Query Details

KQLObfusGuard - Detecting ArgFuscator Obfuscation

Query

// KQLObfusGuard - Detecting ArgFuscator Obfuscation
// https://argfuscator.net/

// Known ArgFuscator command patterns, loaded from the author's IOC file on GitHub
let KQLObfusGuard=externaldata(RawData:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/argfuscator.txt']
| parse RawData with ArgfuscatorCommand :string;
let ArgfuscatorCmds =
KQLObfusGuard
| project ArgfuscatorCommand;
DeviceEvents
| where Timestamp > ago(1h)
// Split the lower-cased command line into its arguments using Windows parsing rules
| extend ParsedCommandLine = parse_command_line(tolower(InitiatingProcessCommandLine), "windows")
// Length of the raw command line vs. length reconstructed from the parsed tokens
| extend IPCL_Length = strlen(InitiatingProcessCommandLine)
| extend PCL_Length = strlen(tostring(ParsedCommandLine))-2-(2*array_length(ParsedCommandLine))+(array_length(ParsedCommandLine)-1)
// Flag when the raw length exceeds the reconstructed length by more than one character and a known pattern is present
| where (IPCL_Length - PCL_Length > 1) and ParsedCommandLine has_any(ArgfuscatorCmds)

Explanation

This KQL (Kusto Query Language) query is designed to detect the use of ArgFuscator, a tool used for obfuscating command lines, which can be a sign of malicious activity. Here's a simplified breakdown of what the query does:

  1. Load External Data: It starts by loading a list of known ArgFuscator commands from an external source (a GitHub repository).

  2. Parse the Data: The raw data from the external source is parsed to extract the specific ArgFuscator commands.

  3. Filter Device Events: The query then looks at device events that have occurred in the last hour.

  4. Parse Command Lines: For each event, it splits the lower-cased command line of the initiating process into its arguments using Windows command-line parsing rules, then calculates the length of the original command line and the length reconstructed from the parsed arguments.

  5. Detect Obfuscation: It checks for a discrepancy between the two lengths, which could indicate obfuscation, since characters such as inserted quote pairs are removed during parsing. Specifically, it looks for cases where the original command line is more than one character longer than the parsed version.

  6. Match Against Known Commands: Finally, it checks if the parsed command line contains any known ArgFuscator commands.

In essence, this query is trying to identify processes that might be using ArgFuscator to hide their true intentions by comparing the command line lengths and looking for known obfuscation patterns.
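The length-discrepancy heuristic described above, as an added offline model (not the author's query or the ArgFuscator project's code): it tokenizes a command line roughly the way parse_command_line(..., "windows") does, rejoins the tokens with single spaces, and compares that length with the raw length; the watch list and sample command lines are constructed stand-ins for the argfuscator.txt feed and for real telemetry, and backslash-escape handling is simplified.

```python
# Added example (not from the original query page): an offline model of the
# KQLObfusGuard length-discrepancy heuristic. Quote pairs that Windows strips
# during parsing vanish from the rejoined tokens, so raw length minus rejoined
# length grows with quote-based obfuscation.

# Constructed stand-in for the argfuscator.txt feed the query downloads (assumption).
WATCHED_COMMANDS = ["certutil"]


def windows_split(cmdline):
    """Split on whitespace outside quotes; a '"' toggles quoting and is dropped.
    Backslash-escape rules of CommandLineToArgvW are omitted (simplification)."""
    tokens, current, in_quotes, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            have_token = True  # an empty "" still starts a token
        elif ch in " \t" and not in_quotes:
            if have_token:
                tokens.append("".join(current))
                current, have_token = [], False
        else:
            current.append(ch)
            have_token = True
    if have_token:
        tokens.append("".join(current))
    return tokens


def length_discrepancy(cmdline):
    """Raw length minus length of the tokens rejoined with single spaces
    (the quantity IPCL_Length - PCL_Length approximates in the query)."""
    return len(cmdline) - len(" ".join(windows_split(cmdline)))


def is_suspicious(cmdline, watched=WATCHED_COMMANDS):
    """Mirror the query's two conditions: discrepancy > 1 AND a watched term
    inside a parsed token. Legitimate quoting of a path with spaces also
    yields a discrepancy of 2, which is why the watch-list match is required."""
    tokens = windows_split(cmdline.lower())
    return length_discrepancy(cmdline) > 1 and any(
        term in token for token in tokens for term in watched
    )


if __name__ == "__main__":
    samples = [  # constructed sample command lines
        'certutil -hash""file c:\\windows\\system32\\notepad.exe sha""256',  # quote insertion
        "certutil -hashfile c:\\windows\\system32\\notepad.exe sha256",  # clean
        '"c:\\program files\\tool.exe" -x',  # legitimate quoting, no watched term
    ]
    for line in samples:
        print(f"{length_discrepancy(line):>2} {str(is_suspicious(line)):5} {line}")
```

The third sample shows why the length check alone is not enough: a quoted path with spaces also loses two characters in parsing, so only the combination with the watch-list match fires.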

Details


Steven Lim

Released: February 16, 2025

Tables

KQLObfusGuard

DeviceEvents

Keywords

DeviceEvents

Operators

let, externaldata, parse, with, project, where, extend, parse_command_line, tolower, strlen, tostring, array_length, has_any, ago
