Flerken - Obfuscated Command Detection Tool


Command line obfuscation has proved to be a non-negligible factor in fileless malware and in malicious actors that are "living off the land". To bypass signature-based detection, dedicated obfuscation techniques have been shown to be used in red-team penetration tests and even in APT activity. Meanwhile, numerous obfuscators (tools that perform syntax transformation) are open source, making the obfuscation of a given command increasingly effortless.
However, the number of suitable defenses remains small. For Linux command line obfuscation, we can barely find any detection tools. Concerning defenses against Windows command obfuscation, existing schemes turn out to either lack toolization or only partially resolve the problem, sometimes even inaccurately.
To better facilitate obfuscation detection, we have proposed Flerken, a toolized platform that can be used to detect obfuscation in both Windows (CMD and PowerShell) and Linux (Bash) commands. The name Flerken is inspired by a cat-like but extremely powerful beast from the Marvel universe. Flerken is built on the basis of carefully collected black/white samples, and can be divided into 2 sub-schemes, namely Kindle (Windows obfuscation detector) and Octopus (Linux obfuscation detector). To help optimize Flerken's classification performance, we adopt techniques such as machine learning, bi-directional feature filtering, and script sandboxing.
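As an added illustration of the kind of lexical features such a detector can compute before any machine-learning step (example code written for this page, not Flerken's own implementation; the character set, feature names and thresholds are assumptions):

```python
import math
import re
from collections import Counter

# Added example (not Flerken's own code): a lexical feature extractor and a
# heuristic scorer for command-line obfuscation. The character set, feature
# names and thresholds below are assumptions chosen for illustration.
SPECIAL_CHARS = set('^`"\'$%(){}[]|&;,+~')  # symbols obfuscators tend to insert

def shannon_entropy(text: str) -> float:
    """Bits per character; rises when many distinct symbols are mixed together."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def extract_features(cmd: str) -> dict:
    """Compute lexical features for one command line."""
    n = max(len(cmd), 1)
    tokens = re.split(r"\s+", cmd.strip())
    return {
        "entropy": shannon_entropy(cmd),
        "special_ratio": sum(ch in SPECIAL_CHARS for ch in cmd) / n,
        "caret_backtick": cmd.count("^") + cmd.count("`"),
        # Longest whitespace-free token; an encoded blob shows up as one huge token.
        "longest_token": max((len(t) for t in tokens), default=0),
    }

def obfuscation_score(cmd: str) -> int:
    """Count how many heuristic indicators fire (thresholds are assumptions)."""
    f = extract_features(cmd)
    score = 0
    score += f["special_ratio"] > 0.15   # unusually symbol-heavy
    score += f["caret_backtick"] >= 3    # CMD caret / PowerShell backtick insertion
    score += f["entropy"] > 4.5          # near-random character mix
    score += f["longest_token"] >= 40    # base64-like blob
    return int(score)

def is_obfuscated(cmd: str, threshold: int = 2) -> bool:
    """Flag a command when at least `threshold` indicators fire."""
    return obfuscation_score(cmd) >= threshold

# Constructed sample inputs (not real telemetry): a plain listing and a caret-inserted echo.
BENIGN_CMD = r"dir C:\Windows\System32"
CARET_CMD = "e^c^h^o ^h^e^l^l^o"

if __name__ == "__main__":
    for cmd in (BENIGN_CMD, CARET_CMD):
        print(f"{obfuscation_score(cmd)} indicator(s): {cmd!r}")
```

Hand-tuned thresholds like these are exactly what a whitelist or a trained classifier refines; the features are the input, not the verdict.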

Documentation
For a detailed description of Flerken, please review our specification document here.

Quickstart
  • Installation

    Step 1: Ensure you have installed Python 3.x on your server; you can use the following command to check it.
    [root@server: $] python -V

    Step 2: Install the required components; all the prerequisite components have been declared in requirement.txt.
    [root@server: $] pip install -r requirement.txt

    Step 3: Customize your Flerken app config as you want.
    Path: flerken/config/global_config.py

    Step 4: Now you can run it!
    [root@server: $] python runApp.py

    Step 5 (Optional): You can build your own whitelists to reduce the false positive rate.
    Path: flerken/config/whitelists/
  • How to use

    It's really easy to use, as shown in the following picture, and we will also release API interfaces soon.

Getting Help
If you have any questions or feedback on Flerken, please create an issue and choose a suitable label for it. We will resolve it as soon as possible.


Built-in third parties

Authors