Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation)

Skilled attackers continually seek out new attack vectors and effective ways of obfuscating old techniques to evade detection. Active defenders can attest to attackers’ prolific obfuscation of JavaScript, VBScript and PowerShell payloads given the ample availability of obfuscation frameworks and their effectiveness at evading many of today’s defenses.

However, advanced defenders are increasingly detecting this obfuscation with help from the data science community. This approach paired with deeper visibility into memory-resident payloads via interfaces like Microsoft’s Antimalware Scan Interface (AMSI) is causing some Red Teamers to shift tradecraft to languages that offer defenders less visibility. But what are attackers using in the wild?

In the past year numerous APT and FIN (Financial) threat actors have increasingly introduced obfuscation techniques into their usage of native Windows binaries like wscript.exe, regsvr32.exe and cmd.exe. Some simple approaches entail randomly adding cmd.exe’s caret (^) escape character to command arguments. More interesting techniques like those employed by APT32, FIN7 and FIN8 involve quotes, parentheses and standard input.

The most interesting obfuscation technique observed in the wild was FIN7’s use of cmd.exe’s string replacement functionality identified in June 2017. This discovery single-handedly initiated my research into cmd.exe’s surprisingly effective but vastly unexplored obfuscation capabilities.

In this presentation I will dive deep into cmd.exe’s multi-faceted obfuscation opportunities beginning with carets, quotes and stdin argument hiding. Next I will extrapolate more complex techniques including FIN7’s string removal/replacement concept and two never- before-seen obfuscation and full encoding techniques – all performed entirely in memory by cmd.exe. Finally, I will outline three approaches for obfuscating binary names from static and dynamic analysis while highlighting lesser-known cmd.exe replacement binaries.

I will conclude this talk by performing a live demo of my new cmd.exe obfuscation framework called Invoke-DOSfuscation that obfuscates payloads using these multi-layered techniques. I will also share detection implications and approaches for this genre of obfuscation.


Daniel (DBO) Bohannon Senior Applied Security Researcher, FireEye

Daniel Bohannon is a Senior Applied Security Researcher with FireEye’s Advanced Practices Team with over seven years of operations, security and Incident Response experience.

He is the author of Invoke-Obfuscation, Invoke-CradleCrafter, Invoke-DOSfuscation and co- author of the Revoke-Obfuscation detection framework. He has presented at numerous conferences including Black Hat USA, DEF CON, DerbyCon and BlueHat.

Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology and a Bachelor of Science in Computer Science from The University of Georgia.