Invoke-DOSfuscation is a PowerShell v2.0+ compatible cmd.exe command obfuscation framework. (White paper: https://www.fireeye.com/blog/threat-research/2018/03/dosfuscation-exploring-obfuscation-and-detection-techniques.html)
Over the past several years we witnessed a myriad of obfuscation and evasion techniques employed by several threat actors. Some of these techniques are incredibly complex while others are tastefully simple, but both categories are employed to evade detection, the information security training expert said. In the experience, we have found APT32 and FIN7 to pull out the most alluring obfuscation techniques and their creativity is noteworthy.
Attackers are increasingly using obfuscation techniques to evade detections based heavily on command line argument values. To counter this, an information security training expert spent five months researching and developing obfuscation and encoding techniques native to cmd.exe so that we could create robust detections for these core techniques that we have not yet seen in the wild.
This framework’s purpose is to enable defenders to randomly generate thousands of uniquely obfuscated sample commands to test and tune their detection capabilities against these techniques. The information security training professional included a full test harness in this release to automate this detection testing process.
In many ways this framework enables defenders to fuzz cmd.exe’s obfuscation techniques, and in building this tool he discovered numerous additional obfuscation opportunities that he did not uncover in the initial research.
He shared this information with Microsoft in November 2017 and inquired about opportunities to expose additional visibility into the inner workings of cmd.exe’s usage of the core techniques that are the building blocks of all of the obfuscation functions built into this framework.
While all of the obfuscation components are built out into standalone formal functions, most users will find the Invoke-DOSfuscation function to be the easiest way to explorer and visualize the obfuscation techniques that this framework supports. For fuzzing and deep exploration of the numerous tuning options for each obfuscation category, though, it is recommended that the individual functions be used directly outside of the Invoke-DOSfuscation function wrapper.
To enable defenders to easily begin fuzzing and testing detection ideas, this framework also includes an additional module, Invoke-DOSfuscationTestHarness.psm1 that is automatically imported with the rest of the project. The two key functions in this module for defenders are:
Invoke-DosTestHarness – Generates (with default argument settings) over 1000 randomly-obfuscated commands from a list of test commands for both payload integrity and detection purposes, each test harness iteration randomizes all available function arguments and calls the four obfuscation functions directly instead of using the more standardized -ObfuscationLevel values (1-3) that the Invoke-DOSfuscation menu-driven function uses by default. This produces a significantly wider range of obfuscation output against which one can build more thorough detections. Each obfuscated command is then checked against the second function:
Get-DosDetectionMatch – Checks an input command (string) against all regex detection values input into the $regexDetectionTerms array in the function. This is automatically called by Invoke-DosTestHarness but can be called in a stand-alone fashion as well.
At the end of each test harness invocation statistics for proper command execution and detection will be displayed so defenders can quickly identify which commands have 0 or only 1-2 detection matches and which might need better coverage.
Finally, to avoid requiring defenders to have to run the test harness to get started, the information security training expert have provided 1000 sample commands in the Samples directory broken out across each of the four obfuscation functions. The formats include .txt files, and Security and Sysmon .evtx files. The expert included a couple sample detection rules in the $regexDetectionTerms array in Invoke-DOSfuscationTestHarness.psm1, but you will want to add and test many more rules as you test the sample obfuscated commands). In addition to .txt files with the raw commands there are .evtx files containing the process execution logs (Sysmon EID 1 events) for each of the 1000 sample commands. These event logs are tremendously helpful for building indicators based on nuanced child process executions that are byproducts of several building block techniques upon which Invoke-DOSfuscation is built.