This lab is based on the research done by Daniel Bohannon from FireEye.
C:\Users\mantvydas>set a=/c & set b=calcC:\Users\mantvydas>cmd %a% %b%
Note though that the commandline logging (dynamic detection) still works as the commandline needs to be expanded before it can get executed, but static detection could be bypassed:
Note how double quotes can actually make both static and dynamic detection a bit more difficult:
Commandline logging, same as with using environment variables, is not affected, however static detection could be affected:
A very interesting technique. Let's look at this first without garbage delimiters:
PS C:\Users\mantvydas> cmd /c "set x=calc & echo %x% | cmd"
The above sets en environment variable x to
calc and then prints it and pipes it to the standard input of the cmd:
Introducing garbage delimiters
@ into the equation:
The above does the same as the earlier example, except that it introduces more filth into the command (
[email protected]). You can see from the below screenshot that Windows does not recognize such a command
[email protected], but the second attempt when the
%x:@=% removes the extraneous
@ symbol from the string, gets executed successfully:
If it is confusing, the below should help clear it up:
PS C:\Users\mantvydas> cmd /c "set [email protected] & echo %x:@=mantvydas% | cmd"
In the above, the value
mantvydas got inserted in the
[email protected] in place of @, suggesting that
:@= to be precise) is just a string replacement capability in the cmd.exe utility.
With this knowledge, the original obfuscated command
reads: replace the @ symbol with text that goes after the
= sign, which is empty in this case, which effectively means - remove @ from the value stored in the variable x.
Cmd.exe also has a substring capability. See below:
# this will take the C character from %programdata% and will launch the cmd prompt%programdata:~0,1%md
Note that this is only good for bypassing static detection:
We can use a builtin batch looping to extract the Powershell string from environment variables in order to launch it and bypass static detection that looks for a string "powershell" in program invocations:
Note how the
WindowsPowerShell string is present in the
PSModule environment variable - this mean we can extract it like so:
FOR /F "tokens=7 delims=s\" %g IN ('set^|findstr PSM') do %g
What the above command does:
set^|findstr PSM to get the PSModulePath variable value
Splits the string using delimiters
Prints out the 7th token, which happens to be the
Which effectively launches PowerShell
This may be used for both static and dynamic detection bypasses:
What happens below is essentially there is a loop that goes through the list of indexes (0 1 2 3 2 6 2 4 5 6 0 7) which are used to point to characters in the variable
unique which acts like an alphabet. This allows for the FOR loop to cycle through the index, pick out characters from the alphabet pointed to by the index and concatenate them into a final string that eventually gets called with
CALL %final% when the loop reaches the index 1337.
PS C:\Users\mantvydas> cmd /V /C "set unique=nets /ao&&FOR %A IN (0 1 2 3 2 6 2 4 5 6 0 7 1337) DO set final=!final!!unique:~%A,1!&& IF %A==1337 CALL %final:~-12%"
In verbose python this could look something like this:
forcoding.pyimport osdictionary = "nets -ao"indexes = [0, 1, 2, 3, 2, 6, 2, 4, 5, 6, 0, 7, 1337]final = ""for index in indexes:if index == 1337:breakfinal += dictionary[index]os.system(final)