Open jborozco opened 1 month ago
Brainstorm on the possibility to launch plain text command on implant. Inspire yourself with Caldera -> stockpile/app/obfuscators/plain_text
Now, the implant retrieves the command in plain text and obfuscates it in base64. We need to raise the obfuscation to the OpenBAS platform level and give the obfuscated command directly to the implant (save in the db the plain command + the obfuscated command?). Don't forget to use this obfuscated command in the inject_expectations_signature.
Add an obfuscator at the inject level. The payload can be defined, and then we can change the obfuscator on the fly when we are using it.
Potential next steps:
Obfuscator from Caldera:
Use case
Add an obfuscator option to the technical inject / payload in order to avoid detection. Crowdstrike detects everything in base64.
We want to be able to choose an obfuscator for your technical inject to avoid detection: