expand.exe

• Character Substitution: Some command-line arguments allow characters to be replaced with Unicode equivalents.
  Example: -D is functionally equivalent to -D
• Character Insertion: Some command-line arguments allow specific characters to be inserted without altering the meaning of the original command line.
  Example: -D is functionally equivalent to -D
• Option Character Substitution: Command-line option characters, such as those starting with a forward slash or hyphen, have (unicode) alternatives that are also accepted.
  Example: -D is functionally equivalent to -D
• Quote Insertion: It is possible to add double quotes (in multiples of two) to some of the command-line options. This may obfuscate keywords used on the command line.
  Example: -D is functionally equivalent to -D
• File Path Transformations: When file paths are supplied to the executable, it is possible to apply transformations to the file path that may obscure the real path.
  Example: c:\windows\temp\input.cab is functionally equivalent to c:\windows\temp\input.cab
• RaNdOmCaSe: Part of the command line is case insensitive, meaning it is possible to use upper- and lowercase characters interchangably. This may frustrate case-sensitive detections.
  Example: -D is functionally equivalent to -D

Obfuscate expand.exe commands

Related

FAQs

What is command-line obfuscation?

Command-Line obfuscation is an attempt to masquerade or otherwise hide the true intention of a program execution. Particularly, in a cyber security context, this usually involves rewriting a process' arguments to something that is functionally equivalent to the original, but bypasses detection systems. This may enable an attacker to execute a malicious command with a lower chance of being detected.

Why would I need to obfuscate command lines?

The obfuscated command did not work, what do I do?

Command lines generated by ArgFuscator sometimes may not work as expected; one reason for this may be that the targeted program may have been updated since the obfuscation options were originally determined. Another reason may be that the obfuscation model created for ArgFuscator was incorrect. Command lines are complicated as every program has their own way of parsing and interpreting the provided arguments; we may therefore get small things wrong. If you believe this is the case, please raise an issue on ArgFuscator's GitHub repository so this can be looked into.