By making minor changes to command-line arguments, it is possible to bypass EDR/AV detections that key on the exact argument string. Research covering roughly 70 Windows executables found that every one of them accepted some obfuscated form of its arguments, to varying degrees.
Full research: https://wietzebeukema.nl/bypassing-detections-with-command-line-obfuscation
You Should Know:
1. Common Command-Line Obfuscation Techniques
Attackers manipulate command-line arguments so the program still receives what it needs while the logged string no longer matches a detection. Below are the main methods, each with an original and an obfuscated form:
A. Argument Reordering
Original:
[cmd]
program.exe /install /silent /log C:\temp\log.txt
[/cmd]
Obfuscated:
[cmd]
program.exe /log C:\temp\log.txt /silent /install
[/cmd]
B. Case Manipulation
[cmd]
Program.ExE /InStAlL /sIlEnT
[/cmd]
C. Whitespace Insertion (extra spaces or tabs between arguments; many argument parsers tolerate them)
[cmd]
program.exe    /install		/silent
[/cmd]
D. Using Shortened Arguments (works only when the program's own parser accepts abbreviated switches; the research found that many do, so test each binary)
[cmd]
prog.exe -i -s
[/cmd]
E. Using Environment Variables
[cmd]
set ARG=/install
program.exe %ARG% /silent
[/cmd]
Caveat: cmd.exe expands %ARG% before it creates the child process, so the process-creation event for program.exe records the expanded string (`program.exe /install /silent`). This hides the argument only in the parent's script or command line, not in the child's telemetry.
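To see what each of techniques A to E does to the raw string, and why a detection written as one literal pattern misses most of them, here is an added Python example (not code from the original page or from the cited research). The program name, its switches, the short forms `/i`, `/s`, `/l` and the naive pattern are assumptions for illustration.

```python
"""Added example: produce obfuscated variants of a benign command line
(techniques A-D above) and check which ones evade a naive literal pattern.
program.exe, its switches, the short forms and the pattern are assumed."""
import re

# Assumed baseline command (illustrative, not a real product's syntax).
BASELINE = "program.exe /install /silent /log C:\\temp\\log.txt"

# Naive detection: the exact string an analyst copied from one sample.
NAIVE_PATTERN = re.compile(r"program\.exe /install /silent")

# Assumed short forms the program's parser accepts (technique D).
SHORT_FORMS = {"/install": "/i", "/silent": "/s", "/log": "/l"}


def split_args(cmd: str):
    """Split into program name and argument groups; a switch (/x or -x)
    starts a group and any following values (e.g. a path) stay attached."""
    prog, *tokens = cmd.split()
    groups = []
    for tok in tokens:
        if tok[0] in "/-" or not groups:
            groups.append([tok])
        else:
            groups[-1].append(tok)
    return prog, groups


def reorder(cmd: str) -> str:
    """A: reverse the order of the switch groups."""
    prog, groups = split_args(cmd)
    return " ".join([prog] + [" ".join(g) for g in reversed(groups)])


def alternate_case(cmd: str) -> str:
    """B: flip the case of every other character."""
    return "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(cmd))


def insert_whitespace(cmd: str) -> str:
    """C: pad the separators with extra spaces and a tab."""
    tokens = cmd.split()
    return "   ".join(tokens[:2]) + "\t" + " ".join(tokens[2:])


def shorthand(cmd: str) -> str:
    """D: substitute the assumed abbreviated switches."""
    return " ".join(SHORT_FORMS.get(t, t) for t in cmd.split())


def expand_env(template: str, env: dict) -> str:
    """E, seen from the defender's side: cmd.exe expands %VAR% before it
    creates the child, so this is the command line the child's
    process-creation event records."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), template)


def evades(cmd: str) -> bool:
    """True when the naive pattern does not fire on this command line."""
    return NAIVE_PATTERN.search(cmd) is None


def variants(cmd: str = BASELINE) -> dict:
    """All variants of one command, keyed by technique."""
    return {
        "A reorder": reorder(cmd),
        "B case": alternate_case(cmd),
        "C whitespace": insert_whitespace(cmd),
        "D shorthand": shorthand(cmd),
        "E env expanded": expand_env("program.exe %ARG% /silent", {"ARG": "/install"}),
    }


if __name__ == "__main__":
    for name, v in variants().items():
        print(f"{'evades' if evades(v) else 'caught'}  {name:15} {v!r}")
```

Running it shows A to D evading the literal pattern while the expanded form of E is caught, which is the point of the caveat above: environment variables hide the argument from whoever reads the script, not from process-creation telemetry. Whether the obfuscated variants actually still work is a property of program.exe's parser and has to be tested per binary.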
2. Detection & Mitigation Techniques
Windows (PowerShell)
List running processes whose command line carries both arguments of interest, regardless of order or case (`-match` is case-insensitive by default). This only covers live processes; for history you need process-creation logging such as Sysmon Event ID 1.
[cmd]
Get-CimInstance Win32_Process |
  Where-Object { $_.CommandLine -match 'install' -and $_.CommandLine -match 'silent' } |
  Select-Object ProcessId, Name, CommandLine
[/cmd]
Sysmon Configuration (Log Process Creation)
Sysmon conditions are literal, case-insensitive substring tests: they cannot reorder arguments or collapse whitespace, so use Sysmon to capture every process creation (Event ID 1) with its full command line and do the normalization in the SIEM. A rule group for `sysmon-config.xml` (placed inside `<EventFiltering>`) that flags both switches in any order and case, plus the shorthand variants:
[cmd]
<RuleGroup name="Command Obfuscation" groupRelation="or">
  <ProcessCreate onmatch="include">
    <CommandLine condition="contains all">install;silent</CommandLine>
    <CommandLine condition="contains any">-i -s;/i /s</CommandLine>
  </ProcessCreate>
</RuleGroup>
[/cmd]
To log every process creation instead of only these matches, use an empty `<ProcessCreate onmatch="exclude"/>`.
Linux (Auditd for Command Monitoring)
auditctl -a always,exit -F arch=b64 -S execve -k cmdline_tampering
3. Testing Your Own Binaries
Use Process Monitor to confirm what command line a process actually received, then check that the program still did what the original command does:
1. Open ProcMon and add the `Command Line` column (Options > Select Columns > Process Management).
2. Filter: `Process Name` is `yourbinary.exe`, `Operation` is `Process Start`.
3. Run the original and each obfuscated variant; compare the `Command Line` column with what you typed.
4. Verify the effect (for example the log file or registry change the original command produces). A variant that still works is a bypass for any detection keyed on the original string.
What Undercode Says
Command-line obfuscation remains a simple yet effective bypass technique. Defenders must:
– Normalize command lines before matching (lowercase, collapse whitespace, unify `/` and `-` switch prefixes, expand known short forms).
– Match on the set of arguments present, not their order (e.g. `install` and `silent` both present, in any position).
– Log all process executions with full command lines (Sysmon Event ID 1, auditd execve).
– Test EDRs by obfuscating benign commands and confirming both that the program still runs and that the alert still fires.
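Normalization and order-independent matching, as an added Python example (not the page's or the research's own code) run over a handful of constructed Sysmon-style process-creation records. It goes slightly beyond the page's list: besides lowercasing and collapsing whitespace it unifies `/` and `-` switch prefixes and expands the assumed short forms `i`, `s`, `l`, since those are the variants a substring rule would otherwise miss. Record contents and the alias table are assumptions.

```python
"""Added example: normalize command lines so a detection keyed on the
*set* of switches survives reordering, case changes, extra whitespace,
/ vs - prefixes and abbreviated switches. Records are constructed and
the alias table is assumed; neither comes from real telemetry."""

# Constructed Sysmon Event ID 1-style records (Image, CommandLine only).
RECORDS = [
    {"Image": r"C:\apps\program.exe",
     "CommandLine": r"program.exe /install /silent /log C:\temp\log.txt"},
    {"Image": r"C:\apps\program.exe",
     "CommandLine": r"program.exe /log C:\temp\log.txt /silent /install"},
    {"Image": r"C:\apps\program.exe",
     "CommandLine": "Program.ExE   /InStAlL\t/sIlEnT"},
    {"Image": r"C:\apps\program.exe",
     "CommandLine": "program.exe -i -s"},
    # Both words present, but only as part of a path value: a substring
    # rule would fire here, switch-set matching does not.
    {"Image": r"C:\apps\program.exe",
     "CommandLine": r"program.exe /log C:\temp\install-silent.txt"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

# Assumed short forms accepted by program.exe's parser (technique D).
ALIASES = {"i": "install", "s": "silent", "l": "log"}

# Switches that, together, mark the behaviour we care about, in any order.
REQUIRED = frozenset({"-install", "-silent"})


def normalize(cmdline: str) -> list:
    """Lowercase, collapse whitespace runs (str.split handles spaces and
    tabs), map every switch to the form -name and expand known aliases.
    Values such as paths are kept as-is after lowercasing."""
    norm = []
    for tok in cmdline.lower().split():
        if tok[0] in "/-":
            name = tok.lstrip("/-")
            norm.append("-" + ALIASES.get(name, name))
        else:
            norm.append(tok)
    return norm


def matches(cmdline: str, required=REQUIRED) -> bool:
    """True when every required switch is present, regardless of order."""
    return required <= set(normalize(cmdline))


def detect(records, image_name="program.exe"):
    """Return the records for image_name whose command line matches."""
    return [r for r in records
            if r["Image"].lower().endswith("\\" + image_name)
            and matches(r["CommandLine"])]


if __name__ == "__main__":
    for hit in detect(RECORDS):
        print("ALERT", hit["CommandLine"], "->", normalize(hit["CommandLine"]))
```

Two design notes. The tokenizer uses plain whitespace splitting, which is enough for these samples but not for quoted values containing spaces; a production version should apply the Windows argv rules (what CommandLineToArgvW does) before classifying tokens. The alias table cannot be guessed: it has to come from testing the binary as described in section 3, because which abbreviations a program accepts is exactly what the research found to vary from one executable to the next.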
Relevant Commands Recap:
[cmd]
# Windows: running processes with their command lines
Get-CimInstance Win32_Process | Select-Object ProcessId, Name, CommandLine
# Linux: search the auditd execve records captured by the rule above
ausearch -k cmdline_tampering -i
# Linux: live processes, case-insensitive match on the argument of interest
ps -eo pid,args | grep -i "install"
[/cmd]
References:
Wietze Beukema, "Bypassing detections with command-line obfuscation", https://wietzebeukema.nl/bypassing-detections-with-command-line-obfuscation