Command Line Obfuscation (CLOB) has been proved to be a non-negligible factor in fileless malware or malicious actors that are "living off the land". With dozens of obfuscation tools seen in the wild, by contrast few proper countermeasures can be found. In this talk, we present Flerken, an obfuscation detection approach that works for both Windows (Powershell and CMD) and Linux (Bash) commands. To the best of our knowledge, Flerken is the first solution that supports cross-platform obfuscation detection feature.
This talk first shares some key observations on CLOB such as its attack vectors and analyzing strategies. Then we give a detailed design of Flerken. The description is divided in two parts, namely Kindle (for Windows) and Octopus (for Linux). Respectively, we will show how human readability can serve as an effective statistical feature against PS/CMD obfuscation, and how dynamic syntax parsing can be adopted to eliminate false positives/negatives against Bash CLOB. The effectiveness of Flerken is evaluated via representative black/white command samples and performance experiments.
Hereby, we highlight the functional properties Flerken basically satisfies as follows:
• Scalability. Flerken supports cross-platform obfuscation detection. Furthermore, Flerken can help achieve real-time obfuscation bubbling in server EDR systems (with a scale on the order of millions).
• Accuracy. Flerken is adequate to correctly distinguish most Windows/Linux command obfuscations. Therefore, Flerken can be adopted by enterprises in many security investigations of server endpoints.
• Availability. Flerken now is accessible through its official webpage. All you have to do is to paste into the command string and test what you want to analyze. No specific input file format is required. We have also open-sourced Flerken on Github so you can build your own detector on demand.
- De-Obfuscated-Bash Tool: An image of the octopusbash-embedded docker.
- A Web Manage Platform to monitor, config workflow of Flerken, also analysis the workflow ouput results.
Web Demo Source Code
Please checkout our another branch web-demo.
If you have any question or feedbacks on Flerken. Please create an issue and choose a suitable label for it. We will solve it as soon as possible.
Please see our CHANGELOG.md
We would like to thank all the contributors to this research project and all the members in Tencent Blade Team. In addition, we would like to thank security researchers Daniel Bohannon and Andrew LeFevre for their valuable feedback and discussion.
Flerken is released under the Apache 2.0 license.