blue tangle

    I noticed on Twitter a new, relatively novel obfuscation or anti-forensics technique that Qakbot (or qbot) have started using. It surprises me that more threat actors don't employ some basic command-line obfuscation techniques, as they can really screw with SIEM detections with a minimum of effort. Credit to Max_Malyutin on Twitter for flagging this and grabbing my attention:   I hadn't seen multiple path escape backslashes like this on the Windows command line, but sure enough, it works, here's what an event looks like in Splunk:     This takes advantage of the way that SIEMs like Splunk handle backslashes, they themselves need to be escaped, so to search for a normal file path for a file (in this case cmd.exe) would look like this in Splunk:     To look for our obfuscated command-line with extra backslashes we'll want to look for more than 4 backslashes in a row, escaped in Splunk we wind up with 8 backslashes in our search:   Or in SPL:   index=<your-index-he

  In part one of these blog entries on command line obfuscation in Windows ( which you can find here , if you haven't read it), we covered some real basic SPL for detecting the usage of double quotes to potentially circumvent SIEM detections. One of the things I forgot to mention then is that counting specific characters in fields has a lot of potential uses within Splunk searches if you are prepared to think outside the box a little. For instance let's say you were looking at Apache web logs and you were wanting to find instances of directory (or path) traversal, someone appending something like "../../../../../../../../../../../../etc/passwd%00" to a url to try to get at your valuable files, you could modify the SPL as follows:   index=apache sourcetype=access_combined | eval traversalCount=mvcount(split( uri,"."))-1 | where traversalCount >=4 | stats values(uri) BY traversalCount clientip status   This would give you any instances of uris containing

The only thing I find more fascinating than digital anti-forensics, obfuscation and defence evasion is coming up with ways to thwart those techniques as they are employed by adversaries in the wild. This will be a few posts about ways to detect Windows command line obfuscation using Splunk, but I'm sure that the SPL I'm going to include here could be adapted to create detections for other SIEM tools like elastic or Sentinel with relative ease. Think of this as a chance to look up a magician's sleeve for a little peek at the concealed dove. Before we look at detections though we need to define the problem itself, what is command line obfuscation (or “DOSfuscation”) and why is it a problem for defenders? I would urge anyone who is interested in learning more about this topic in depth to check out Wietze Beukema’s excellent SANS DFIR talk:   If you are following along with ATT&CK I think this technique is best mapped to T1027, Obfuscated Files or Information. One of t