Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ability to choose an obfuscator for your technical inject to avoid detection #1604

Closed
jborozco opened this issue Oct 1, 2024 · 1 comment · Fixed by #2090 or OpenBAS-Platform/implant#26
Closed

Ability to choose an obfuscator for your technical inject to avoid detection #1604

jborozco opened this issue Oct 1, 2024 · 1 comment · Fixed by #2090 or OpenBAS-Platform/implant#26
Assignees
@Dimfacion @MarineLeM @jborozco @damgouj
Labels
feature use for describing a new feature to develop solved The issue has been solved
Milestone
Release 1.11.0

Comments

@jborozco
Copy link

jborozco commented Oct 1, 2024
edited by EllynBsc
Loading

Use case

Add obfuscator option to technical inject/ payload in order to avoid detection.
Crowdstrike detect everything in base 64.

We want to be able to choose an obfuscator for your technical inject to avoid detection:

  • base 64
  • Clear
@jborozco jborozco added the feature use for describing a new feature to develop label Oct 1, 2024
@jborozco jborozco added this to the Release 1.10.0 milestone Oct 1, 2024
@RomuDeuxfois
Copy link
Member

RomuDeuxfois commented Oct 2, 2024
edited
Loading

  1. Faisability Step

Brainstorm on the possibility to launch plain text command on implant. Inspire yourself with Caldera -> stockpile/app/obfuscators/plain_text

  1. Now, the implant retrieve the command in plain-text and obfuscates in base64. We need to raise the obfuscation at the OpenBAS platform level and give the obfuscate command directly to the implant (save in db the plain command + the obfuscation command ? ).
    Don't forget to use this obfscuquer command in the inject_expectations_signature.

  2. Add obfuscator at the inject level.
    The payload can be defined and then we can change obfuscator on the fly when we are using it.

Potential next steps:

Obfuscator from Caldera:

  • base64, base64jumble, base64noPadding, ceasar cypher, plain-text, steganography
    (see Caldera plugin -> stockpile/app/obfuscators)

@jborozco jborozco modified the milestones: Release 1.10.0, Release 1.9.0 Oct 2, 2024
@jborozco jborozco self-assigned this Oct 2, 2024
@savacano28 savacano28 self-assigned this Oct 23, 2024
@RomuDeuxfois RomuDeuxfois mentioned this issue Nov 8, 2024
Closed
@savacano28 savacano28 removed their assignment Nov 19, 2024
@EllynBsc EllynBsc changed the title Add obfuscator option to technical inject/ payload Ability to choose an obfuscator for your technical inject to avoid detection Nov 22, 2024
@damgouj damgouj self-assigned this Nov 27, 2024
This was referenced Dec 5, 2024
Merged
Merged
MarineLeM added a commit that referenced this issue Dec 10, 2024
@MarineLeM
[backend] handle cmd variables (#1604)
0b0afb3 
Signed-off-by: Marine LM <[email protected]>
@MarineLeM MarineLeM mentioned this issue Dec 17, 2024
Merged
This was linked to pull requests Dec 19, 2024
Add obfuscation chunk 2 #2090
Merged
[implant] decode payload with rust OpenBAS-Platform/implant#26
Merged
MarineLeM added a commit that referenced this issue Jan 2, 2025
@MarineLeM
Add obfuscation chunk 2 (#1604)
7b58130 
Signed-off-by: Marine LM <[email protected]>
@MarineLeM MarineLeM added the solved The issue has been solved label Jan 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Dimfacion Dimfacion

@MarineLeM MarineLeM

@jborozco jborozco

@damgouj damgouj

Labels
feature use for describing a new feature to develop solved The issue has been solved
Projects
None yet
Milestone
Release 1.11.0
6 participants
@savacano28 @Dimfacion @MarineLeM @jborozco @RomuDeuxfois @damgouj