Ability to choose an obfuscator for your technical inject to avoid detection #1604

Open
jborozco opened this issue Oct 1, 2024 · 1 comment · Fixed by OpenBAS-Platform/implant#26 · May be fixed by #2090
Assignees
Labels
feature use for describing a new feature to develop

Comments

@jborozco

jborozco commented Oct 1, 2024

Use case

Add an obfuscator option to the technical inject/payload in order to avoid detection.
CrowdStrike detects everything in base64.

We want to be able to choose an obfuscator for your technical inject to avoid detection:

  • base64
  • Clear
@jborozco jborozco added the feature use for describing a new feature to develop label Oct 1, 2024
@jborozco jborozco added this to the Release 1.10.0 milestone Oct 1, 2024
@RomuDeuxfois
Member

RomuDeuxfois commented Oct 2, 2024

  1. Feasibility step

Brainstorm on the possibility of launching a plain-text command on the implant. Take inspiration from Caldera -> stockpile/app/obfuscators/plain_text

  1. Currently, the implant retrieves the command in plain text and obfuscates it in base64. We need to move the obfuscation up to the OpenBAS platform level and give the obfuscated command directly to the implant (save in the DB the plain command + the obfuscated command?).
    Don't forget to use this obfuscated command in the inject_expectations_signature.

  2. Add the obfuscator at the inject level.
    The payload can be defined, and then we can change the obfuscator on the fly when we use it.

Potential next steps:

Obfuscator from Caldera:

  • base64, base64jumble, base64noPadding, caesar cipher, plain-text, steganography
    (see Caldera plugin -> stockpile/app/obfuscators)

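As an added example (not code from OpenBAS, Caldera or this issue) of the flow the comment above sketches, in Python: the platform keeps both the plain and the obfuscated command, derives the expectation signature from the obfuscated form, and the detection side normalises an observed command line (restoring stripped base64 padding before decoding) so the expectation is met whether telemetry shows the encoded or the decoded command. The `inject_expectations_signature` field layout and the sample telemetry line are assumptions, not the OpenBAS schema.

```python
import base64
import binascii
import re

def obfuscate(command: str, obfuscator: str) -> str:
    """Command form handed to the implant (only the text-rewriting obfuscators
    named in the issue; base64jumble, caesar and steganography are not modelled)."""
    if obfuscator == "plain-text":
        return command
    if obfuscator in ("base64", "base64noPadding"):
        encoded = base64.b64encode(command.encode()).decode()
        return encoded.rstrip("=") if obfuscator == "base64noPadding" else encoded
    raise ValueError(f"unsupported obfuscator: {obfuscator}")

def build_inject(command: str, obfuscator: str) -> dict:
    """Platform-side record as proposed: plain + obfuscated command, with the
    expectation signature derived from the obfuscated form (layout is assumed)."""
    obfuscated = obfuscate(command, obfuscator)
    return {"plain_command": command, "obfuscator": obfuscator,
            "obfuscated_command": obfuscated,
            "inject_expectations_signature": {"command_line": obfuscated}}

# A run of 16+ base64-alphabet characters, with or without '=' padding.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def candidate_plaintexts(observed_command_line: str) -> set:
    """Detection-side normalisation: the raw line plus every base64-looking token
    (padding restored if it was stripped) that decodes to printable text."""
    candidates = {observed_command_line}
    for token in _B64_TOKEN.findall(observed_command_line):
        padded = token + "=" * (-len(token) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            candidates.add(decoded)
    return candidates

def expectation_met(inject: dict, observed_command_line: str) -> bool:
    """True when telemetry shows the obfuscated command or its recovered plaintext."""
    signature = inject["inject_expectations_signature"]["command_line"]
    return any(signature in form or inject["plain_command"] in form
               for form in candidate_plaintexts(observed_command_line))

# Constructed telemetry line for the demo, not real EDR output.
SAMPLE_TELEMETRY = "implant.exe run d2hvYW1pIC9ncm91cHM"
if __name__ == "__main__":
    inject = build_inject("whoami /groups", "base64noPadding")
    print(inject["obfuscated_command"], expectation_met(inject, SAMPLE_TELEMETRY))
```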
@jborozco jborozco modified the milestones: Release 1.10.0, Release 1.9.0 Oct 2, 2024
@jborozco jborozco self-assigned this Oct 2, 2024
@savacano28 savacano28 self-assigned this Oct 23, 2024
@savacano28 savacano28 removed their assignment Nov 19, 2024
@EllynBsc EllynBsc changed the title Add obfuscator option to technical inject/ payload Ability to choose an obfuscator for your technical inject to avoid detection Nov 22, 2024
@damgouj damgouj self-assigned this Nov 27, 2024
MarineLeM added a commit that referenced this issue Dec 10, 2024
@MarineLeM MarineLeM linked a pull request Dec 17, 2024 that will close this issue