What is ArgFuscator?

ArgFuscator is an open-source, stand-alone web application that helps generate obfuscated command lines for common system-native executables.

Command-line obfuscation (T1027.010) is the masquerading of a command's true intention through the manipulation of a process' command line. Across Windows, Linux and macOS, many applications parse the command-line arguments passed to them in unexpected ways, leading to situations in which insertion, deletion and/or substitution of certain characters does not change the program's execution flow. Successful command-line obfuscation is likely to frustrate defensive measures such as AV and EDR software, in some cases bypassing detection altogether.

A sample certutil command in normal and obfuscated form

Although previous research has highlighted the risks of command-line obfuscation, mostly with anecdotal examples of vulnerable (system-native) applications, there is a knowledge vacuum surrounding this technique. This project aims to fill it by providing a centralised resource that documents and demonstrates various command-line obfuscation techniques, and records the susceptibility of popular applications to each of them.

Goal

The primary goal of this project is to document known command-line obfuscation techniques against applications commonly used in cyber attacks, and to use this knowledge to let users generate obfuscated command lines. For cyber security defenders, this provides a powerful tool for testing their own defence systems. Since detecting or otherwise accommodating for command-line obfuscation does not have to be difficult, having access to this resource allows for effective, real-world validation of the defence mechanisms in one's environment.

Coming about

First, through literature review and our own research, command-line obfuscation techniques were gathered, analysed and classified. The identified techniques form the basis for the subsequent analysis.

Following this, by assessing a wide variety of popular applications, both in automated fashion and through manual inspection, a mapping between the defined techniques and vulnerable applications was created. The resulting 'obfuscation models' are captured in machine-readable format.

Thirdly, a system was created that transforms an arbitrary command line by applying a sequence of defined obfuscation techniques from a provided configuration. To ensure ease of use, a TypeScript implementation was created, backed by a user-friendly web interface, which can interpret the aforementioned model files; the result is the website you're currently visiting. Additionally, a cross-platform PowerShell implementation was created.
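The model-driven transformation described above is the offensive side of the picture; as an added example (not ArgFuscator's code or its real model format), the block below shows the defensive counterpart that the goal section refers to: a constructed model records which characters an assumed parser ignores or treats as equivalent, and a normaliser strips them back out so that a detection rule written for the plain command line also matches its obfuscated form. The program name `example.exe`, the character sets and the detection rule are assumptions made for this illustration.

```typescript
// Added illustration, not ArgFuscator's code: a constructed obfuscation model
// and the defender-side normaliser that undoes insertion/substitution tricks.
interface ObfuscationModel {
  program: string;                        // executable the model describes
  insertable: string[];                   // characters the assumed parser drops from tokens
  substitutions: { [from: string]: string }; // variant characters the parser treats as equal
}

// Constructed sample model; the character choices are assumptions for this example,
// not measured behaviour of any real program.
const sampleModel: ObfuscationModel = {
  program: "example.exe",
  insertable: ['"', "^"],
  substitutions: { "/": "-" },            // e.g. '/flag' and '-flag' treated alike
};

// Undo insertion and substitution obfuscation so the canonical form can be compared.
function normalizeCommandLine(cmd: string, model: ObfuscationModel): string {
  let out = "";
  for (const ch of cmd) {
    if (model.insertable.indexOf(ch) !== -1) continue;          // drop inserted filler
    out += ch in model.substitutions ? model.substitutions[ch] : ch; // map variants
  }
  return out.replace(/\s+/g, " ").trim().toLowerCase();         // collapse whitespace, case-fold
}

// Hypothetical detection rule: flag invocations that use the -decode switch.
const rule = "example.exe -decode";

// Naive detection on the raw command line (what obfuscation is meant to evade).
function rawMatch(cmd: string): boolean {
  return cmd.toLowerCase().indexOf(rule) !== -1;
}

// Detection after normalisation, which sees through the model's tricks.
function normalizedMatch(cmd: string, model: ObfuscationModel): boolean {
  return normalizeCommandLine(cmd, model).indexOf(rule) !== -1;
}

// Constructed command lines: one plain, one with inserted and substituted characters.
const plainCommand = "example.exe -decode payload.txt out.bin";
const obfuscatedCommand = 'ex^am"ple.exe /de^co"de payload.txt out.bin';
```

Running `normalizedMatch` over real process-creation telemetry, with one model per monitored executable, is the kind of check that lets a detection survive the transformations this site generates.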

Finally, the models were tested against the created implementation in order to validate their correctness, allowing the findings to be tuned further. The result is this project, encompassing the results of all stages.

FAQs

What is command-line obfuscation?

Command-line obfuscation is an attempt to masquerade or otherwise hide the true intention of a program execution. In a cyber security context in particular, this usually involves rewriting a process' arguments into something that is functionally equivalent to the original but bypasses detection systems. This may enable an attacker to execute a malicious command with a lower chance of being detected.

Why would I need to obfuscate command lines?

Typically used by threat actors and red teamers, obfuscating command-line arguments masks the goal of the command, and may bypass detection mechanisms and fool security analysts. As a security professional, you may therefore use this tool to test your resilience against command-line obfuscation, for example by validating whether your detections still work when command-line arguments are obfuscated.

The obfuscated command did not work, what do I do?

Command lines generated by ArgFuscator may sometimes not work as expected; one reason for this may be that the targeted program has been updated since the obfuscation options were originally determined. Another reason may be that the obfuscation model created for ArgFuscator was incorrect. Command lines are complicated, as every program has its own way of parsing and interpreting the provided arguments; we may therefore get small things wrong. If you believe this is the case, please raise an issue on ArgFuscator's GitHub repository so it can be looked into.