Obfuscation base64 with CMD

[MarineLeM]

The Base64 obfuscation works well with PowerShell and sh executors, but it does not seem to work with the cmd executor.

When I checked the code, I found that the functions responsible for obfuscating commands are implemented specifically for psh and sh, but not for cmd.
To further investigate, I analyzed the network traffic and observed the HTTP requests between Caldera and the agent. For PowerShell, the command was obfuscated

powershell -Enc ZQBjAGgAbwAgAGgAZQBsAGwAbwAgAHcAbwByAGwAZAA=

However, for cmd, the command was in plain text.

echo hello world

My questions are:

• Does the Base64 obfuscation feature support the cmd executor?
• If not, is it technically possible to implement Base64 obfuscation for cmd commands?

[github-actions]

Looks like your first issue -- we aim to respond to issues as quickly as possible. In the meantime, check out our documentation here: http://caldera.readthedocs.io/

[elegantmoose]

Does the Base64 obfuscation feature support the cmd executor?

Looks like it is not specified (https://github.com/mitre/stockpile/blob/master/app/obfuscators/base64_basic.py). Not sure why was left off the list.

Presumably not too hard to add. Not sure if you have identified appropriate python 1 liner that correctly encodes for CMD.

[MarineLeM]

@elegantmoose If you have an idea on how to achieve this, I'd be curious to know, as I couldn’t find a way myself.

What I did find involves using CMD to call PowerShell or a tool like certutil to decode the command first before executing it. However, my understanding of obfuscation is not about decoding and then executing the command, but rather executing a command that remains encoded throughout. If you decode first and then execute, the obfuscation becomes useless since the EDR will catch the command in plain-text.

[uruwhy]

The goal of this obfuscator is to base64 the command line where feasibly possible for command interpreters. For cmd, the most straightforward way would be to run cmd /c powershell -enc ..., but at that point you're really executing via powershell and cmd just an unnecessary node in the process tree. Which is probably why it wasn't included to begin with, since at that point users would just execute via base64-encoded powershell.

As for commands that remain encoded throughout... right now the only ideas that come to mind have more to do with the executable that gets executed and not with the actual command-line process (cmd, powershell, etc):

• command-line spoofing by editing the process environment block (requires custom malware, since you can't directly do this using cmd AFAIK)

Even if you somehow could keep the command encoded, cmd will still create a process, and the parameters passed to the associated API call can be seen by any EDR that has hooked into those APIs. So Even if you have cmd some_way_to_encode_executing_mimikatz.exe an EDR would see the CreateProcess API call (and underlying ntdll API calls9 with unencoded parameters passed to it. So unless you're writing your own custom replacements of undocumented native APIs and hooking them into cmd, you still run into the problem of unencoded arguments getting passed into API calls that EDR tools can see.

[uruwhy]

Closing unless further discussion points come up later