2024 Talk Wietze Beukema

Command-Line Obfuscation: You can run, _and_ you can hide


DESCRIPTION

Threat actors more often than not rely on executing system-native processes and commands in order to achieve their objectives. It won’t come as a surprise to you that it is getting increasingly harder to do so without setting off defensive measures. Command-line obfuscation, the art of hiding a command’s true intention by manipulating it, has proven to be a successful way to evade detection mechanisms.


By looking at practical examples, this talk will discuss various techniques and show their impact as we demonstrate how they successfully fool detection systems. Not limiting ourselves to Windows, we will see that command-line obfuscation poses a widespread problem/opportunity across the major operating systems. Finally, this talk will preview the release of an open-source tool that helps with generating obfuscated commands.


🔴 Red Teamers will see how command-line obfuscation can help you in your engagements, and how to successfully make it work;

🔵 Blue Teamers will question how robust their existing detections are as we look at common pitfalls, and discuss new ways to detect obfuscated command-line arguments.


WHY THE COMMITTEE CHOSE THIS TALK

Knowing the current state of command-line obfuscation will help every defender looking into their logs or EDR console.
