Overview
Explore advanced command-line obfuscation techniques in this 55-minute conference talk from NorthSec. Dive deep into cmd.exe's multi-faceted obfuscation capabilities, starting with basic methods like carets, quotes, and stdin argument hiding. Progress to more complex techniques, including string removal/replacement and novel full encoding methods performed entirely in memory. Learn about obfuscating binary names from static and dynamic analysis, and discover lesser-known cmd.exe replacement binaries. Witness a live demonstration of the Invoke-DOSfuscation framework, which implements these multi-layered obfuscation techniques. Gain insights into the detection implications and defensive approaches for combating this evolving form of obfuscation used by advanced threat actors.
Syllabus
Daniel Bohannon - Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation)
Taught by
NorthSec