feat: add ArgFuscator command-line obfuscation detection query (T1027.010)

LasCC · LasCC · commit 85b280c11874 · 2026-03-27T16:13:38.000-04:00
diff --git a/s1_powerquery_hunting.json b/s1_powerquery_hunting.json
@@ -453,5 +453,10 @@
         "category": "Helper & Utilities",
         "name": "HELPER - Registry Modifications by Endpoint",
         "query": "(event.type in ('Registry Value Set', 'Registry Value Create')) AND endpoint.name contains \"ENDPOINT_NAME_HERE\"\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueValues=array_agg_distinct(registry.value) by endpoint.name, src.process.name, src.process.verified, registry.keyPath\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| let AllValues = UniqueValues.to_string(', ')\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.name, src.process.verified, registry.keyPath, AllValues, Count\n| sort -Count\n| limit 100000"
+    },
+    {
+        "category": "Defense Evasion",
+        "name": "ArgFuscator Command-Line Obfuscation (T1027.010)",
+        "query": "endpoint.os = \"windows\" AND (#cmdline contains (\"\u1d43\",\"\u1d47\",\"\u1d9c\",\"\u1d48\",\"\u1d49\",\"\u1da0\",\"\u1d4d\",\"\u02b0\",\"\u02b2\",\"\u1d4f\",\"\u02e1\",\"\u1d50\",\"\u207f\",\"\u1d52\",\"\u1d56\",\"\u02b3\",\"\u02e2\",\"\u1d57\",\"\u1d58\",\"\u1d5b\",\"\u02b7\",\"\u02e3\",\"\u02b8\",\"\u1dbb\") OR (#cmdline contains (\"\u2013\",\"\u2014\",\"\u2212\") AND src.process.name in (\"certutil.exe\",\"bitsadmin.exe\",\"msiexec.exe\",\"regsvr32.exe\",\"cscript.exe\",\"wscript.exe\",\"msbuild.exe\",\"schtasks.exe\",\"sc.exe\",\"net.exe\",\"netsh.exe\",\"reg.exe\",\"powershell.exe\",\"pwsh.exe\",\"wmic.exe\",\"cmstp.exe\",\"forfiles.exe\",\"expand.exe\",\"extrac32.exe\",\"runas.exe\",\"nltest.exe\",\"cmd.exe\",\"ftp.exe\",\"makecab.exe\",\"robocopy.exe\",\"xcopy.exe\",\"regedit.exe\",\"secedit.exe\",\"dism.exe\",\"pnputil.exe\")))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline), UniqueTgtCmdlines=array_agg_distinct(tgt.process.cmdline) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', '), AllTgtCmdlines = UniqueTgtCmdlines.to_string(', ')\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, AllTgtCmdlines, Count\n| sort -Count\n| limit 100000"
     }
 ]

Original file line number	Diff line number	Diff line change
`@@ -453,5 +453,10 @@`
`453`	`453`	`"category": "Helper & Utilities",`
`454`	`454`	`"name": "HELPER - Registry Modifications by Endpoint",`
`455`	`455`	"query": "(event.type in ('Registry Value Set', 'Registry Value Create')) AND endpoint.name contains \"ENDPOINT_NAME_HERE\"\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueValues=array_agg_distinct(registry.value) by endpoint.name, src.process.name, src.process.verified, registry.keyPath\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| let AllValues = UniqueValues.to_string(', ')\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.name, src.process.verified, registry.keyPath, AllValues, Count\n\| sort -Count\n\| limit 100000"
	`456`	`+ },`
	`457`	`+ {`
	`458`	`+ "category": "Defense Evasion",`
	`459`	`+ "name": "ArgFuscator Command-Line Obfuscation (T1027.010)",`
	`460`	+ "query": "endpoint.os = \"windows\" AND (#cmdline contains (\"\u1d43\",\"\u1d47\",\"\u1d9c\",\"\u1d48\",\"\u1d49\",\"\u1da0\",\"\u1d4d\",\"\u02b0\",\"\u02b2\",\"\u1d4f\",\"\u02e1\",\"\u1d50\",\"\u207f\",\"\u1d52\",\"\u1d56\",\"\u02b3\",\"\u02e2\",\"\u1d57\",\"\u1d58\",\"\u1d5b\",\"\u02b7\",\"\u02e3\",\"\u02b8\",\"\u1dbb\") OR (#cmdline contains (\"\u2013\",\"\u2014\",\"\u2212\") AND src.process.name in (\"certutil.exe\",\"bitsadmin.exe\",\"msiexec.exe\",\"regsvr32.exe\",\"cscript.exe\",\"wscript.exe\",\"msbuild.exe\",\"schtasks.exe\",\"sc.exe\",\"net.exe\",\"netsh.exe\",\"reg.exe\",\"powershell.exe\",\"pwsh.exe\",\"wmic.exe\",\"cmstp.exe\",\"forfiles.exe\",\"expand.exe\",\"extrac32.exe\",\"runas.exe\",\"nltest.exe\",\"cmd.exe\",\"ftp.exe\",\"makecab.exe\",\"robocopy.exe\",\"xcopy.exe\",\"regedit.exe\",\"secedit.exe\",\"dism.exe\",\"pnputil.exe\")))\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline), UniqueTgtCmdlines=array_agg_distinct(tgt.process.cmdline) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', '), AllTgtCmdlines = UniqueTgtCmdlines.to_string(', ')\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, AllTgtCmdlines, Count\n\| sort -Count\n\| limit 100000"
`456`	`461`	`}`
`457`	`462`	`]`