Earlier this fall we released a clever shell GLOBbing technique being leveraged by STEEP#MAVERICK, and this month we’re bringing you another nifty command-line obfuscation emulation! Command-line obfuscation is not a new technique; at its core it arises from a lack of standardization in command-line parsing practices and from the multiple character encodings available. As a result, many Windows applications accept several different expressions of a single command (either for ease of use or for compatibility reasons). Security researchers Wietze Beukema and Daniel Bohannon both have wonderful whitepapers that outline multiple ways to leverage command-line obfuscation and the resulting implications for detection.
While this technique doesn’t obfuscate the actual process name or process execution, it is likely enough to bypass rigid detection rules. From a defense perspective, most detections for cmd.exe focus on cmd.exe with specific arguments, on parent/child process relationships, or, more rarely, on cmd.exe as the source of an action such as a registry or file modification. The tricky issue with cmd.exe is that it is used so frequently that oftentimes it is legitimate. Filtering through the noise to determine when it is malicious is not necessarily an easy task. The key to achieving effective detections, as is true in most cases, will be a defense-in-depth strategy. Our emulation showcases just one of many possible command obfuscation techniques that could be stacked or used independently.
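To make the detection point concrete, here is an added Python example (not from the SCYTHE post or its emulation): a rigid substring rule beside the same rule applied after normalizing the command line, run over constructed sample lines. The normalization rules it assumes about cmd.exe parsing are labelled in the code.

```python
import re

# Constructed sample command lines (not taken from the original post): one
# plain invocation, variants cmd.exe resolves to the same command, and a
# benign line that should never match.
SAMPLE_COMMAND_LINES = [
    'cmd.exe /c whoami',
    'c^m^d.exe /c who^ami',
    'cm""d.exe /c "who"ami',
    'CMD.EXE  /C   WHOAMI',
    'notepad.exe C:\\Users\\user\\notes.txt',
]


def normalize_cmdline(cmdline: str) -> str:
    """Fold the cmd.exe-specific spellings of one command onto a single form.

    Assumptions: a caret outside double quotes is cmd's escape character and
    is dropped before the token is interpreted, and quote characters are not
    part of the resolved command or argument name. Stripping a caret that sat
    inside quotes can at worst cause an extra match, never a miss, which is
    the right failure direction for a detection normalizer.
    """
    s = cmdline.replace('^', '').replace('"', '')
    s = re.sub(r'\s+', ' ', s).strip()
    return s.lower()


def rigid_rule(cmdline: str) -> bool:
    """Brittle detection: exact substring match on the raw command line."""
    return 'cmd.exe /c whoami' in cmdline


def normalized_rule(cmdline: str) -> bool:
    """Same logic, applied to the normalized command line instead."""
    return 'cmd.exe /c whoami' in normalize_cmdline(cmdline)


def evaluate(lines):
    """Return (rigid_hits, normalized_hits) for a batch of command lines."""
    rigid = sum(rigid_rule(line) for line in lines)
    normalized = sum(normalized_rule(line) for line in lines)
    return rigid, normalized


if __name__ == '__main__':
    print(evaluate(SAMPLE_COMMAND_LINES))  # → (1, 4)
```

The rigid rule fires on only the plain line, while the normalized rule catches every variant and still ignores the notepad line.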
SCYTHE customers can find this month’s emulation and walkthrough in our new Customer Portal! Our AES customers get to see this technique in action with a new Qakbot-VHD emulation!
Happy Hunting!
–SCYTHE AES Team