1
00:00:00,000 --> 00:00:02,280
Many people expressed their interest to
2
00:00:02,280 --> 00:00:03,959
learn more about obfuscation techniques
3
00:00:03,959 --> 00:00:06,060
so I decided to create a repository of
4
00:00:06,060 --> 00:00:08,099
all the tricks I know and use in
5
00:00:08,099 --> 00:00:10,019
penetration tests to obfuscate PowerShell
6
00:00:10,019 --> 00:00:11,940
scripts. This repository has a little
7
00:00:11,940 --> 00:00:14,340
bit of theory in it as well so before we
8
00:00:14,340 --> 00:00:16,320
dive into practical examples let's talk
9
00:00:16,320 --> 00:00:18,359
a little bit about entropy. A
10
00:00:18,359 --> 00:00:20,340
generalization of entropy's definition
11
00:00:20,340 --> 00:00:23,580
is the measure of randomness or disorder
12
00:00:23,580 --> 00:00:25,560
of a system, and in information
13
00:00:25,560 --> 00:00:28,019
theory this actually means the measure
14
00:00:28,019 --> 00:00:31,140
of randomness in a set of data, and you
15
00:00:31,140 --> 00:00:32,880
might be wondering what the hell does
16
00:00:32,880 --> 00:00:34,620
that have to do with AV evasion or
17
00:00:34,620 --> 00:00:36,840
PowerShell obfuscation, whatever. Okay, so
18
00:00:36,840 --> 00:00:39,120
here's why I'm mentioning this: this is
19
00:00:39,120 --> 00:00:41,579
because malware often contains code that
20
00:00:41,579 --> 00:00:43,559
is highly randomized, right? Many
21
00:00:43,559 --> 00:00:45,480
times it's encrypted, encoded,
22
00:00:45,480 --> 00:00:46,980
obfuscated with many different
23
00:00:46,980 --> 00:00:49,320
techniques that tend to make a payload
24
00:00:49,320 --> 00:00:51,960
unrecognizable, very difficult to process
25
00:00:51,960 --> 00:00:55,260
either by a human or even a machine, a
26
00:00:55,260 --> 00:00:57,480
computer, right? To make it difficult to
27
00:00:57,480 --> 00:00:59,399
analyze and therefore detect. So imagine
28
00:00:59,399 --> 00:01:00,780
if there was a formula that you
29
00:01:00,780 --> 00:01:02,760
could pass a specific data set to, and
30
00:01:02,760 --> 00:01:04,739
with some mathematical calculation you
31
00:01:04,739 --> 00:01:06,180
could determine the measure of
32
00:01:06,180 --> 00:01:08,760
randomness of a given data set like a
33
00:01:08,760 --> 00:01:10,260
payload for example, a malware or
34
00:01:10,260 --> 00:01:12,360
whatever. Okay, and you could say that, hey,
35
00:01:12,360 --> 00:01:14,400
you know what, the randomness of
36
00:01:14,400 --> 00:01:17,580
this thing is 5, or it's 10, or it's 8.
37
00:01:17,580 --> 00:01:19,439
Then you could statistically create
38
00:01:19,439 --> 00:01:23,040
models to kind of predict when a file or
39
00:01:23,040 --> 00:01:25,320
payload is malicious, and this is exactly
40
00:01:25,320 --> 00:01:27,240
one of the methods that antivirus
41
00:01:27,240 --> 00:01:30,000
products use: entropy analysis to
42
00:01:30,000 --> 00:01:31,860
identify potentially malicious files,
43
00:01:31,860 --> 00:01:35,520
because a file that has a very high
44
00:01:35,520 --> 00:01:39,240
measure of randomness is probably
45
00:01:39,240 --> 00:01:41,400
malicious or at least it has many more
46
00:01:41,400 --> 00:01:42,900
chances to be malicious compared to
47
00:01:42,900 --> 00:01:44,759
other files, and with other parameters
48
00:01:44,759 --> 00:01:47,520
and analysis techniques I guess you
49
00:01:47,520 --> 00:01:49,740
can determine if something is malware
50
00:01:49,740 --> 00:01:51,659
or whatever. A mathematician and computer
51
00:01:51,659 --> 00:01:54,240
scientist named Claude Shannon introduced
52
00:01:54,240 --> 00:01:56,939
a formula many years ago with which you
53
00:01:56,939 --> 00:01:59,399
can measure the entropy in a set of data,
54
00:01:59,399 --> 00:02:01,200
and I think it's really important for
55
00:02:01,200 --> 00:02:03,720
someone into AV evasion and pen testing,
56
00:02:03,720 --> 00:02:05,159
generally speaking red teaming and
57
00:02:05,159 --> 00:02:06,840
stuff like that, to know this concept,
58
00:02:06,840 --> 00:02:08,700
because you can actually use this
59
00:02:08,700 --> 00:02:10,920
formula. You can find Python
60
00:02:10,920 --> 00:02:12,959
implementations here and in many other
61
00:02:12,959 --> 00:02:14,819
sources. It's not something I wrote, I
62
00:02:14,819 --> 00:02:16,500
edited something that I found online,
63
00:02:16,500 --> 00:02:18,480
because actually this is a mathematical
64
00:02:18,480 --> 00:02:20,760
formula, so anyone can express it in any
65
00:02:20,760 --> 00:02:22,319
programming language which is convenient
66
00:02:22,319 --> 00:02:23,819
for them. There are also online
67
00:02:23,819 --> 00:02:26,520
calculators. This actually is describing
68
00:02:26,520 --> 00:02:28,620
this. The Shannon entropy is what
69
00:02:28,620 --> 00:02:30,180
this formula is called, and there is a calculator
70
00:02:30,180 --> 00:02:32,340
down here to use, and we're gonna use it
71
00:02:32,340 --> 00:02:34,379
very soon. And I think it's really
72
00:02:34,379 --> 00:02:36,180
important to have it in mind because you
73
00:02:36,180 --> 00:02:38,099
might obfuscate something
74
00:02:38,099 --> 00:02:39,840
using all of these tricks and many more
75
00:02:39,840 --> 00:02:41,760
you can find everywhere on the internet
76
00:02:41,760 --> 00:02:44,760
today, and you will be able to bypass,
77
00:02:44,760 --> 00:02:47,220
I think, very easily many of the common
78
00:02:47,220 --> 00:02:49,620
antiviruses we all have and utilize in
79
00:02:49,620 --> 00:02:51,840
our computers, but sophisticated systems
80
00:02:51,840 --> 00:02:54,239
will see through these payloads that you
81
00:02:54,239 --> 00:02:57,000
probably develop using multiple
82
00:02:57,000 --> 00:02:59,040
obfuscation techniques just because
83
00:02:59,040 --> 00:03:01,080
of entropy. Of course there are many
84
00:03:01,080 --> 00:03:03,540
other variables in this equation, but I
85
00:03:03,540 --> 00:03:05,940
think entropy plays a significant part
86
00:03:05,940 --> 00:03:07,920
and it's something you can control:
87
00:03:07,920 --> 00:03:09,780
there are tricks to lower it, and you
88
00:03:09,780 --> 00:03:12,239
can be careful with what you choose to
89
00:03:12,239 --> 00:03:16,080
modify in the script to not fall in the
90
00:03:16,080 --> 00:03:18,900
trap of being identified because of very
91
00:03:18,900 --> 00:03:21,420
high entropy in your payload. And let me
92
00:03:21,420 --> 00:03:23,159
just really quickly show you an example
93
00:03:23,159 --> 00:03:25,800
of how entropy works a little bit. Okay,
94
00:03:25,800 --> 00:03:28,680
this is an entropy calculator, this is
95
00:03:28,680 --> 00:03:31,140
the result here, entropy. Okay, so it has
96
00:03:31,140 --> 00:03:33,060
this example, Lorem ipsum, you know, the
97
00:03:33,060 --> 00:03:35,819
classic string, and it has an entropy,
98
00:03:35,819 --> 00:03:37,860
let's say, of 3.99. Okay, let's forget
99
00:03:37,860 --> 00:03:39,959
about this example and let's create a
100
00:03:39,959 --> 00:03:41,940
data set, okay, and this could be a
101
00:03:41,940 --> 00:03:43,680
payload, right? In here we will measure
102
00:03:43,680 --> 00:03:45,659
something later. Okay, so let's say we
103
00:03:45,659 --> 00:03:47,819
have a data set that is just four A's.
104
00:03:47,819 --> 00:03:50,159
This will actually have an entropy
105
00:03:50,159 --> 00:03:51,959
of zero because there's actually no
106
00:03:51,959 --> 00:03:54,239
randomness in this, absolutely, it's
107
00:03:54,239 --> 00:03:56,700
just super predictable, it's four
108
00:03:56,700 --> 00:04:00,360
instances of A. Okay, so let's just add a B,
109
00:04:00,360 --> 00:04:02,700
let's calculate, and we'll see
110
00:04:02,700 --> 00:04:06,360
that entropy starts to rise, right? And the more
111
00:04:06,360 --> 00:04:08,760
unique characters you add to this
112
00:04:08,760 --> 00:04:12,420
data set, the more it will go up. Okay, and let's
113
00:04:12,420 --> 00:04:14,640
see, just to understand a little bit, just
114
00:04:14,640 --> 00:04:16,560
the feeling of this, the taste, the flavor
115
00:04:16,560 --> 00:04:19,019
of this thing called entropy,
116
00:04:19,019 --> 00:04:22,740
let's add a lot more A's. Okay, and we
117
00:04:22,740 --> 00:04:24,720
are at two right now,
118
00:04:24,720 --> 00:04:27,060
and you'll see that the entropy
119
00:04:27,060 --> 00:04:29,639
fell because now our data set has less
120
00:04:29,639 --> 00:04:31,199
randomness, because most of the
121
00:04:31,199 --> 00:04:33,479
characters in this whole data set
122
00:04:33,479 --> 00:04:35,400
are the same. Probably you understand that this
123
00:04:35,400 --> 00:04:37,320
calculation, this formula,
124
00:04:37,320 --> 00:04:39,360
also has to do with the length,
125
00:04:39,360 --> 00:04:41,580
the length of the data set. Okay,
126
00:04:41,580 --> 00:04:45,360
so our data set grew, but it grew less in
127
00:04:45,360 --> 00:04:47,880
randomness because it has more
128
00:04:47,880 --> 00:04:50,520
similar characters, and of course
129
00:04:50,520 --> 00:04:54,380
the weirder things are,
130
00:04:54,380 --> 00:04:57,240
entropy will rise. This is exactly what
131
00:04:57,240 --> 00:04:58,860
happens with a payload, for example, when
132
00:04:58,860 --> 00:05:00,540
you grab a reverse shell command and you
133
00:05:00,540 --> 00:05:02,220
start obfuscating: you're adding weird
134
00:05:02,220 --> 00:05:05,580
stuff in it, encryption, encoding, weird
135
00:05:05,580 --> 00:05:08,400
variable names, weird class names, all of
136
00:05:08,400 --> 00:05:10,620
this juicy stuff we do to bypass
137
00:05:10,620 --> 00:05:13,080
antiviruses. And you should have in mind
138
00:05:13,080 --> 00:05:14,820
that this is also something that is
139
00:05:14,820 --> 00:05:17,540
happening behind the scenes, and
140
00:05:17,540 --> 00:05:19,979
antivirus products actually measure this
141
00:05:19,979 --> 00:05:21,840
and
142
00:05:21,840 --> 00:05:24,240
statistically they can calculate and say
143
00:05:24,240 --> 00:05:26,160
hey, this is probably
144
00:05:26,160 --> 00:05:28,860
malware. More details about this are in
145
00:05:28,860 --> 00:05:31,139
the PowerShell Obfuscation Bible, you can
146
00:05:31,139 --> 00:05:33,000
find and read stuff about it here, but
147
00:05:33,000 --> 00:05:34,979
let's, for the sake of this video and for
148
00:05:34,979 --> 00:05:36,720
it not to be super long and boring, let's
149
00:05:36,720 --> 00:05:39,060
just jump into practical examples. So
150
00:05:39,060 --> 00:05:40,320
let's check out some of these techniques,
151
00:05:40,320 --> 00:05:42,180
let's go to Rename Objects. I think it
152
00:05:42,180 --> 00:05:43,380
should be a priority to replace
153
00:05:43,380 --> 00:05:45,600
variable, class and function names
154
00:05:45,600 --> 00:05:47,520
with random ones within a script that
155
00:05:47,520 --> 00:05:48,960
you are trying to obfuscate and bypass
156
00:05:48,960 --> 00:05:51,060
detection with. Okay, so here we
157
00:05:51,060 --> 00:05:52,680
have a classic PowerShell reverse shell
158
00:05:52,680 --> 00:05:54,840
command, just for an example, and I have
159
00:05:54,840 --> 00:05:56,699
done this actually, I have replaced
160
00:05:56,699 --> 00:05:59,039
the variable names, because there are no
161
00:05:59,039 --> 00:06:01,139
class or function definitions in this
162
00:06:01,139 --> 00:06:05,039
particular reverse shell command, and I also
163
00:06:05,039 --> 00:06:08,460
only changed this part here, $pwd.Path,
164
00:06:08,460 --> 00:06:09,780
which returns the current working
165
00:06:09,780 --> 00:06:13,020
directory, with the Get-Location gl
166
00:06:13,020 --> 00:06:15,060
alias in PowerShell, and actually this
167
00:06:15,060 --> 00:06:17,520
worked, and this is the case many
168
00:06:17,520 --> 00:06:20,280
times, at least for me in the tests I run.
169
00:06:20,280 --> 00:06:23,400
I have noticed that most of the
170
00:06:23,400 --> 00:06:26,039
times if I change the object names in a script
171
00:06:26,039 --> 00:06:28,080
and I just use one of these other
172
00:06:28,080 --> 00:06:30,060
techniques additionally to obfuscate
173
00:06:30,060 --> 00:06:32,940
something, usually I'm already there. And
174
00:06:32,940 --> 00:06:36,120
let's just use Villain, which is a tool
175
00:06:36,120 --> 00:06:38,759
that can generate reverse shell commands
176
00:06:38,759 --> 00:06:40,800
and also it has some listeners, you can
177
00:06:40,800 --> 00:06:43,319
see Netcat, TCP, HoaxShell, and we can catch
178
00:06:43,319 --> 00:06:45,440
multiple shells, and I'm gonna just use it
179
00:06:45,440 --> 00:06:48,840
to generate
180
00:06:48,840 --> 00:06:51,120
this particular command that we were
181
00:06:51,120 --> 00:06:53,819
just observing: windows netcat powershell
182
00:06:53,819 --> 00:06:56,280
lhost equals eth0. It's just the same
183
00:06:56,280 --> 00:06:58,680
exact template, actually I'm lying, it's
184
00:06:58,680 --> 00:07:00,360
not exactly the same. Oh, I already have
185
00:07:00,360 --> 00:07:02,460
it here, okay, let's use this one.
186
00:07:02,460 --> 00:07:04,680
The difference here is that this one has
187
00:07:04,680 --> 00:07:06,360
this wrapper to start as a new process,
188
00:07:06,360 --> 00:07:08,340
and I don't really want it right now
189
00:07:08,340 --> 00:07:10,440
because we won't be able to see error
190
00:07:10,440 --> 00:07:12,180
messages, and I want to see error
191
00:07:12,180 --> 00:07:14,819
messages because this is actually
192
00:07:14,819 --> 00:07:17,460
detected, because it's raw, I mean
193
00:07:17,460 --> 00:07:20,160
it's the template that is super flagged,
194
00:07:20,160 --> 00:07:22,620
it has, I don't know,
195
00:07:22,620 --> 00:07:24,539
I don't think there's a solution, an
196
00:07:24,539 --> 00:07:26,699
antivirus product, that cannot catch this
197
00:07:26,699 --> 00:07:28,919
shell. Okay, and let me just show you
198
00:07:28,919 --> 00:07:30,240
really quickly
199
00:07:30,240 --> 00:07:32,580
my virus signatures. What's happening?
200
00:07:32,580 --> 00:07:35,220
There it is again, whoa, whoa,
201
00:07:35,220 --> 00:07:38,759
severe right now. Okay, so my virus
202
00:07:38,759 --> 00:07:41,300
signatures are up to date, and
203
00:07:41,300 --> 00:07:44,699
my settings, my shields are all up, and
204
00:07:44,699 --> 00:07:46,500
just to be quick I'm gonna use a script
205
00:07:46,500 --> 00:07:48,660
to automatically randomize all the
206
00:07:48,660 --> 00:07:50,099
variables in this payload. I've used this
207
00:07:50,099 --> 00:07:52,080
script before in other videos, but I
208
00:07:52,080 --> 00:07:54,060
never included it somewhere on GitHub
209
00:07:54,060 --> 00:07:56,099
and here in this repository you can
210
00:07:56,099 --> 00:07:58,259
find it. It's far from perfect, and if you
211
00:07:58,259 --> 00:08:01,020
execute this against a script that is
212
00:08:01,020 --> 00:08:03,419
large, probably it will destroy it, well,
213
00:08:03,419 --> 00:08:05,520
depending on the architecture of the script, if
214
00:08:05,520 --> 00:08:07,620
there's something weird and it replaces
215
00:08:07,620 --> 00:08:09,240
something it shouldn't because it thought
216
00:08:09,240 --> 00:08:10,740
it's a variable or something. But
217
00:08:10,740 --> 00:08:12,300
whatever, maybe someone can
218
00:08:12,300 --> 00:08:14,580
perfect this thing and just do a pull
219
00:08:14,580 --> 00:08:16,020
request or something, I don't know. Let's
220
00:08:16,020 --> 00:08:17,160
use it.
221
00:08:17,160 --> 00:08:19,560
I have it,
222
00:08:19,560 --> 00:08:21,840
where is it?
223
00:08:21,840 --> 00:08:25,500
We want to run the script and pass as a
224
00:08:25,500 --> 00:08:26,759
command line argument the standard
225
00:08:26,759 --> 00:08:29,099
reverse shell template, and let's do this from
226
00:08:29,099 --> 00:08:30,300
PowerShell.
227
00:08:30,300 --> 00:08:32,820
The script is in
228
00:08:32,820 --> 00:08:35,760
Desktop\payload, which is excluded from
229
00:08:35,760 --> 00:08:38,839
antivirus scanning on my system.
230
00:08:38,839 --> 00:08:42,060
I should not be saying this, but anyway, you
231
00:08:42,060 --> 00:08:45,060
can do this if you go here and add an
232
00:08:45,060 --> 00:08:47,160
exclusion, you can just choose a path
233
00:08:47,160 --> 00:08:48,720
that you don't want to be scanned, and
234
00:08:48,720 --> 00:08:50,339
I've done this before because I have
235
00:08:50,339 --> 00:08:52,440
my shells up and running and I don't want
236
00:08:52,440 --> 00:08:56,279
it to be scanned right now. And let's,
237
00:08:56,279 --> 00:09:00,420
where is it, okay, python, let's do randomize
238
00:09:00,420 --> 00:09:03,120
variables, and we want to do this on the
239
00:09:03,120 --> 00:09:04,920
standard reverse shell template, and this is
240
00:09:04,920 --> 00:09:07,560
just gonna print the payload again, but
241
00:09:07,560 --> 00:09:10,200
this time the variable names are random,
242
00:09:10,200 --> 00:09:12,839
and this alone will not work.
243
00:09:12,839 --> 00:09:14,459
I'm gonna showcase this really quickly,
244
00:09:14,459 --> 00:09:17,100
because I've done it before and I feel
245
00:09:17,100 --> 00:09:19,980
kind of bored. So if I run this it's
246
00:09:19,980 --> 00:09:22,800
still detected. So let's just jump into
247
00:09:22,800 --> 00:09:26,100
another technique, something really
248
00:09:26,100 --> 00:09:27,660
reasonable, I think,
249
00:09:27,660 --> 00:09:31,140
that I also describe somewhere here,
250
00:09:31,140 --> 00:09:34,980
where is it, Substitute Commands. Okay,
251
00:09:34,980 --> 00:09:37,620
you can just substitute a command that
252
00:09:37,620 --> 00:09:39,720
you know an equivalent of. For example,
253
00:09:39,720 --> 00:09:41,820
I mentioned that this, in the
254
00:09:41,820 --> 00:09:44,399
template we are working on, $pwd
255
00:09:44,399 --> 00:09:46,380
.Path, which returns the current working
256
00:09:46,380 --> 00:09:48,180
directory, can be replaced with many
257
00:09:48,180 --> 00:09:51,300
things like gl, Get-Location, and this
258
00:09:51,300 --> 00:09:54,480
alias for Get-Location, or this, or
259
00:09:54,480 --> 00:09:56,760
probably actually these two also, this
260
00:09:56,760 --> 00:09:59,580
very long script I've added here as
261
00:09:59,580 --> 00:10:02,519
an example, but let's not, you know,
262
00:10:02,519 --> 00:10:04,860
let's just do something simpler. I'm
263
00:10:04,860 --> 00:10:06,839
gonna clear here because now we're gonna
264
00:10:06,839 --> 00:10:10,320
get ourselves, finally, hopefully,
265
00:10:10,320 --> 00:10:13,440
what is, uh, PowerShell.
266
00:10:13,440 --> 00:10:15,240
So we have the script, it's still not
267
00:10:15,240 --> 00:10:19,140
working, it's still detected, but
268
00:10:19,140 --> 00:10:22,200
if we do this really small change
269
00:10:22,200 --> 00:10:24,779
that I mentioned,
270
00:10:24,779 --> 00:10:28,800
with Get-Location, we are gonna fly off
271
00:10:28,800 --> 00:10:30,240
the radar. And of course this is not
272
00:10:30,240 --> 00:10:32,040
something... this might bypass Defender
273
00:10:32,040 --> 00:10:34,980
here on my machine, that is
274
00:10:34,980 --> 00:10:37,260
not in a mature network, like, security-
275
00:10:37,260 --> 00:10:40,260
wise, and it would probably not work
276
00:10:40,260 --> 00:10:42,660
against some endpoint detection. But if
277
00:10:42,660 --> 00:10:44,279
you take into consideration the
278
00:10:44,279 --> 00:10:46,680
entropy, because you can see that this
279
00:10:46,680 --> 00:10:48,660
thing, based on the example we mentioned
280
00:10:48,660 --> 00:10:49,560
earlier,
281
00:10:49,560 --> 00:10:52,740
all this random stuff and length
282
00:10:52,740 --> 00:10:55,560
probably made the entropy of this
283
00:10:55,560 --> 00:10:58,380
payload go up, and there are ways to make
284
00:10:58,380 --> 00:11:01,260
it go lower, and maybe this would work
285
00:11:01,260 --> 00:11:03,060
actually. In tests I've done it did work
286
00:11:03,060 --> 00:11:06,899
against EDRs that way, so you should read
287
00:11:06,899 --> 00:11:08,820
the repository in detail because I have
288
00:11:08,820 --> 00:11:10,380
some comments on this. I'm not gonna
289
00:11:10,380 --> 00:11:12,300
showcase this right now,
290
00:11:12,300 --> 00:11:15,000
so let's stop going random, let's do the
291
00:11:15,000 --> 00:11:16,740
mature thing here, which is to identify
292
00:11:16,740 --> 00:11:19,079
detection triggers, meaning strings, parts
293
00:11:19,079 --> 00:11:22,100
in this script that are actually
294
00:11:22,100 --> 00:11:24,300
flagged as malicious, because it's not
295
00:11:24,300 --> 00:11:26,160
like every component of a
296
00:11:26,160 --> 00:11:28,260
script is flagged, it's usually some
297
00:11:28,260 --> 00:11:30,720
particular part of it, because this would,
298
00:11:30,720 --> 00:11:32,760
like, destroy the functionality of
299
00:11:32,760 --> 00:11:34,560
anything else that is normal use,
300
00:11:34,560 --> 00:11:37,260
right? So let's use AMSI
301
00:11:37,260 --> 00:11:39,720
Trigger, which I have here. It's a tool
302
00:11:39,720 --> 00:11:41,279
you can just download for free from
303
00:11:41,279 --> 00:11:43,800
GitHub, just search for AMSITrigger. It
304
00:11:43,800 --> 00:11:45,800
can highlight for you, if you do this, if
305
00:11:45,800 --> 00:11:48,540
format 3, I think it means it will
306
00:11:48,540 --> 00:11:51,300
highlight with red the part of
307
00:11:51,300 --> 00:11:52,399
the
308
00:11:52,399 --> 00:11:55,200
payload that you input
309
00:11:55,200 --> 00:11:58,140
as a file, and this is the standard
310
00:11:58,140 --> 00:11:59,700
reverse shell template that we're working
311
00:11:59,700 --> 00:12:02,339
with, right? This is the classic one without
312
00:12:02,339 --> 00:12:04,380
changed variables, nothing.
313
00:12:04,380 --> 00:12:07,700
Let's just run it.
314
00:12:07,980 --> 00:12:10,260
When it's kind of hanging, I
315
00:12:10,260 --> 00:12:12,420
have noticed that if you
316
00:12:12,420 --> 00:12:15,959
stop cloud-delivered protection, it
317
00:12:15,959 --> 00:12:18,060
will not hang, and it will just tell us
318
00:12:18,060 --> 00:12:21,180
what the problem is. I think, yes, it
319
00:12:21,180 --> 00:12:22,260
worked.
320
00:12:22,260 --> 00:12:24,420
I'm not sure why.
321
00:12:24,420 --> 00:12:26,820
Let's turn it back on, because I want
322
00:12:26,820 --> 00:12:30,480
everything to be enabled. So it says that
323
00:12:30,480 --> 00:12:32,760
this part is what it doesn't like, so
324
00:12:32,760 --> 00:12:35,279
let's choose some technique and just
325
00:12:35,279 --> 00:12:38,540
mess with this part, which is like 90,
326
00:12:38,540 --> 00:12:41,700
95 percent of this payload, whatever, I thought it
327
00:12:41,700 --> 00:12:43,019
would be shorter, but it doesn't matter.
328
00:12:43,019 --> 00:12:45,300
Let's do this Get-Command technique,
329
00:12:45,300 --> 00:12:47,279
which is really awesome.
330
00:12:47,279 --> 00:12:50,820
So here's the thing with Get-Command,
331
00:12:50,820 --> 00:12:54,180
let's open a new PowerShell window. If I do
332
00:12:54,180 --> 00:12:55,500
Get-
333
00:12:55,500 --> 00:12:56,880
Command,
334
00:12:56,880 --> 00:12:59,339
this will just dump everything, every
335
00:12:59,339 --> 00:13:01,500
cmdlet and every, I think, executable
336
00:13:01,500 --> 00:13:03,540
that is in the PATH environment
337
00:13:03,540 --> 00:13:06,180
variable on my machine. Okay, and
338
00:13:06,180 --> 00:13:08,160
here's the trick with this: you can use
339
00:13:08,160 --> 00:13:09,180
it
340
00:13:09,180 --> 00:13:10,980
as
341
00:13:10,980 --> 00:13:14,339
gcm, yes, gcm is an alias for this.
342
00:13:14,339 --> 00:13:17,579
You can use it, for example, this would
343
00:13:17,579 --> 00:13:20,060
return iex. Also, you can use
344
00:13:20,060 --> 00:13:22,860
wildcards with this, this also returns iex,
345
00:13:22,860 --> 00:13:25,980
for example, and you can do weirder stuff
346
00:13:25,980 --> 00:13:28,200
as well, of course, like
347
00:13:28,200 --> 00:13:30,300
Invoke-
348
00:13:30,300 --> 00:13:33,860
uh, X.
349
00:13:34,380 --> 00:13:36,899
I guess, yes, this also would return iex,
350
00:13:36,899 --> 00:13:39,060
and of course you can just grab this
351
00:13:39,060 --> 00:13:41,339
because it's an object, a string,
352
00:13:41,339 --> 00:13:44,279
you can just grab the name of it,
353
00:13:44,279 --> 00:13:46,260
or you can just without grabbing the
354
00:13:46,260 --> 00:13:49,019
name, run it as a job. Okay, and this is
355
00:13:49,019 --> 00:13:52,620
iex right now actually, so we can
356
00:13:52,620 --> 00:13:55,740
replace iex with this and probably,
357
00:13:55,740 --> 00:13:58,260
hopefully,
358
00:13:58,260 --> 00:14:00,959
this will work because this payload has iex
359
00:14:00,959 --> 00:14:04,740
here. If we do this we have messed with
360
00:14:04,740 --> 00:14:07,680
this part that is red. It's not 100
361
00:14:07,680 --> 00:14:09,000
percent,
362
00:14:09,000 --> 00:14:11,279
I'm not sure this is going to work, but
363
00:14:11,279 --> 00:14:13,500
it's worth trying. So let's,
364
00:14:13,500 --> 00:14:16,200
drum roll, and boom. Oh,
365
00:14:16,200 --> 00:14:18,060
worked...
366
00:14:18,060 --> 00:14:20,579
it didn't work, but okay, we're getting
367
00:14:20,579 --> 00:14:21,420
there.
368
00:14:21,420 --> 00:14:25,820
Let's see, in combination with,
369
00:14:26,040 --> 00:14:28,560
where is it, oh yeah,
370
00:14:28,560 --> 00:14:31,079
in combination with what we did
371
00:14:31,079 --> 00:14:33,500
earlier.
372
00:14:34,320 --> 00:14:36,720
Okay, gl, and now we have not changed any
373
00:14:36,720 --> 00:14:39,300
variables, nothing, it's quite similar to
374
00:14:39,300 --> 00:14:41,220
what it is originally.
375
00:14:41,220 --> 00:14:44,360
Still doesn't work.
376
00:14:44,399 --> 00:14:47,699
Let's see what else we can combine.
377
00:14:47,699 --> 00:14:51,540
We could try to add comments, I mentioned
378
00:14:51,540 --> 00:14:53,279
this also in the repository, you can just
379
00:14:53,279 --> 00:14:55,560
go to some random places and add
380
00:14:55,560 --> 00:14:57,959
comments, and let's
381
00:14:57,959 --> 00:15:00,959
add some random string in this
382
00:15:00,959 --> 00:15:04,380
moment, and let's add one more
383
00:15:04,380 --> 00:15:06,839
somewhere
384
00:15:06,839 --> 00:15:09,860
for example here.
385
00:15:13,440 --> 00:15:17,040
Okay, oh, it actually worked,
386
00:15:17,040 --> 00:15:19,620
and we must have gotten a new
387
00:15:19,620 --> 00:15:22,560
session here on Villain.
388
00:15:22,560 --> 00:15:25,019
Let's test it one more time to be sure,
389
00:15:25,019 --> 00:15:27,240
let me just kill
390
00:15:27,240 --> 00:15:29,160
this session,
391
00:15:29,160 --> 00:15:31,320
return, because it was hanging and I
392
00:15:31,320 --> 00:15:33,480
could not Ctrl-C out of this, so I'm
393
00:15:33,480 --> 00:15:35,399
gonna run it one more time,
394
00:15:35,399 --> 00:15:37,440
and you can see we actually combined
395
00:15:37,440 --> 00:15:39,540
like three techniques: we didn't change
396
00:15:39,540 --> 00:15:41,639
any variable names, nothing, we just added
397
00:15:41,639 --> 00:15:45,139
some comments, we did this Get-Command
398
00:15:45,139 --> 00:15:48,480
substitution of iex, okay,
399
00:15:48,480 --> 00:15:50,459
and this wildcard thing gives you
400
00:15:50,459 --> 00:15:52,800
Endless Possibilities to get the command
401
00:15:52,800 --> 00:15:54,540
you want. Endless, okay, that was an
402
00:15:54,540 --> 00:15:56,279
overstatement, but it gives you a lot of
403
00:15:56,279 --> 00:15:58,380
ground to work with. And of course this
404
00:15:58,380 --> 00:16:00,600
is Get-Location, and you see we
405
00:16:00,600 --> 00:16:03,000
actually managed to mess with this. Also,
406
00:16:03,000 --> 00:16:06,320
this adding comments is a great way
407
00:16:06,320 --> 00:16:10,019
to mess with the entropy of a payload, and
408
00:16:10,019 --> 00:16:11,760
let's go back to our calculator. I'm
409
00:16:11,760 --> 00:16:14,100
gonna just slap this in, okay, now we can
410
00:16:14,100 --> 00:16:15,959
calculate, it has an entropy of 5, which
411
00:16:15,959 --> 00:16:17,699
is kind of high, I think,
412
00:16:17,699 --> 00:16:19,380
not that much, it could be of course
413
00:16:19,380 --> 00:16:21,360
higher, but it is high. And let's see,
414
00:16:21,360 --> 00:16:23,699
check this out:
415
00:16:23,699 --> 00:16:25,500
as we showed earlier with a simple
416
00:16:25,500 --> 00:16:29,160
example, I added A's, okay, and
417
00:16:29,160 --> 00:16:31,800
this was actually dropping the
418
00:16:31,800 --> 00:16:34,740
entropy, because the randomness is
419
00:16:34,740 --> 00:16:37,259
decreasing because we have less random
420
00:16:37,259 --> 00:16:40,320
characters, right? This again,
421
00:16:40,320 --> 00:16:41,820
you can see that it dropped, actually,
422
00:16:41,820 --> 00:16:45,120
and this payload, which would have longer
423
00:16:45,120 --> 00:16:47,399
comments, it doesn't really matter,
424
00:16:47,399 --> 00:16:49,440
I'm gonna just slap all of this in, and now we
425
00:16:49,440 --> 00:16:51,779
have dropped a lot in entropy in this
426
00:16:51,779 --> 00:16:54,120
payload actually. And again,
427
00:16:54,120 --> 00:16:57,420
let's go to Villain and let's kill this
428
00:16:57,420 --> 00:16:59,160
session also,
429
00:16:59,160 --> 00:17:01,980
to unhang our shell here, and I'm gonna
430
00:17:01,980 --> 00:17:04,140
slap this in just for you to see that it
431
00:17:04,140 --> 00:17:05,520
actually will work.
432
00:17:05,520 --> 00:17:07,980
So this is a cool way to drop the
433
00:17:07,980 --> 00:17:09,900
entropy and, you know,
434
00:17:09,900 --> 00:17:12,360
combine a few techniques, combine a few
435
00:17:12,360 --> 00:17:14,220
tricks to also drop the entropy, and who
436
00:17:14,220 --> 00:17:15,900
knows, maybe even in sophisticated
437
00:17:15,900 --> 00:17:18,299
environments with endpoint detection
438
00:17:18,299 --> 00:17:20,579
stuff, maybe you will have a chance to
439
00:17:20,579 --> 00:17:23,459
not be detected. And you can also take
440
00:17:23,459 --> 00:17:25,319
this template that we just created and
441
00:17:25,319 --> 00:17:26,160
uh
442
00:17:26,160 --> 00:17:28,740
pass it into Villain, replace the
443
00:17:28,740 --> 00:17:30,600
payload template that it has to generate,
444
00:17:30,600 --> 00:17:33,240
this standard one that is actually
445
00:17:33,240 --> 00:17:36,419
detected, this one you can replace.
446
00:17:36,419 --> 00:17:38,100
I have made a video about this, you can
447
00:17:38,100 --> 00:17:40,500
find it and check this out. So you can
448
00:17:40,500 --> 00:17:42,299
combine these two,
449
00:17:42,299 --> 00:17:44,400
like this knowledge base, this repository,
450
00:17:44,400 --> 00:17:46,679
this demonstration, and just create your
451
00:17:46,679 --> 00:17:48,360
own obfuscated templates, and you will
452
00:17:48,360 --> 00:17:50,039
not have to worry about it getting
453
00:17:50,039 --> 00:17:52,140
detected after one week, especially if
454
00:17:52,140 --> 00:17:53,880
you spend some time to create something
455
00:17:53,880 --> 00:17:55,740
really unique. So hopefully you will find
456
00:17:55,740 --> 00:17:57,720
this useful. There's a lot of details in
457
00:17:57,720 --> 00:17:59,100
all these things that I just really
458
00:17:59,100 --> 00:18:01,140
quickly demonstrated right now. I have to
459
00:18:01,140 --> 00:18:03,539
go on vacation with my sister, and I'm
460
00:18:03,539 --> 00:18:05,100
gonna publish this repository right
461
00:18:05,100 --> 00:18:06,780
after this video is finished, I have to
462
00:18:06,780 --> 00:18:08,400
do some editing. If you like it, make sure
463
00:18:08,400 --> 00:18:10,620
to support this project and me as well,
464
00:18:10,620 --> 00:18:12,120
maybe you can just follow me, or not,
465
00:18:12,120 --> 00:18:13,559
whatever, do whatever you want, it doesn't
466
00:18:13,559 --> 00:18:16,320
matter. This is for penetration testers
467
00:18:16,320 --> 00:18:18,120
and red teamers and blue teamers and
468
00:18:18,120 --> 00:18:19,500
people interested in cyber security.
469
00:18:19,500 --> 00:18:22,020
Don't be evil, don't use this to gain
470
00:18:22,020 --> 00:18:23,580
access to systems that you should not
471
00:18:23,580 --> 00:18:25,980
have access to, except if someone asks
472
00:18:25,980 --> 00:18:27,840
you to do it for testing reasons, of
473
00:18:27,840 --> 00:18:29,700
course. And I hope you enjoyed this video
474
00:18:29,700 --> 00:18:33,080
and thanks for watching.