
How to detect obfuscated commands in Windows and Linux servers

2025-04-05 Update. From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/03 Report

This article introduces how to detect obfuscated commands on Windows and Linux servers. Many people have questions about this topic, so we consulted the available material and put together a simple, practical procedure. We hope it answers those questions; follow along below.

Tool introduction

Command-line obfuscation is now common in fileless malware and in cybercrime generally. To bypass signature-based detection, red-team penetration testers and APT actors use a range of dedicated obfuscation and evasion techniques. At the same time, many code-obfuscation tools (that is, tools that perform syntactic transformations of a command) are open source, which makes it easy for an attacker to obfuscate any given command.

Defensive tooling against these techniques, however, is still scarce. There is practically no detection tool for Linux command-line obfuscation, and for Windows command-line obfuscation the existing solutions either provide no usable tool or address only part of the problem rather than all of it.

To detect these threats better, we designed and developed Flerken, a tooling platform for detecting obfuscated Windows (CMD and PowerShell) and Linux (Bash) commands. Flerken consists of two modules, Kindle and Octopus: Kindle is the obfuscation detector for Windows and Octopus is the obfuscation detector for Linux. To improve Flerken's classification performance we also use machine learning, bidirectional feature filtering and script sandboxing.

Tool installation & use

Tool installation

1. Make sure Python 3.x is installed on the server; check the version with the following command (use python3 -V on systems where python still points at Python 2):

[root@server:~$] python -V

2. Install the dependencies. They are all declared in requirement.txt (use the file name as it appears in your checkout of the repository):

[root@server:~$] pip install -r requirement.txt

3. Log in to the MySQL console and import the database schema (replace <your path> with the directory the repository was cloned into):

mysql> source <your path>/Flerken/flerken/lib/flerken.sql

4. Adjust the Flerken app configuration as needed:

Path: flerken/config/global_config.py

5. Run the tool:

[root@server:~$] python runApp.py

6. (Optional) To reduce false positives, build whitelist rules as needed for commands that are known to be benign in your environment:

Path: flerken/config/whitelists/

Tool use

Use of the tool is shown in the original article's screenshot (not reproduced here); the API interface can also be used:
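As an added example, and not Flerken's own code or its real feature set, the following scorer shows the shape of the classification the tool introduction describes and the role of the whitelist from step 6: per-shell obfuscation indicators (caret and backtick escapes, environment-variable substrings, -EncodedCommand, the -f format operator, ${IFS} separators, byte escapes, empty-quote splitting, eval/iex), a Shannon-entropy check, and a whitelist that suppresses a verdict for a known-good command. The indicator regexes, weights, thresholds, sample command lines and the whitelist entry are all constructed assumptions for illustration; Flerken's actual models and configuration format are not reproduced here.

```python
"""Feature-based obfuscation scoring for CMD, PowerShell and Bash command lines.

Added example for this article; not Flerken's code. Indicators, weights,
thresholds, the whitelist entry and the sample commands are all assumptions.
"""
import math
import re
from dataclasses import dataclass, field
from typing import List

# indicator name -> (regex, assumed weight), grouped by the shell that parses the command
INDICATORS = {
    "cmd": {
        "caret_escapes":     (re.compile(r"\^"), 1),                                   # c^m^d
        "env_substring":     (re.compile(r"%[A-Za-z_]+:~-?\d+(?:,-?\d+)?%"), 2),        # %COMSPEC:~0,1%
        "delayed_expansion": (re.compile(r"![A-Za-z_]+!"), 1),                          # !var!
        "set_then_call":     (re.compile(r"\bset\b[^&|]*&&?\s*call\b", re.I), 2),       # set x=..&&call %x%
    },
    "powershell": {
        "encoded_command":  (re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
        "backtick_escapes": (re.compile(r"`"), 1),                                      # i`e`x
        "string_concat":    (re.compile(r"'\s*\+\s*'"), 1),                             # 'i'+'ex'
        "format_operator":  (re.compile(r"\{\d+\}[^)]*-f\b", re.I), 2),                 # "{1}{0}" -f 'ex','i'
        "char_casts":       (re.compile(r"\[char\]", re.I), 1),                         # [char]105
        "iex":              (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 1),
    },
    "bash": {
        "ifs_separator": (re.compile(r"\$\{?IFS\}?"), 2),                               # echo${IFS}x
        "base64_decode": (re.compile(r"base64(?:\s|\$\{?IFS\}?)+(?:-d|--decode)\b"), 1),
        "byte_escapes":  (re.compile(r"\\x[0-9a-fA-F]{2}|\$'\\"), 2),                   # printf '\x69\x64'
        "brace_slice":   (re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*:\d+:\d+\}"), 2),     # ${PATH:0:1}
        "empty_quotes":  (re.compile(r"''|\"\""), 1),                                   # b''a''s''h
        "eval":          (re.compile(r"\beval\b"), 1),
    },
}

ENTROPY_THRESHOLD = 4.8   # assumed: bits per character above which a command looks encoded
OBFUSCATED_SCORE = 2      # assumed verdict threshold on the weighted indicator sum

# Constructed whitelist standing in for flerken/config/whitelists/: a known-good
# deployment wrapper that legitimately runs a fixed -enc blob (prefix is enough).
WHITELIST = [
    re.compile(r"^powershell(?:\.exe)? -NoProfile -ExecutionPolicy Bypass -enc SQBtAHAAbwBy"),
]


def shannon_entropy(text: str) -> float:
    """Bits per character of the command string (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Verdict:
    shell: str
    command: str
    indicators: List[str] = field(default_factory=list)
    entropy: float = 0.0
    score: int = 0
    whitelisted: bool = False

    @property
    def obfuscated(self) -> bool:
        # a whitelist hit always wins, mirroring the false-positive reduction of step 6
        return not self.whitelisted and self.score >= OBFUSCATED_SCORE


def analyze(shell: str, command: str) -> Verdict:
    """Score one command line for the given shell ('cmd', 'powershell' or 'bash')."""
    if shell not in INDICATORS:
        raise ValueError(f"unsupported shell: {shell}")
    verdict = Verdict(shell=shell, command=command)
    verdict.whitelisted = any(rule.search(command) for rule in WHITELIST)
    for name, (pattern, weight) in INDICATORS[shell].items():
        if pattern.search(command):
            verdict.indicators.append(name)
            verdict.score += weight
    verdict.entropy = round(shannon_entropy(command), 2)
    if verdict.entropy > ENTROPY_THRESHOLD:
        verdict.indicators.append("high_entropy")
        verdict.score += 1
    return verdict


# Constructed sample command lines (benign and obfuscated) for each shell.
SAMPLES = [
    ("cmd", r"dir C:\Users /b"),
    ("cmd", r'c^m^d /c "set a=pow&&set b=ershell&&call %a%%b% -nop"'),
    ("powershell", "Get-Process | Where-Object { $_.CPU -gt 100 }"),
    ("powershell", "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"),
    ("powershell", "& (\"{1}{0}\" -f 'ex','i') ('N'+'ew-Object Net.WebClient')"),
    ("powershell", "powershell -NoProfile -ExecutionPolicy Bypass -enc SQBtAHAAbwByAHQALQBNAG8AZAB1AGwAZQAgAEQAZQBwAGwAbwB5AA=="),
    ("bash", "ls -la /var/log | grep auth"),
    ("bash", "echo${IFS}cHdk|base64${IFS}-d|b''a''s''h"),
    ("bash", "eval \"$(printf '\\x69\\x64')\""),
]


def analyze_samples() -> List[Verdict]:
    return [analyze(shell, cmd) for shell, cmd in SAMPLES]


def main() -> None:
    for v in analyze_samples():
        flag = "WHITELISTED" if v.whitelisted else ("OBFUSCATED" if v.obfuscated else "clean")
        print(f"[{v.shell:10}] {flag:11} score={v.score} H={v.entropy} {v.indicators} :: {v.command}")


if __name__ == "__main__":
    main()
```

The whitelisted sample scores high on its own (the -enc blob alone reaches the threshold) and is suppressed only because the rule matches it, which is exactly the failure mode step 6 exists for: a feature-based detector cannot tell a management agent's encoded command from an attacker's, so known-good invocations have to be enumerated explicitly. Keep such rules as specific as possible (here the rule pins the blob prefix, not just the -enc flag), or the whitelist becomes the bypass.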

Get help information

If you have questions about using Flerken, open an issue on the project and tag it; the authors will address it as soon as possible.

Bundled third-party libraries

Flask

Flask-WTF

Flask-Limiter

Frankie-huang/pythonMySQL

JQuery

Swiper

This concludes the walkthrough of detecting obfuscated commands on Windows and Linux servers. Theory is best paired with practice, so try the tool on your own servers.
