search
Ctrlk

Commandline Obfusaction

Commandline obfuscation

This lab is based on the research done by Daniel Bohannon from FireEye.

hashtag
Environment variables

C:\Users\mantvydas>set a=/c & set b=calc
C:\Users\mantvydas>cmd %a% %b%

Note though that the commandline logging (dynamic detection) still works as the commandline needs to be expanded before it can get executed, but static detection could be bypassed:

hashtag
Double quotes

Note how double quotes can actually make both static and dynamic detection a bit more difficult:

hashtag
Carets

Commandline logging, same as with using environment variables, is not affected, however static detection could be affected:

hashtag
Garbage delimiters

A very interesting technique. Let's look at this first without garbage delimiters:

The above sets en environment variable x to calc and then prints it and pipes it to the standard input of the cmd:

Introducing garbage delimiters @ into the equation:

The above does the same as the earlier example, except that it introduces more filth into the command (c@lc). You can see from the below screenshot that Windows does not recognize such a command c@lc, but the second attempt when the %x:@=% removes the extraneous @ symbol from the string, gets executed successfully:

If it is confusing, the below should help clear it up:

In the above, the value mantvydas got inserted in the c@lc in place of @, suggesting that %x:@=% (:@= to be precise) is just a string replacement capability in the cmd.exe utility.

With this knowledge, the original obfuscated command

reads: replace the @ symbol with text that goes after the = sign, which is empty in this case, which effectively means - remove @ from the value stored in the variable x.

hashtag
Substring

Cmd.exe also has a substring capability. See below:

Note that this is only good for bypassing static detection:

hashtag
Batch FOR, DELIMS + TOKENS

We can use a builtin batch looping to extract the Powershell string from environment variables in order to launch it and bypass static detection that looks for a string "powershell" in program invocations:

Note how the WindowsPowerShell string is present in the PSModule environment variable - this mean we can extract it like so:

What the above command does:

  1. Executes set^|findstr PSM to get the PSModulePath variable value

  2. Splits the string using delimiters s & \

  3. Prints out the 7th token, which happens to be the PowerShell

  4. Which effectively launches PowerShell

hashtag
Comma, semicolon

This may be used for both static and dynamic detection bypasses:

hashtag
FORCoding

What happens below is essentially there is a loop that goes through the list of indexes (0 1 2 3 2 6 2 4 5 6 0 7) which are used to point to characters in the variable unique which acts like an alphabet. This allows for the FOR loop to cycle through the index, pick out characters from the alphabet pointed to by the index and concatenate them into a final string that eventually gets called with CALL %final% when the loop reaches the index 1337.

In verbose python this could look something like this:

hashtag
References

LogoDOSfuscation: Exploring the Depths of Cmd.exe Obfuscation and Detection Techniques | Mandiant | Google Cloud BlogGoogle Cloud Blogchevron-right
PreviousMasquerading Processes in Userland via _PEBNextFile Smuggling with HTML and JavaScript

Last updated