Flerken is an Open-source obfuscated command detection tool. Command line obfuscation has been proved to be a non-negligible factor in file-less malware or malicious actors that are “living off the land”.
To bypass signature-based detection, dedicated obfuscation techniques are shown to be used by red-team penetrations and even APT activities.
Meanwhile, numerous obfuscators (namely tools perform syntax transformation) are open sourced, thus making obfuscating given commands increasingly effortless.
However, the number of suitable defenses remains to be few. For Linux command line obfuscation,we can barely find any detection tools.
Concerning defenses against Windows command obfuscation, existing schemes turn out to either lack of toolization, or only partially resolve the entire problem, sometimes even inaccurately.
To better facilitate obfuscation detection, we have proposed Flerken, a toolized platform that can be used to detect both Windows (CMD and Powershell) and Linux (Bash) commands.
The name of Flerken is inspired by a cat-like yet extremely powerful creature from Marvel world. Flerken is build on the basis of carefully collection of black/white samples, and can be divided into two sub-schemes, namely Kindle (Windows obfuscation detector) and Octopus (Linux obfuscation detector).
To help optimize Flerken’s classification performance, we adopt techniques such as machine learning, bi-directional feature filter ring, script sandboxing.
Also Read : NAXSI : WAF For NGINX
Quick start : Installation
[root@server:~$] python -V
[root@server:~$] pip install -r requirement.txt
source /your path/Flerken/flerken/lib/flerken.sql
Path: flerken/config/global_config.py
[root@server:~$] python runApp.py
Path: flerken/config/whitelists/
How to use
It’s very easy to use as shown in the following picture, and we will also release API interfaces as soon.\
Build-in 3rd parties
Credits: Yao Zhang, Zhiyang Zeng
Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…
MODeflattener is a specialized tool designed to reverse OLLVM's control flow flattening obfuscation through static…
"My Awesome List" is a curated collection of tools, libraries, and resources spanning various domains…
CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, allowed attackers to execute arbitrary…
The blog post "Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals" provides…
The exploitation of CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, relies on…