Commandline Obfusaction
Commandline obfuscation
This lab is based on the research done by Daniel Bohannon from FireEye.
Environment variables
Note though that the commandline logging (dynamic detection) still works as the commandline needs to be expanded before it can get executed, but static detection could be bypassed:
Double quotes
Note how double quotes can actually make both static and dynamic detection a bit more difficult:
Carets
Commandline logging, same as with using environment variables, is not affected, however static detection could be affected:
Garbage delimiters
A very interesting technique. Let's look at this first without garbage delimiters:
The above sets en environment variable x to calc
and then prints it and pipes it to the standard input of the cmd:
Introducing garbage delimiters @
into the equation:
The above does the same as the earlier example, except that it introduces more filth into the command (c@lc
). You can see from the below screenshot that Windows does not recognize such a command c@lc
, but the second attempt when the %x:@=%
removes the extraneous @
symbol from the string, gets executed successfully:
If it is confusing, the below should help clear it up:
In the above, the value mantvydas
got inserted in the c@lc
in place of @, suggesting that %x:@=%
(:@=
to be precise) is just a string replacement capability in the cmd.exe utility.
With this knowledge, the original obfuscated command
reads: replace the @ symbol with text that goes after the =
sign, which is empty in this case, which effectively means - remove @ from the value stored in the variable x.
Substring
Cmd.exe also has a substring capability. See below:
Note that this is only good for bypassing static detection:
Batch FOR, DELIMS + TOKENS
We can use a builtin batch looping to extract the Powershell string from environment variables in order to launch it and bypass static detection that looks for a string "powershell" in program invocations:
Note how the WindowsPowerShell
string is present in the PSModule
environment variable - this mean we can extract it like so:
What the above command does:
Executes
set^|findstr PSM
to get the PSModulePath variable valueSplits the string using delimiters
s
&\
Prints out the 7th token, which happens to be the
PowerShell
Which effectively launches PowerShell
Comma, semicolon
This may be used for both static and dynamic detection bypasses:
FORCoding
What happens below is essentially there is a loop that goes through the list of indexes (0 1 2 3 2 6 2 4 5 6 0 7) which are used to point to characters in the variable unique
which acts like an alphabet. This allows for the FOR loop to cycle through the index, pick out characters from the alphabet pointed to by the index and concatenate them into a final string that eventually gets called with CALL %final%
when the loop reaches the index 1337.
In verbose python this could look something like this:
References
Last updated