Detecting Obfuscated Command-lines with a Large Language Model
cisco.com - cloud

In the security industry, there is a constant, undeniable fact that practitioners must contend with: criminals are working overtime to constantly change the threat landscape to their advantage. Their techniques are many, and they go out of their way to avoid detection and obfuscate their actions. In fact, one element of obfuscation – command-line obfuscation – is the process of intentionally disguising command-lines, which hinders automated detection and seeks to hide the true intention of the adversary’s scripts.
Types of Obfuscation
There are a few tools publicly available on GitHub that give us a glimpse of the techniques adversaries use. One such tool is Invoke-Obfuscation, a PowerShell script that aims to help defenders simulate obfuscated payloads. After analyzing some of the examples in Invoke-Obfuscation, we identified different levels of the technique:

Each of the colors in the image represents a different technique, and while there are various types ...
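The post describes how obfuscation hinders automated detection and points to Invoke-Obfuscation as a source of sample payloads. As an added illustration (not code from the Cisco post, and a plain feature-based baseline rather than the large language model the post is about), the script below scores command lines on a handful of obfuscation indicators and decodes an `-EncodedCommand` payload back to readable text. The five command lines, the regexes, the weights and the threshold are all constructed for this example.

```python
import base64
import binascii
import math
import re
from collections import Counter

# Constructed command lines for the demo (not taken from the Cisco post):
# the first two are ordinary administration commands, the last three apply
# obfuscation styles of the kind Invoke-Obfuscation generates, all with a
# harmless Write-Output payload.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoProfile -Command Get-Process | Sort-Object CPU",
    "cmd.exe /c dir C:\\Users",
    # -EnC with a base64 (UTF-16LE) blob that decodes to: Write-Output 'hi'
    "powershell.exe -NoP -W Hidden -EnC VwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAnAGgAaQAnAA==",
    # string concatenation hides the cmdlet name from simple substring matches
    "powershell.exe -c \"&('Wr'+'ite-Ou'+'tput') ('h'+'i')\"",
    # cmd.exe carets and PowerShell backticks split tokens character by character
    "cmd.exe /c p^o^w^e^r^s^h^e^l^l -c \"W`r`i`t`e-O`u`t`p`u`t 'hi'\"",
]

# Indicator patterns and weights are assumptions of this example, not rules
# from the post. PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENCODED_RE = re.compile(
    r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.IGNORECASE
)
CONCAT_RE = re.compile(r"'\s*\+\s*'")   # 'abc'+'def' style joins
THRESHOLD = 1.0                          # score at or above this is flagged


def shannon_entropy(text):
    """Bits per character; base64 blobs and scrambled tokens push this up."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def extract_features(cmd):
    """Cheap, explainable indicators computed from the raw command line."""
    n = max(len(cmd), 1)
    symbols = sum(1 for ch in cmd if not (ch.isalnum() or ch.isspace()))
    return {
        "entropy": round(shannon_entropy(cmd), 2),
        "symbol_ratio": round(symbols / n, 3),
        "escape_chars": cmd.count("`") + cmd.count("^"),
        "concat_ops": len(CONCAT_RE.findall(cmd)),
        "encoded_arg": ENCODED_RE.search(cmd) is not None,
    }


def obfuscation_score(cmd):
    """Weighted sum of the indicators; each term is capped so one trick cannot dominate."""
    f = extract_features(cmd)
    score = 0.0
    score += 1.5 if f["encoded_arg"] else 0.0
    score += min(f["escape_chars"], 10) * 0.15
    score += min(f["concat_ops"], 10) * 0.25
    score += max(0.0, f["symbol_ratio"] - 0.2) * 2.0
    score += max(0.0, f["entropy"] - 4.5) * 0.5
    return round(score, 2)


def is_obfuscated(cmd):
    return obfuscation_score(cmd) >= THRESHOLD


def decode_encoded_command(cmd):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    for cmd in SAMPLE_COMMAND_LINES:
        verdict = "OBFUSCATED" if is_obfuscated(cmd) else "clean"
        print(f"{verdict:10} score={obfuscation_score(cmd):5.2f} {cmd}")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            print(f"{'':10} decoded -EncodedCommand: {decoded}")
```

Heuristics like these are what a model-based detector is meant to improve on: each indicator is easy for an adversary to sidestep individually, but together they give an analyst a readable explanation of why a command line was flagged, and the decoder turns the most common encoding back into text that the usual detection rules can inspect.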
Copyright of this story solely belongs to cisco.com - cloud.