Daniel Bohannon

Incident Response Consultant at Mandiant

Talk Title

Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To) D""e`Tec`T 'Th'+'em'

Abstract

The very best attackers hide their commands from A/V and application whitelisting technologies using encoded commands and memory-only payloads to evade detection. These techniques prevent Blue Teams from determining what was executed on a target system. However, network defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real time or from event logs.

This talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. Incident responders at Mandiant have already seen attackers use a handful of these methods to evade basic command line detection mechanisms.

This presentation will introduce three new layers of obfuscation that can be applied to any PowerShell command or script. One can use each layer independently, or stack them together to prevent any one technique from becoming an easy signature for defenders. The first layer directly manipulates PowerShell and .Net cmdlets, functions and arguments. The second layer, string manipulation, can then be applied to a single command or an entire script. The final layer consists of several techniques for content execution using PowerShell command input parameters that hide command line arguments from appearing for powershell.exe.

Attempting to detect every possible obfuscated version of particular commands is not an efficient means of detection. Updated PowerShell event logging mitigates many of the detection challenges that obfuscation introduces. However, many organizations do not enable this PowerShell logging and rely primarily on command line logging.
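The paragraph above points at the defender's side of this problem: the enhanced PowerShell logging introduced with PowerShell 5.0 records script blocks after the engine has resolved string building and concatenation, so command-line-only obfuscation is unwound at the point of execution. The following script is an added example, not code from the talk or from Invoke-Obfuscation. It enables script block logging, module logging and transcription through their Group Policy registry locations, checks that all three are on, and pulls recent Event ID 4104 entries from the PowerShell operational log. It assumes an elevated session on Windows with PowerShell 5.0 or later; the transcript output directory is a placeholder to adjust for your environment.

```powershell
# Added example (not from the talk or Invoke-Obfuscation): enable the PowerShell
# logging the abstract refers to, verify it, and read recent script block events.
# Assumes an elevated session on Windows with PowerShell 5.0+. The registry keys
# are the documented Group Policy locations; the transcript directory is a placeholder.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')  # placeholder path, adjust

    # Script block logging (Event ID 4104): logs the script text as the engine
    # compiles it, i.e. after the obfuscating string operations have run.
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging (Event ID 4103): pipeline execution details for all modules.
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Type String

    # Transcription: full session transcripts, including output, written to disk.
    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name OutputDirectory -Value $TranscriptDir -Type String
}

function Test-PowerShellLogging {
    # Returns $true only when all three policies are enabled; reusable as a
    # compliance check for the "organizations do not enable this logging" gap.
    $checks = @(
        @{ Key = 'ScriptBlockLogging'; Name = 'EnableScriptBlockLogging' },
        @{ Key = 'ModuleLogging';      Name = 'EnableModuleLogging' },
        @{ Key = 'Transcription';      Name = 'EnableTranscripting' }
    )
    $ok = $true
    foreach ($c in $checks) {
        $path = Join-Path $PolicyRoot $c.Key
        $val  = (Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $state = if ($val -eq 1) { 'enabled' } else { 'DISABLED' }
        Write-Host ('{0,-20} {1}' -f $c.Key, $state)
        if ($val -ne 1) { $ok = $false }
    }
    return $ok
}

function Get-RecentScriptBlocks {
    # Reads the last $Count script block events. The Message field carries the
    # script text PowerShell actually compiled, which is what to hunt over.
    param([int]$Count = 20)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    } -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Message } }
}

Enable-PowerShellLogging
if (Test-PowerShellLogging) { Get-RecentScriptBlocks | Format-List }
```

Forwarding the Microsoft-Windows-PowerShell/Operational channel to a central collector is what makes this useful at scale; the 4104 message body, rather than the powershell.exe command line, is the field that detection content should be written against.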

This presentation will conclude with a demonstration of Invoke-Obfuscation. This open source tool applies the aforementioned obfuscation techniques to user-provided PowerShell commands and scripts to evade command line argument detection mechanisms.

Speaker Bio

Daniel Bohannon is an Incident Response Consultant at MANDIANT with over six years of operations and information security experience. His particular areas of expertise include enterprise-wide incident response investigations, host-based security monitoring, data aggregation and anomaly detection, and PowerShell-based attack research and detection techniques.

As an incident response consultant, Mr. Bohannon provides emergency services to clients when security breaches occur. He also develops new methods for detecting malicious PowerShell usage at both the host and network level while researching obfuscation techniques for PowerShell-based attacks that are being used by numerous threat groups.

Prior to joining MANDIANT, Mr. Bohannon spent five years working in both IT operations and information security roles in the private retail industry. There he developed operational processes for the automated aggregation and detection of host- and network-based anomalies in a large PCI environment. Mr. Bohannon also programmed numerous tools for host-based hunting while leading the organization’s incident response team.

Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology and a Bachelor of Science in Computer Science from The University of Georgia.

Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved