“…, that this ever-lasting and ever-present technology is a prime target for hackers. cmd.exe allows an interactive interface for a user to run commands, start programs, create or move or delete files on the system… just about anything on a computer! Batch scripts the command…”
T1059.001 PowerShell (98%)
“Tried and True Hacker Technique: DOS Obfuscation | Huntress. In this blog post we shine the spotlight on an obfuscation technique that we see being used in the latest “100th version” of the TrickBot malware. What program is built-in and available on every Microsoft Windows ma…”
T1059.003 Windows Command Shell (94%)
“…command is used to display data out on the screen. If we didn’t include the echo command, and just ran %varname%, we would see an interesting error message: 'value' is not recognized as an internal or external command, operable program or batch file. That is the same error…”
T1027.010 Command Obfuscation (78%)
“…crammed together. So that means that all those distinct lines of code earlier, that were just creating small, one-letter or two-character variable values, really did serve a purpose! All those variables were just small chunks, or tiny slivers of the “final payload” or the r…”
T1027.010 Command Obfuscation (70%)
“…utable code. You’ve heard the old adage before: “Security is a cat and mouse game.” One technique hackers use to hide and cover up their efforts is to obfuscate their malicious code. Obfuscation is the obscuring of the intended meaning of communication by making the messag…”
T1027.010 Command Obfuscation (68%)
“….exe program (ergo, TrickBot) does isn’t what we will focus on here. The interesting thing to unravel here is just how this obfuscation works. Variables and %values%: cmd.exe does offer scripting like any other scripting language (well, in a somewhat limited way) — so th…”
T1059 Command and Scripting Interpreter (41%)
“…proves this is a peculiar and “valuable” obfuscation technique. Human analysis: at Huntress, we shout from the rooftops the value of having a real person look at malware and suspicious code. We have a whole ThreatOps department that manually explores persistent footholds, irregu…”
T1027 Obfuscated Files or Information (34%)
“Who cares? Now I know what you’re thinking. You could just slap an echo command at the very start of the last line and see, right on your screen, what that code is trying to do. And you are absolutely right. You can do that, because you understand the context and know how to fi…”
T1059 Command and Scripting Interpreter (31%)
Summary
In this blog, we dissect a sample of malware that makes clever use of batch scripting obfuscation—turns out it was a launcher for TrickBot!