Flerken : Obfuscated Command Detection Tool

Flerken is an Open-source obfuscated command detection tool. Command line obfuscation has been proved to be a non-negligible factor in file-less malware or malicious actors that are “living off the land”.

To bypass signature-based detection, dedicated obfuscation techniques are shown to be used by red-team penetrations and even APT activities.

Meanwhile, numerous obfuscators (namely tools perform syntax transformation) are open sourced, thus making obfuscating given commands increasingly effortless.

However, the number of suitable defenses remains to be few. For Linux command line obfuscation,we can barely find any detection tools.

Concerning defenses against Windows command obfuscation, existing schemes turn out to either lack of toolization, or only partially resolve the entire problem, sometimes even inaccurately.

To better facilitate obfuscation detection, we have proposed Flerken, a toolized platform that can be used to detect both Windows (CMD and Powershell) and Linux (Bash) commands.

The name of Flerken is inspired by a cat-like yet extremely powerful creature from Marvel world. Flerken is build on the basis of carefully collection of black/white samples, and can be divided into two sub-schemes, namely Kindle (Windows obfuscation detector) and Octopus (Linux obfuscation detector).

To help optimize Flerken’s classification performance, we adopt techniques such as machine learning, bi-directional feature filter ring, script sandboxing.

Also Read : NAXSI : WAF For NGINX

Quick start : Installation

  • Step 1: Ensure you have installed python 3.x on your server, you can use the following command to check it.

[root@server:~$] python -V

  • Step 2: Install the required components, all the prerequisite components have been declared in requirement.txt.

[root@server:~$] pip install -r requirement.txt

  • Step 3: Login in your MySQL console, and import database

source /your path/Flerken/flerken/lib/flerken.sql

  • Step4: Custom your Flerken APP config as you want.

Path: flerken/config/global_config.py

  • Step5: Now you can run it!

[root@server:~$] python runApp.py

  • Step 6(Optional): You can build your own whitelists for reducing false positive rate.

Path: flerken/config/whitelists/

How to use

It’s very easy to use as shown in the following picture, and we will also release API interfaces as soon.\

Build-in 3rd parties

  • Flask
  • Flask-WTF
  • Flask-Limiter
  • frankie-huang/pythonMySQL
  • jQuery
  • Swiper

Credits: Yao Zhang, Zhiyang Zeng

R K

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

2 hours ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

23 hours ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

1 day ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

1 day ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

1 day ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

1 day ago