Invoke-DOSfuscation: Cmd.exe Command Obfuscation Generator & Detection

by do son · Published March 25, 2018 · Updated October 25, 2022

Invoke-DOSfuscation v1.0

Invoke-DOSfuscation is a PowerShell v2.0+ compatible cmd.exe command obfuscation framework.

Over the past several years as an Incident Response consultant, I have witnessed a myriad of obfuscation and evasion techniques employed by several threat actors. Some of these techniques are incredibly complex while others are tastefully simple, but both categories are employed to evade detection. In my experience, I have found APT32 and FIN7 to pull out the most alluring obfuscation techniques and their creativity is noteworthy.

In June 2017 after a slew of incremental command line obfuscation techniques, FIN7 used an environment variable string substitution capability native to cmd.exe that at the time I did not know even existed. Spurred by this discovery I co-authored a blog post with Nick Carr (@ItsReallyNick) called Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques where we highlighted numerous groups’ obfuscation techniques we identified in the wild.

The following weekend I explored this native cmd.exe substitution functionality and built and released a simple Proof-of-Concept tool called Out-FINcodedCommand. As soon as I released this POC I stepped back and thought, “Maybe there are more obfuscation capabilities within cmd.exe that I should explore and build detections for before we discover it being used in the wild.”

Purpose

Attackers are increasingly using obfuscation techniques to evade detections based heavily on command line argument values. To counter this I spent five months researching and developing obfuscation and encoding techniques native to cmd.exe so that I could create robust detections for these core techniques that I have not yet seen in the wild.

This framework’s sole purpose is to enable defenders to randomly generate thousands of uniquely obfuscated sample commands to test and tune their detection capabilities against these techniques. I included my full test harness in this release to automate this detection testing process.

In many ways, this framework enables defenders to fuzz cmd.exe’s obfuscation techniques, and in building this tool I discovered numerous additional obfuscation opportunities that I did not uncover in my initial research.

I also shared this information with Microsoft in November 2017 and inquired about opportunities to expose additional visibility into the inner workings of cmd.exe’s usage of the core techniques that are the building blocks of all of the obfuscation functions built into this framework.

As a defender, the end goal of this research and development is to raise awareness and drive change that will help end users better protect themselves against attackers’ ever-changing TTPs (Tools, Techniques, and Procedures).