{
	"id": "47016401-d3ff-495c-91cc-c14e25454a4d",
	"created_at": "2026-04-06T00:08:22.775415Z",
	"updated_at": "2026-04-10T13:12:23.759621Z",
	"deleted_at": null,
	"sha1_hash": "d021f64586cf8999c5eda65cdc014c4287642aa0",
	"title": "GitHub - danielbohannon/Invoke-DOSfuscation: Cmd.exe Command Obfuscation Generator \u0026 Detection Test Harness",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 157521,
	"plain_text": "GitHub - danielbohannon/Invoke-DOSfuscation: Cmd.exe\r\nCommand Obfuscation Generator \u0026 Detection Test Harness\r\nBy Daniel Bohannon\r\nArchived: 2026-04-05 17:09:16 UTC\r\nIntroduction\r\nInvoke-DOSfuscation is a PowerShell v2.0+ compatible cmd.exe command obfuscation framework. (White paper: https://www.fireeye.com/blog/threat-research/2018/03/dosfuscation-exploring-obfuscation-and-detection-techniques.html)\r\nhttps://github.com/danielbohannon/Invoke-DOSfuscation\r\nPage 1 of 4\r\nBackground\r\nOver the past several years, as an Incident Response consultant, I have witnessed a myriad of obfuscation and evasion techniques employed by several threat actors. Some of these techniques are incredibly complex while others are tastefully simple, but both categories are employed to evade detection. In my experience, I have found APT32 and FIN7 to pull out the most alluring obfuscation techniques, and their creativity is noteworthy.\r\nIn June 2017, after a slew of incremental command line obfuscation techniques, FIN7 used an environment variable string substitution capability native to cmd.exe that at the time I did not know even existed. Spurred by this discovery I co-authored a blog post with Nick Carr (@ItsReallyNick) called Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques, where we highlighted numerous groups' obfuscation techniques we identified in the wild.\r\nThe following weekend I explored this native cmd.exe substitution functionality and built and released a simple Proof-of-Concept tool called Out-FINcodedCommand. As soon as I released this POC I stepped back and thought, \"Maybe there are more obfuscation capabilities within cmd.exe that I should explore and build detections for before we discover it being used in the wild.\"\r\nThat was the inception of the research that eventually led me to develop this Invoke-DOSfuscation framework.\r\nPurpose\r\nAttackers are increasingly using obfuscation techniques to evade detections based heavily on command line argument values. To counter this I spent five months researching and developing obfuscation and encoding techniques native to cmd.exe so that I could create robust detections for these core techniques that I have not yet seen in the wild.\r\nThis framework's sole purpose is to enable defenders to randomly generate thousands of uniquely obfuscated sample commands to test and tune their detection capabilities against these techniques. I included my full test harness in this release to automate this detection testing process.\r\nIn many ways this framework enables defenders to fuzz cmd.exe's obfuscation techniques, and in building this tool I discovered numerous additional obfuscation opportunities that I did not uncover in my initial research.\r\nI also shared this information with Microsoft in November 2017 and inquired about opportunities to expose additional visibility into the inner workings of cmd.exe's usage of the core techniques that are the building blocks of all of the obfuscation functions built into this framework.\r\nAs a defender, the end goal of this research and development is to raise awareness and drive change that will help end users better protect themselves against attackers' ever-changing TTPs (Tactics, Techniques and Procedures).\r\nUsage\r\nWhile all of the obfuscation components are built out into standalone formal functions, most users will find the Invoke-DOSfuscation function to be the easiest way to explore and visualize the obfuscation techniques that this framework supports. For fuzzing and deep exploration of the numerous tuning options for each obfuscation category, though, it is recommended that the individual functions be used directly, outside of the Invoke-DOSfuscation function wrapper.\r\nTo enable defenders to easily begin fuzzing and testing detection ideas, this framework also includes an additional module, Invoke-DOSfuscationTestHarness.psm1, that is automatically imported with the rest of the project. The two key functions in this module for defenders are:\r\n1. Invoke-DosTestHarness - Generates (with default argument settings) over 1000 randomly obfuscated commands from a list of test commands for both payload integrity and detection purposes. Each test harness iteration randomizes all available function arguments and calls the four obfuscation functions directly instead of using the more standardized -ObfuscationLevel values (1-3) that the Invoke-DOSfuscation menu-driven function uses by default. This produces a significantly wider range of obfuscation output against which one can build more thorough detections. Each obfuscated command is then checked against the second function:\r\n2. Get-DosDetectionMatch - Checks an input command (string) against all regex detection values defined in the $regexDetectionTerms array in the function. This is automatically called by Invoke-DosTestHarness but can be called in a stand-alone fashion as well.\r\nAt the end of each test harness invocation, statistics for proper command execution and detection are displayed so defenders can quickly identify which commands have 0 or only 1-2 detection matches and which might need better coverage.\r\nFinally, to avoid requiring defenders to run the test harness to get started, I have provided 1000 sample commands in the Samples directory broken out across each of the four obfuscation functions. 
The formats include .txt files, and Security and Sysmon .evtx files. I included a couple of sample detection rules in the $regexDetectionTerms array in Invoke-DOSfuscationTestHarness.psm1, but you will want to add and test many more rules as you work through the sample obfuscated commands. In addition to the .txt files with the raw commands there are .evtx files containing the process execution logs (Security EID 4688 and Sysmon EID 1 events) for each of the 1000 sample commands. These event logs are tremendously helpful for building indicators based on nuanced child process executions that are byproducts of several building block techniques upon which Invoke-DOSfuscation is built.\r\nTo get started, display sample obfuscated commands that do not match any of your current detection rules by simply running:\r\n(Get-Content .\\Samples\\STATIC_1-of-4_Out-DosConcatenatedCommand.txt) | where-object { -not (Get-DosDetectionMatch -Command $_).Detected }\r\nTo test both obfuscated commands and child processes from execution event logs recorded in Security EID 4688, simply run:\r\n(Get-WinEvent -Path .\\Samples\\DYNAMIC_SECURITY_EID4688_1-of-4_Out-DosConcatenatedCommand.evtx) | where-object { $_.Message } | foreach-object { ($_.Message.Split(\"`n\") | select-string '^\\tProcess Command Line:\\t') -replace '^\\tProcess Command Line:\\t','' } | where-object { -not (Get-DosDetectionMatch -Command $_).Detected }\r\nInstallation\r\nThe source code for Invoke-DOSfuscation is hosted on GitHub, and you may download, fork and review it from this repository (https://github.com/danielbohannon/Invoke-DOSfuscation). 
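The Usage workflow above (regex detection terms as checked by Get-DosDetectionMatch, the payload integrity check, the zero-hit coverage report, and the Process Command Line field pulled from Security EID 4688 events), as an added Python example written for this page; it is not code from the Invoke-DOSfuscation project or its test harness. The detection terms, the small cmd.exe expansion emulator (expand_cmd), the COMSPEC value and the EID 4688 message text are all constructed assumptions made here, not the project's $regexDetectionTerms or its Samples files:

```python
'''Mini detection test harness for obfuscated cmd.exe command lines.

Added example, not code from the Invoke-DOSfuscation project. It mirrors the
README's Usage workflow: pull the Process Command Line field out of Security
EID 4688 event text, check each command against regex detection terms, confirm
the command still expands to the intended payload, and list the commands that
no rule catches. The terms, the environment and every sample below are
constructed assumptions, not the project's $regexDetectionTerms or Samples.
'''
import re

TAB, LF, BSLASH = chr(9), chr(10), chr(92)

# Illustrative detection terms for a few native cmd.exe building blocks.
DETECTION_TERMS = {
    # %VAR:~start,len% substring expansion, e.g. %COMSPEC:~-7,3% yields cmd
    'env_substring': re.compile('%[^%:]+:~-?[0-9]+(?:,-?[0-9]+)?%'),
    # %VAR:old=new% string substitution, the cmd.exe feature the README cites
    'env_substitution': re.compile('%[^%:]+:(?!~)[^=%]+=[^%]*%'),
    # three or more caret escapes scattered through one command line
    'caret_escapes': re.compile('(?:' + re.escape('^') + '[^^]*){3}'),
    # define a variable, then expand it through call or a nested cmd /c
    'set_then_call': re.compile(
        '(?<![a-z0-9_])set +[^ ]+=.*(?<![a-z0-9_])(?:call|cmd(?:[.]exe)? +/[cr])(?![a-z0-9_])', re.I),
}

def detection_matches(command):
    '''Names of every detection term that fires on this command line.'''
    return [name for name, rx in DETECTION_TERMS.items() if rx.search(command)]

# The three %VAR% forms the emulator understands: plain, :~start,len and :old=new.
_EXPANSION = re.compile('%([^%:]+)(?::(~-?[0-9]+(?:,-?[0-9]+)?|[^%=]+=[^%]*))?%')

def expand_cmd(command, env):
    '''Emulate cmd.exe expansion of %VAR%, %VAR:~start,len% and %VAR:old=new%, then
    strip caret escapes. Command-line semantics only: an unknown variable stays
    literal (as at an interactive prompt), names and the old string match
    case-insensitively, and carets inside double quotes are not special-cased.'''
    upper_env = {k.upper(): v for k, v in env.items()}

    def repl(m):
        name, modifier = m.group(1), m.group(2)
        value = upper_env.get(name.upper())
        if value is None:
            return m.group(0)
        if modifier is None:
            return value
        if modifier.startswith('~'):
            parts = modifier[1:].split(',')
            start = int(parts[0])
            if start < 0:
                start = max(len(value) + start, 0)
            if len(parts) == 1:
                return value[start:]
            length = int(parts[1])
            end = start + length if length >= 0 else len(value) + length
            return value[start:end]
        old, new = modifier.split('=', 1)
        return re.sub(re.escape(old), lambda _: new, value, flags=re.I)

    expanded = _EXPANSION.sub(repl, command)
    return re.sub(re.escape('^') + '(.)', lambda m: m.group(1), expanded)

def command_lines_from_4688(messages):
    '''Extract the Process Command Line field from EID 4688 message text, the
    same field the README's Get-WinEvent one-liner pulls out.'''
    field = re.compile('^' + TAB + 'Process Command Line:' + TAB + '(.*)$', re.M)
    return [m.group(1) for msg in messages for m in field.finditer(msg)]

def run_harness(samples, env):
    '''samples: (obfuscated_command, intended_payload or None). Returns one record
    per sample (detection hits, payload integrity) plus the zero-hit commands, the
    coverage gaps the README says to look for. None means integrity needs live
    execution (e.g. the command defines its own variable with set).'''
    records = [{'command': c,
                'matches': detection_matches(c),
                'payload_ok': None if intended is None else expand_cmd(c, env) == intended}
               for c, intended in samples]
    undetected = [r['command'] for r in records if not r['matches']]
    return records, undetected

# Constructed environment and EID 4688 message text (assumptions, not captured data).
SYSTEM32 = 'C:/Windows/System32/'.replace('/', BSLASH)   # cmd.exe reports backslash paths
ENV = {'COMSPEC': SYSTEM32 + 'cmd.exe'}

def _message(command_line):
    return LF.join(['A new process has been created.', '', 'Process Information:',
                    TAB + 'New Process Name:' + TAB + ENV['COMSPEC'],
                    TAB + 'Process Command Line:' + TAB + command_line, ''])

SAMPLE_4688_MESSAGES = [_message(c) for c in [
    '%COMSPEC:~-7,3% /c dir /b',                # substring expansion
    '%COMSPEC:' + SYSTEM32 + '=% /c dir /b',    # substitution strips the directory
    'c^m^d /c d^ir /b',                         # caret escapes
    'cmd /c set x=dir /b&&call %x%',            # set, then expand through call
    'cmd /c d^ir /b',                           # one caret: evades every term above
]]
INTENDED = ['cmd /c dir /b', 'cmd.exe /c dir /b', 'cmd /c dir /b', None, 'cmd /c dir /b']
SAMPLES = list(zip(command_lines_from_4688(SAMPLE_4688_MESSAGES), INTENDED))

if __name__ == '__main__':
    records, undetected = run_harness(SAMPLES, ENV)
    for r in records:
        print(len(r['matches']), 'hit(s)', r['matches'], 'payload_ok=' + str(r['payload_ok']), r['command'])
    print('no detection coverage:', undetected)
```

Run it directly to get one line per sample with its hit count; the last sample, a single caret in d^ir, is the kind of command that lands in the zero-match list and tells you a rule is missing, exactly the signal the test harness statistics are meant to surface. Real 4688 messages use CRLF line endings and carry many more fields; the constructed messages here keep only the two the extractor needs, and the emulator is a stand-in for the live execution the project uses to check payload integrity.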
Please report issues or feature requests through GitHub's bug tracker associated with this project.\r\nTo install:\r\nImport-Module .\\Invoke-DOSfuscation.psd1\r\nInvoke-DOSfuscation\r\nLicense\r\nInvoke-DOSfuscation is released under the Apache 2.0 license.\r\nRelease Notes\r\nv1.0 - 2018-03-23 Black Hat Asia (Singapore): PUBLIC Release of Invoke-DOSfuscation.\r\nSource: https://github.com/danielbohannon/Invoke-DOSfuscation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/danielbohannon/Invoke-DOSfuscation"
	],
	"report_names": [
		"Invoke-DOSfuscation"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434102,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d021f64586cf8999c5eda65cdc014c4287642aa0.pdf",
		"text": "https://archive.orkl.eu/d021f64586cf8999c5eda65cdc014c4287642aa0.txt",
		"img": "https://archive.orkl.eu/d021f64586cf8999c5eda65cdc014c4287642aa0.jpg"
	}
}