DOSfuscation: Exploring the Depths of Cmd.exe Obfuscation and Detection Techniques

Skilled attackers continually seek out new attack vectors, while
employing evasion techniques to maintain the effectiveness of old
vectors, in an ever-changing defensive landscape. Many of these threat
actors employ obfuscation frameworks for common scripting languages
such as JavaScript and PowerShell to thwart signature-based detections
of common offensive tradecraft written in these languages.

However, as defenders’ visibility into these popular scripting
languages increases through better logging and defensive tooling, some
stealthy attackers have shifted their tradecraft to languages that do
not support this additional visibility. At a minimum, determined
attackers are adding dashes of simple obfuscation to previously
detected payloads and commands to break rigid detection rules.

In this DOSfuscation
white paper
, first presented at Black Hat Asia 2018, I showcase
nine months of research into several facets of command line argument
obfuscation that affect static and dynamic detection approaches.
Beginning with cataloguing a half-dozen characters with significant
obfuscation capabilities (only two of which I have identified being
used in the wild), I then highlight the static detection evasion
capabilities of environment variable substring encoding. Combining
these techniques, I unveil four never-before-seen payload obfuscation
approaches that are fully compatible with any input command on
cmd.exe’s command line. These obfuscation capabilities de-obfuscate in
the current cmd.exe session for both interactive and noninteractive
sessions, and avoid all command line logging. Finally, I discuss the
building blocks required for these new encoding and obfuscation
capabilities and outline several approaches that defenders can take to
begin detecting this genre of obfuscation.

As a Senior Applied Security Researcher with FireEye’s Advanced
Practices Team, I am tasked with researching, developing and deploying
new detection capabilities to FireEye’s detection platform to stay
ahead of advanced threat actors and their ever-changing tactics,
techniques and procedures. FireEye customers have been benefiting from
multiple layers of innovative obfuscation detection capabilities
developed and deployed over the past nine months as a direct result of
this research.

Download the DOSfuscation
white paper

Daniel Bohannon (@danielhbohannon) is a Senior Applied Security
Researcher on FireEye’s Advanced Practices Team.

This is a Security Bloggers Network syndicated blog post authored by Nick Harbour. Read the original post at: Threat Research Blog