns or arguments.

Command Obfuscation via Unicode Modifier Letters

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers are increasingly employing Unicode modifier letters to obfuscate command-line arguments, thereby bypassing traditional string-based detection mechanisms. This technique involves replacing standard ASCII characters with visually similar Unicode characters, making it difficult for simple pattern-matching rules to identify malicious commands. The obfuscation targets common Windows utilities such as reg.exe, net.exe, certutil.exe, PowerShell.exe, cmd.exe, and others frequently abused in post-exploitation scenarios. Defenders need to implement more sophisticated detection methods that account for Unicode normalization or character range analysis to identify and mitigate this threat. This technique has become more prevalent in the last year as attackers seek to evade common detection strategies.

Attack Chain

Initial Access: An attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.
Execution: The attacker executes a command-line utility like cmd.exe or powershell.exe to perform malicious actions.
Obfuscation: The command-line arguments are obfuscated by replacing ASCII characters with Unicode modifier letters.
Defense Evasion: The obfuscation allows the attacker to evade simple string-based detections that would normally flag the command as malicious.
Privilege Escalation: The attacker may use the obfuscated command to escalate privileges or gain access to sensitive resources.
Persistence: The attacker may establish persistence by creating a scheduled task or modifying the registry using obfuscated commands.
Lateral Movement: The attacker may use the obfuscated command to move laterally to other systems on the network.

Impact

Successful command obfuscation can lead to a significant compromise of Windows systems. Attackers can bypass security controls and execute malicious code undetected, potentially leading to data theft, system disruption, or ransomware deployment. The obfuscation makes it harder for security teams to identify and respond to attacks, increasing the dwell time and potential damage.

Recommendation

Deploy the Sigma rule provided below to detect the presence of Unicode modifier letters in command lines (references: Sigma rules).
Enable Sysmon process creation logging to capture command-line arguments for analysis (references: Sysmon setup instructions).
Investigate any alerts triggered by the Sigma rule and analyze the raw command lines to identify the true intent of the command (references: Triage and Analysis section of the source).
Consider implementing Unicode normalization techniques to remove the obfuscation before analyzing command lines.
Monitor the listed processes (reg.exe, net.exe, certutil.exe, etc.) more closely for suspicious activity.