String Replacement

This technique includes replacing the characters from a string. Consider below example

set string=hello!
set string=%string:!=%

The string will now have the value "hello" instead of "hello!"

string replace obfuscation.png, Aug 2021

 

 

Using Double Quotes

Double quotes can be used in command as well as command arguements. Using a balanced pair of double quotes do not affect the syntax. For ex:
c""m""d.exe /c not""e""pad  is a perfectly balanced command which works

double quote obfuscation.png, Aug 2021

 


Extracting Value From Variables

COMPSEC is an environment variable which holds the default shell in windows. You can check it via set command.  The string ‘cmd’ can be extracted from this variable to avoid typing it in our script and avoid detection.  In below image %COMSPEC:~ 20,3% evaluated to cmd

comspec obfuscation.png, Aug 2021

 

 

Using Parenthesis

Parenthesis can be used in command line arguments for obfuscation purposes as shown in below image

parenthesis obfuscation.png, Aug 2021

 

Using Caret For Obfuscation

Most commonly used obfuscation character. The ^ symbol (also called caret or circumflex) is an escape character in Batch script. When it is used, the next character is interpreted as an ordinary character. Caret character can escape itself.

echo ^alpha   will give      alpha
echo ^^alpha will give    ^alpha
echo ^^^^alpha will give    ^^alpha
caret obfuscation.png, Aug 2021

 

 

For Loop Obfuscation

Cmd’s native tokens and delim make it possible to extract values from a string and use accordingly.
Delimiter acts like -d and tokens act like -f of cut command in linux. 
In image below we are extracting the word ‘powershell’ from environment variable.

for obfuscate.png, Aug 2021

 

 

Comma and Semicolon Obfuscation

Comma and semicolons can be used in place of spaces under cmd.

comma-colon obfuscation.png, Aug 2021

 

 

 

Let us now combine some methods to download remote contents. For this we created a local server on port 8000 and hosted a file with below contents:

Write-Host This is fetched from remote server -ForegroundColor Green; Start-Process -FilePath "notepad.exe"

The command executed successfully popping up a notepad, as shown in below image

command.png, Aug 2021

 

FOR ENTHUSIAST READERS

Try to decode the below obfuscation:

command1.png, Aug 2021