Advanced Obfuscation

Caret ^ Insertion

The caret (^) is the cmd.exe escape character: during parsing a lone caret is removed and the character after it is kept, so carets inserted between the letters of a command defeat static string or pattern matching on the raw command line while the launched process still receives the intended arguments.

C:\WINDOWS\system32\cmd.exe /c P^^o^^w^^e^^r^^S^^h^^e^^l^^l^^.^^e^^x^^e -No^^Exit -Ex^^ec By^^pass -^^EC YwBhAG^^wAYwA=

Commas & Semicolons

The final obfuscation characters uncovered during this research are the comma and semicolon. The comma and semicolon are almost always interchangeable with one another and can be placed almost anywhere that whitespace is allowed in cmd.exe command line arguments. These characters can even serve as delimiters in places where whitespace delimiters are typically required (easily breaking the previous sample regular expression term echo\s):

,;,cmd.exe,;,/c,;,echo;Command 1&&echo,Command 2

Environment Variables and Substrings

The COMSPEC environment variable holds the full path to cmd.exe (C:\WINDOWS\system32\cmd.exe, 27 characters). Variable names are case-insensitive, and the substring syntax %VAR:~start,length% tolerates whitespace and explicit signs, so the reference below expands to the complete path even though it looks nothing like a plain %COMSPEC%.

%coMSPec:~ -0, +27% /b /c start /b /min netstat -ano | findstr LISTENING
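Added example, not code from the original page: a small Python normalizer that undoes the three tricks described above (caret insertion, comma/semicolon delimiters, and environment-variable substrings) before any plain substring or regex detection is applied, run over the page's three sample command lines. The COMSPEC value is a constructed stand-in for the logged process's environment, and the signature regexes and thresholds are illustrative assumptions to be tuned against a real baseline.

```python
"""Normalize cmd.exe command lines so that simple detections fire on the
de-obfuscated text. Illustrative code; the environment mapping, signatures
and thresholds are assumptions, not values from the original page."""
import re

# Constructed stand-in for the environment of the logged process (assumption).
ASSUMED_ENV = {"COMSPEC": r"C:\WINDOWS\system32\cmd.exe"}

# %NAME:~start,length% with the whitespace and explicit signs cmd.exe tolerates
# (as in the page's %coMSPec:~ -0, +27% sample); %NAME% is the plain form.
SUBSTR_RE = re.compile(r"%([^%:~]+):~\s*([+-]?)\s*(\d+)\s*(?:,\s*([+-]?)\s*(\d+)\s*)?%")
PLAIN_RE = re.compile(r"%([^%:~]+)%")
DELIM_RE = re.compile(r"[,;]+")

# Plain-text detections an analyst might already have, run on the normalized line.
SIGNATURES = {
    "powershell_encoded": re.compile(r"powershell(?:\.exe)?\b.*\s-(?:ec|enc|encodedcommand)\b", re.I),
    "exec_bypass": re.compile(r"-ex(?:ec|ecutionpolicy)?\s+bypass", re.I),
    "echo": re.compile(r"\becho\s"),
    "netstat_findstr": re.compile(r"netstat\b.*\|\s*findstr\b", re.I),
}


def _substring(value, start, length):
    """cmd.exe substring semantics: a negative start counts from the end,
    a negative length drops that many characters from the end."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    end = start + length if length >= 0 else n + length
    return value[start:end]


def expand_env(cmdline, env=ASSUMED_ENV):
    """Expand %VAR% and %VAR:~s,l% references case-insensitively; unknown
    variables are left untouched so nothing is silently lost."""
    lookup = {k.upper(): v for k, v in env.items()}

    def sub_substr(m):
        value = lookup.get(m.group(1).upper())
        if value is None:
            return m.group(0)
        start = int(m.group(2) + m.group(3))
        length = int(m.group(4) + m.group(5)) if m.group(5) else None
        return _substring(value, start, length)

    def sub_plain(m):
        return lookup.get(m.group(1).upper(), m.group(0))

    return PLAIN_RE.sub(sub_plain, SUBSTR_RE.sub(sub_substr, cmdline))


def unescape_carets(s):
    """One cmd.exe parsing layer: a caret is dropped and the next character is
    kept, so '^^' becomes a literal '^'. Quoting is ignored on purpose, since
    over-stripping is harmless when the output is only used for matching."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "^" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def normalize(cmdline, env=ASSUMED_ENV, max_layers=4):
    """Peel caret layers until stable (each cmd.exe hop strips one), expand
    environment substrings, then treat commas and semicolons as whitespace.
    Environment expansion runs first because the substring syntax itself
    contains a comma."""
    text = cmdline
    for _ in range(max_layers):
        stripped = unescape_carets(text)
        if stripped == text:
            break
        text = stripped
    text = expand_env(text, env)
    text = DELIM_RE.sub(" ", text)
    return " ".join(text.split())


def obfuscation_markers(cmdline):
    """Flags raised on the raw line; the thresholds are assumptions to tune
    (legitimate rundll32 arguments contain a comma, for example)."""
    markers = []
    if cmdline.count("^") >= 3:
        markers.append("caret_insertion")
    if len(re.findall(r"[,;]", cmdline)) >= 3:
        markers.append("comma_semicolon_delimiters")
    if SUBSTR_RE.search(cmdline):
        markers.append("env_substring")
    return markers


def analyze(cmdline, env=ASSUMED_ENV):
    normalized = normalize(cmdline, env)
    return {
        "normalized": normalized,
        "obfuscation": obfuscation_markers(cmdline),
        "matches": [name for name, rx in SIGNATURES.items() if rx.search(normalized)],
    }


# The page's three sample command lines, used here as the input corpus.
SAMPLES = [
    r"C:\WINDOWS\system32\cmd.exe /c P^^o^^w^^e^^r^^S^^h^^e^^l^^l^^.^^e^^x^^e -No^^Exit -Ex^^ec By^^pass -^^EC YwBhAG^^wAYwA=",
    r",;,cmd.exe,;,/c,;,echo;Command 1&&echo,Command 2",
    r"%coMSPec:~ -0, +27% /b /c start /b /min netstat -ano | findstr LISTENING",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(analyze(line))
```

The point of running signatures on the normalized text rather than the raw line is that the raw line is what the attacker controls; the raw line is still worth inspecting, but only for obfuscation markers (caret density, delimiter abuse, substring expressions), which are themselves a strong signal because ordinary administrative command lines rarely contain them.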
