DOSfuscation – Exploring the Depths of Cmd.exe Obfuscation and Detection Techniques by FireEye

Skilled attackers continually seek out new attack vectors while employing evasion techniques to maintain the effectiveness of old vectors in an ever-changing defensive landscape. Numerous threat actors employ obfuscation frameworks for common scripting languages like JavaScript and PowerShell to thwart signature-based detections of common offensive tradecraft written in these languages.

However, as defenders’ visibility into these popular scripting languages increases through better logging practices [1] and inline inspection of the execution phases of these languages via Microsoft’s Antimalware Scan Interface [2], some stealthy attackers have shifted their tradecraft to languages that do not support this additional visibility. At a minimum, determined attackers are adding dashes of simple obfuscation to previously detected payloads and commands to break rigid detection rules.

FireEye’s Advanced Practices Team is dedicated to developing detection capabilities for advanced TTPs (Tools, Techniques and Procedures) that attackers use in the wild. The author’s role as a Senior Applied Security Researcher on this team entails researching existing and new areas of obfuscation and evasion to ultimately build more robust detection capabilities. Enumerating new problem spaces empowers one to more effectively detect the elusive tricks used by today’s threat actors. This approach also drives forward detection capabilities for obfuscation techniques not yet identified in the wild.

In June 2017, the Advanced Practices Team identified FIN7 (a financially-motivated threat actor also known as Carbanak) testing a novel obfuscation technique native to cmd.exe. Prompted by this discovery, the author began researching obfuscation techniques supported by cmd.exe and hunting for their usage across client and customer environments and in public and private file repositories. These findings represent nine months of dedicated research, detection development and threat hunting across 10+ million endpoints all around the world.

The goal of this research is to enumerate the problem space of cmd.exe-supported obfuscation techniques to stay ahead of the next obfuscation trick that FIN7 or other threat actors might employ. It is with this defensive mindset that the author presents these research findings so other defenders can more effectively detect these obfuscation and evasion techniques.
