blue tangle

    I noticed on Twitter a new, relatively novel obfuscation or anti-forensics technique that Qakbot (or qbot) have started using. It surprises me that more threat actors don't employ some basic command-line obfuscation techniques, as they can really screw with SIEM detections with a minimum of effort. Credit to Max_Malyutin on Twitter for flagging this and grabbing my attention:   I hadn't seen multiple path escape backslashes like this on the Windows command line, but sure enough, it works, here's what an event looks like in Splunk:     This takes advantage of the way that SIEMs like Splunk handle backslashes, they themselves need to be escaped, so to search for a normal file path for a file (in this case cmd.exe) would look like this in Splunk:     To look for our obfuscated command-line with extra backslashes we'll want to look for more than 4 backslashes in a row, escaped in Splunk we wind up with 8 backslashes in our search:   Or in SPL:   index=<your-index-he