Introduction

Command line obfuscation has been proved to be a non-negligible factor in fileless malware or malicious actors that are "living off the land". To bypass signature-based detection, dedicated obfuscation techniques are shown to be used by red-team penetrations and even APT activities. Meanwhile, numerous obfuscators (namely tools perform syntax transformation) are open sourced, thus making obfuscating given commands increasingly effortless.

However, the number of suitable defenses remains to be few. For Linux command line obfuscation,we can barely find any detection tools. Concerning defenses against Windows command obfuscation, existing schemes turn out to either lack of toolization, or only partially resolve the entire problem, sometimes even inaccurately.

To better facilitate obfuscation detection, we have proposed Flerken, a toolized platform that can be used to detect both Windows (CMD and Powershell) and Linux (Bash) commands. The name of Flerken is inspired by a cat-like yet extremely powerful creature from Marvel world. Flerken is build on the basis of carefully collection of black/white samples, and can be divided into two sub-schemes, namely Kindle (Windows obfuscation detector) and Octopus (Linux obfuscation detector). To help optimize Flerken's classification performance, we adopt techniques such as machine learning, bi-directional feature filter ring, and script sandboxing.

Documentation

For a detailed description of Flerken, please review our specification document here.

Quick start

• Installation

  Step 1: Ensure you have installed python 3.x on your server, you can use the following command to check it.

  [root@server:~$] python -V

  Step 2: Install the required components, all the prerequisite components have been declared in requirement.txt.

  [root@server:~$] pip install -r requirement.txt

  Step 3: Login in your MySQL console, and import database

  source /your path/Flerken/flerken/lib/flerken.sql

  Step4: Custom your Flerken APP config as you want.

  Path: flerken/config/global_config.py

  Step5: Now you can run it!

  [root@server:~$] python runApp.py

  Step 6(Optional): You can build your own whitelists for reducing false positive rate.

  Path: flerken/config/whitelists/

• How to use

  It's very easy to use as shown in the following picture, and we will also release API interfaces as soon.

Getting Help

If you have any question or feedbacks on Flerken. Please create an issue and choose a suitable label for it. We will solve it as soon as possible.

CHANGELOG

Please see our CHANGELOG.md

Build-in 3rd parties

• Flask
• Flask-WTF
• Flask-Limiter
• frankie-huang/pythonMySQL
• jQuery
• Swiper

Authors

• Yao Zhang
• Zhiyang Zeng

Acknowledgments

We would like to thank Bghost Zhu, Junbo Li, Haizhang Du, Conan Hu, and other colleagues of Tencent Blade Team for their insightful feedbacks throughout the project. In addition, we would like to thank Andrew LeFevre, the creator of Bashfuscator, for his valuable feedback and discussion on Linux obfuscation detection. We also thank Ning Liu, Junjun Luo, and Lake Hu for their helpful comments and support.

License

Flerken is released under the Apache 2.0 license.