Overview
Explore advanced CMD obfuscation techniques in this 43-minute talk from Hack in Paris. Delve into the evolving landscape of attack vectors and obfuscation methods used by skilled attackers to evade detection. Learn about the shift in tradecraft towards languages offering less visibility to defenders, and examine real-world examples from APT and FIN threat actors. Discover cmd.exe's unexplored obfuscation capabilities, including string replacement, argument hiding, and novel encoding techniques. Gain insights into obfuscating binary names and lesser-known cmd.exe replacement binaries. Witness a live demonstration of the Invoke-DOSfuscation framework, which implements multi-layered obfuscation techniques for cmd.exe payloads. Conclude with a discussion on detection implications and approaches for this genre of obfuscation.
Syllabus
HIP18 - Talk 07 - Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation)
Taught by
Hack in Paris