Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., Phishing and Drive-by Compromise) or interactively via Command and Scripting Interpreter.(Citation: Akamai JS)(Citation: Malware Monday VBE)
For example, adversaries may abuse syntax that utilizes various symbols and escape characters (such as spacing, `^`, `+`, `$`, and `%`) to make commands difficult to analyze while maintaining the same intended functionality.(Citation: RC PowerShell) Many languages support built-in obfuscation in the form of base64 or URL encoding.(Citation: Microsoft PowerShellB64) Adversaries may also manually implement command obfuscation via string splitting (`"Wor"+"d.Application"`), order and casing of characters (`rev <<<'dwssap/cte/ tac'`), globbing (`mkdir -p '/tmp/:&$NiA'`), as well as various tricks involving passing strings through tokens/environment variables/input streams.(Citation: Bashfuscator Command Obfuscators)(Citation: FireEye Obfuscation June 2017)
Adversaries may also use tricks such as directory traversals to obfuscate references to the binary being invoked by a command (`C:\voi\pcw\..\..\Windows\tei\qs\k\..\..\..\system32\erool\..\wbem\wg\je\..\..\wmic.exe shadowcopy delete`).(Citation: Twitter Richard WMIC)
Tools such as Invoke-Obfuscation and Invoke-DOSfucation have also been used to obfuscate commands.(Citation: Invoke-DOSfuscation)(Citation: Invoke-Obfuscation)
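The obfuscation layers described above (cmd.exe caret escapes, base64-encoded PowerShell, and `..\` traversal hiding the real binary path) can each be undone by a log-side normalizer before signatures are applied. The following is an added example written for this page, not code from ATT&CK or from any of the tools it cites; the command lines it analyzes are constructed samples, the `-e`/`-ec`/`-enc`/`-EncodedCommand` prefixes it recognizes are the common spellings rather than an exhaustive list, and the caret threshold of three is an assumed tuning value.

```python
"""Normalise command lines and flag command-obfuscation indicators.

Added example for detection engineering: undo three obfuscation layers so a
plain-text rule can see the real command.
  * cmd.exe caret (^) escapes inserted between characters,
  * base64-encoded PowerShell (-EncodedCommand payloads are UTF-16LE text),
  * directory traversal (..\\) hiding the path of the invoked binary.
"""
import base64
import binascii
import ntpath
import re

# PowerShell accepts unambiguous prefixes of -EncodedCommand; these are the
# spellings most often seen in telemetry (assumed list, not exhaustive).
ENCODED_CMD_RE = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE
)
CARET_THRESHOLD = 3  # assumed: benign command lines rarely carry many carets

# Constructed sample command lines (not real telemetry). The base64 payload is
# built at import time so the sample is guaranteed to be well formed.
ENCODED_SAMPLE = base64.b64encode("Write-Output hello".encode("utf-16le")).decode()
SAMPLE_COMMANDS = [
    r"C:\voi\pcw\..\..\Windows\tei\qs\k\..\..\..\system32\erool\..\wbem\wg\je\..\..\wmic.exe shadowcopy delete",
    "cmd.exe /c p^o^w^e^r^s^h^e^l^l -nop -w hidden",
    f"powershell.exe -EncodedCommand {ENCODED_SAMPLE}",
    r"notepad.exe C:\Users\alice\notes.txt",
]


def strip_cmd_carets(cmd: str) -> str:
    """Remove cmd.exe escape carets: '^x' becomes 'x', so '^^' becomes '^'."""
    return re.sub(r"\^(.)", r"\1", cmd)


def decode_encoded_command(cmd: str):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    match = ENCODED_CMD_RE.search(cmd)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def first_token(cmd: str) -> str:
    """The invoked binary: first whitespace-delimited token, quotes stripped."""
    return cmd.strip().split(None, 1)[0].strip('"')


def resolve_binary_path(cmd: str) -> str:
    """Collapse '.' and '..' segments in the invoked binary's path."""
    return ntpath.normpath(first_token(cmd))


def analyze(cmd: str) -> dict:
    """Produce a normalised view of one command line plus the indicators found."""
    result = {"normalized": cmd, "decoded": None, "resolved_binary": "", "indicators": []}
    if not cmd.strip():
        return result
    normalized = cmd
    if cmd.count("^") >= CARET_THRESHOLD:
        result["indicators"].append("caret_escape")
        normalized = strip_cmd_carets(cmd)
    decoded = decode_encoded_command(normalized)
    if decoded is not None:
        result["indicators"].append("encoded_command")
        result["decoded"] = decoded
    binary = first_token(cmd)
    if ".." in binary.replace("/", "\\").split("\\"):
        result["indicators"].append("path_traversal")
    result["normalized"] = normalized
    result["resolved_binary"] = resolve_binary_path(cmd)
    return result


if __name__ == "__main__":
    for sample in SAMPLE_COMMANDS:
        report = analyze(sample)
        print(f"{report['indicators'] or ['none']}: {report['resolved_binary']}")
        if report["decoded"]:
            print(f"  decoded: {report['decoded']}")
```

Running the block prints, for each constructed sample, the indicators raised and the resolved binary; the traversal-laden sample resolves to `C:\Windows\system32\wbem\wmic.exe`, which a rule on `wmic.exe shadowcopy delete` can then match directly. `ntpath.normpath` is pure string manipulation, so it resolves Windows paths correctly even when the normalizer runs on a Linux log pipeline.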
Procedure Examples

| Name | Description |
|---|---|
| Sardonic | Sardonic PowerShell scripts can be encrypted with RC4 and compressed using Gzip.(Citation: Bitdefender Sardonic Aug 2021) |
| PowerSploit | PowerSploit contains a collection of ScriptModification modules that compress and encode scripts and payloads.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation) |
| Ursnif | Ursnif droppers execute base64-encoded PowerShell commands.(Citation: Bromium Ursnif Mar 2017) |
| Zeus Panda | Zeus Panda obfuscates the macro commands in its initial payload.(Citation: Talos Zeus Panda Nov 2017) |
| CARROTBAT | CARROTBAT has the ability to execute obfuscated commands on the infected host.(Citation: Unit 42 CARROTBAT November 2018) |
| Emotet | Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts.(Citation: Talos Emotet Jan 2019)(Citation: Trend Micro Emotet Jan 2019)(Citation: Picus Emotet Dec 2018)(Citation: ESET Emotet Dec 2018) |
| Empire | Empire has the ability to obfuscate commands using |
| BADHATCH | BADHATCH malicious PowerShell commands can be encoded with base64.(Citation: BitDefender BADHATCH Mar 2021) |
| Machete | Machete has used pyobfuscate, zlib compression, and base64 encoding for obfuscation. Machete has also used some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.(Citation: Cylance Machete Mar 2017)(Citation: ESET Machete July 2019) |
| FruitFly | FruitFly executes and stores obfuscated Perl scripts.(Citation: objsee mac malware 2017) |
| DarkWatchman | DarkWatchman has used Base64 to encode PowerShell commands.(Citation: Prevailion DarkWatchman 2021) |
| SHARPSTAT | |