HITB2018AMS — Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation)

By Daniel Bohannon, Senior Applied Security Researcher, MANDIANT

Frank Breedijk, Apr 12, 2018

freedos1.1–1404179920, a CC image by Nguyen Hung Vu

There is a race going on between red and blue teams with regards to obfuscation. Obfuscation toolkits are getting better, but so are the built-in defense mechanisms in operating systems.

Daniel’s talk is about obfuscation of commands passed to cmd.exe in Windows.

Is this a real problem? Yes, the FIN8 APT group has used cmd.exe obfuscation as part of their attack toolkit, using standard input and environment variables to keep interesting stuff from the command line. APT32 (aka OceanLotus) used double quotes and Caret characters (^) as obfuscation. FIN7 (aka Carbanak) injected @-signs into command input and then removed it from standard input before passing it to cmd.exe for execution.

These three examples prompted Daniel to write a tool to perform other forms of obfuscated command execution.

How does this obfuscation affect detection? It seems to affect both dynamic and static attack detection. And the different obfuscations can be stacked.

The first technique is command name replacement. Daniel shows how he uses a for loop, set and findstr to extract the executable name powershell from the PSM environment variable.

The next step is injecting "meaningless" characters to obfuscate the actual command line parameters. Carets and double quotes are known, but commas (,) and semicolons (;) can be used to replace whitespace characters too, and in batch files non-existent environment variables can be inserted as well.

Retrospectively, Daniel found samples from 2012 and before where these techniques have actually been used, and he shows these examples.

E.g. Daniel changed %COMSPEC% to %coMSPec:\=/%, which still runs the same. He also shows further techniques for obfuscating the rest of the command line.

Defenders sometimes detect the use of carets and double quotes just to see if something fishy is going on.

Other tricks discovered are:

  • For command line arguments / and - are often interchangeable.
  • Setting a command in a variable and then calling it via call.
  • It is possible, via a four-step process, to use n"e"tstat, which is equal to n""e""tstat or netstat.
  • Variable names can consist of special characters.

In the end we end up with something like

,;c^Md;/^V^:O^N;,;/C "((sE^T coMMa^nD=ne^Z^sZ7^Z /7no))&& ,(; ( se^T s^Ub2^=!coM^MaNd:7^=a!);;,), &&; ;(((,S^eT SU^b1^=!sU^b2:Z^=t!);;),)&& ( (;;Ca^lL,,, %suB1% );,)"

This is equal to 'netstat /ano'.

Daniel demonstrated his tool Invoke-DOSfuscation that includes all these techniques and allows you to create these crazy obfuscated values on your own without all the hard thinking.

So how do you detect this?

  • Look for long argument length
  • Look for frequent obfuscation characters ( , ; ^ ( ) )
  • Obfuscation of internal commands
  • Unusual execution flags
  • Variable substitution on the command line

To help defenders, the tool also contains a DosTestHarness which defenders can use to test their detection rules against these obfuscation techniques.
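As an added example (not the speaker's tool and not code from the original post), the following Python scores a command line against the five detection heuristics listed above. The two sample command lines, the thresholds, and the choice of /V:ON as the "unusual execution flag" are constructed assumptions for illustration.

```python
import re

# Constructed samples (not from any real log): a plain netstat call and the
# layered obfuscation of the same command as shown in the talk write-up.
PLAIN = 'cmd.exe /c netstat -ano'
OBFUSCATED = (',;c^Md;/^V^:O^N;,;/C "((sE^T coMMa^nD=ne^Z^sZ7^Z /7no))&& ,(; '
              '( se^T s^Ub2^=!coM^MaNd:7^=a!);;,), &&; ;(((,S^eT SU^b1^=!sU^b2:Z^=t!);;),)'
              '&& ( (;;Ca^lL,,, %suB1% );,)"')

OBF_CHARS = set(',;^()')
INTERNAL = ['cmd', 'set', 'call', 'echo', 'for', 'if']
# Internal command name with ^ or " allowed between its letters (c^Md, s""eT, Ca^lL)
SPLIT_INTERNAL = [re.compile(r'(?<![a-z0-9])' + r'[\^"]*'.join(c) + r'(?![a-z0-9])', re.I)
                  for c in INTERNAL]
# %var:old=new% / !var:old=new! replacement and %var:~n,m% substring syntax
VAR_SUBST = re.compile(r'[!%][A-Za-z_]\w*:(?:~|[^!%=]+=)[^!%]*[!%]')
# Delayed-expansion switch; assumed here to be the "unusual execution flag"
DELAYED_EXPANSION = re.compile(r'/v:on', re.I)


def analyze(cmdline, max_len=100, max_ratio=0.10):
    """Return which of the five heuristics fire for one command line."""
    # Strip the escape characters so flags and variable syntax that were split
    # by carets or quotes can be matched in their plain form.
    plain = cmdline.replace('^', '').replace('"', '')
    ratio = sum(ch in OBF_CHARS for ch in cmdline) / max(len(cmdline), 1)
    split_cmd = any(('^' in m.group() or '"' in m.group())
                    for p in SPLIT_INTERNAL for m in p.finditer(cmdline))
    return {
        'long_arguments': len(cmdline) > max_len,
        'obfuscation_chars': ratio > max_ratio,
        'split_internal_command': split_cmd,
        'unusual_flags': bool(DELAYED_EXPANSION.search(plain)),
        'variable_substitution': bool(VAR_SUBST.search(plain)),
    }


def is_suspicious(cmdline, min_hits=2):
    """Flag a command line when at least min_hits heuristics fire together."""
    return sum(analyze(cmdline).values()) >= min_hits


if __name__ == '__main__':
    for name, line in (('plain', PLAIN), ('obfuscated', OBFUSCATED)):
        hits = [k for k, v in analyze(line).items() if v]
        print(f'{name}: suspicious={is_suspicious(line)} hits={hits}')
```

Requiring two heuristics to fire together keeps a single stray caret or a long but legitimate command line from raising an alert on its own.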

Materials

Invoke-DOSfuscation can be obtained from GitHub: https://github.com/danielbohannon/Invoke-DOSfuscation

Paper published here: https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf

About the speaker

Daniel Bohannon is a Senior Applied Security Researcher with MANDIANT’s Advanced Practices group with over seven years of operations and information security experience. His particular areas of expertise include enterprise-wide incident response investigations, host-based and network-based detection capabilities research and development, and obfuscation and detection evasion research and tradecraft development.

He is the author of the Invoke-Obfuscation and Invoke-CradleCrafter PowerShell obfuscation frameworks and the co-author of the Revoke-Obfuscation PowerShell obfuscation detection framework.

Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology and a Bachelor of Science in Computer Science from The University of Georgia.

This article is part of my coverage of the Hack in the Box security conference 2018 Amsterdam. This article is my recording of the talk as it was given at the conference. Therefore any opinions expressed are not mine, but those of the speaker.
