{"id":13844331,"url":"https://github.com/We5ter/Flerken","last_synced_at":"2025-07-11T22:31:42.501Z","repository":{"id":50349953,"uuid":"182990453","full_name":"We5ter/Flerken","owner":"We5ter","description":"A Solution For Cross-Platform Obfuscated Commands Detection presented on CIS2019 China. 动静态Bash/CMD/PowerShell命令混淆检测框架 - CIS 2019大会","archived":false,"fork":false,"pushed_at":"2019-08-21T07:12:04.000Z","size":10011,"stargazers_count":161,"open_issues_count":2,"forks_count":40,"subscribers_count":12,"default_branch":"master","last_synced_at":"2023-11-07T18:49:28.815Z","etag":null,"topics":["blueteam","de-obfuscates-bash","malware-detection","obfuscation-detection"],"latest_commit_sha":null,"homepage":"https://cis.freebuf.com/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/We5ter.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-04-23T10:21:48.000Z","updated_at":"2023-09-28T11:00:59.000Z","dependencies_parsed_at":"2022-08-31T02:11:37.445Z","dependency_job_id":null,"html_url":"https://github.com/We5ter/Flerken","commit_stats":null,"previous_names":[],"tags_count":2,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/We5ter%2FFlerken","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/We5ter%2FFlerken/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/We5ter%2FFlerken/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/We5ter%2FFlerken/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/We5ter","download_url":"https://codeload.github.com/We5ter/Flerken/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225763338,"owners_count":17520439,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blueteam","de-obfuscates-bash","malware-detection","obfuscation-detection"],"created_at":"2024-08-04T17:02:40.469Z","updated_at":"2024-11-21T16:31:11.223Z","avatar_url":"https://github.com/We5ter.png","language":null,"funding_links":[],"categories":["Others"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"doc/logo.png\" width=\"150\"\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003eFlerken\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \n  \u003cimg src=\"https://img.shields.io/badge/python-3.x-orange.svg\" alt=\"python 3.x\"\u003e\n  \u003cimg src=\"http://img.shields.io/badge/license-APL2-brightgreen.svg?style=flat\" alt=\"license\"\u003e\n  \n\u003c/p\u003e\n\n## Introduction\n\n\u003cb\u003eCommand Line Obfuscation (CLOB) \u003c/b\u003ehas been proved to be a non-negligible factor in fileless malware or malicious actors that are \"living off the land\". With dozens of obfuscation tools seen in the wild, by contrast few proper countermeasures can be found. In this talk, we present Flerken, an obfuscation detection approach that works for both Windows (Powershell and CMD) and Linux (Bash) commands. To the best of our knowledge, Flerken is the first solution that supports cross-platform obfuscation detection feature.\n\nThis talk first shares some key observations on CLOB such as its attack vectors and analyzing strategies. Then we give a detailed design of Flerken. The description is divided in two parts, namely \u003cb\u003eKindle (for Windows)\u003c/b\u003e and \u003cb\u003eOctopus (for Linux)\u003c/b\u003e. Respectively, we will show how human readability can serve as an effective statistical feature against PS/CMD obfuscation, and how dynamic syntax parsing can be adopted to eliminate false positives/negatives against Bash CLOB. The effectiveness of Flerken is evaluated via representative black/white command samples and performance experiments. \n\nHereby, we highlight the functional properties Flerken basically satisfies as follows:\n\n• \u003cb\u003eScalability.\u003c/b\u003e Flerken supports cross-platform obfuscation detection. Furthermore, Flerken can help achieve real-time obfuscation bubbling in server EDR systems (with a scale on the order of millions).\n\n• \u003cb\u003eAccuracy.\u003c/b\u003e Flerken is adequate to correctly distinguish most Windows/Linux command obfuscations. Therefore, Flerken can be adopted by enterprises in many security investigations of server endpoints.\n\n• \u003cb\u003eAvailability.\u003c/b\u003e Flerken now is accessible through its official webpage. All you have to do is to paste into the command string and test what you want to analyze. No specific input file format is required. We have also open-sourced Flerken on Github so you can build your own detector on demand.\n\n## Upcoming Release\n\n- **De-Obfuscated-Bash Tool: An image of the octopusbash-embedded docker.**\n- **A Web Manage Platform to monitor, config workflow of Flerken, also analysis the workflow ouput results.**\n\n## Web Demo Source Code\n\nPlease checkout our another branch [web-demo](https://github.com/We5ter/Flerken/tree/web-demo).\n\n## Getting Help\n\nIf you have any question or feedbacks on Flerken. Please create an issue and choose a suitable label for it. We will solve it as soon as possible.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"doc/labels.png\" width=\"95%\"\u003e\n\u003c/p\u003e\n\n## CHANGELOG\n\nPlease see our \u003ca href=\"./CHANGELOG.md\"\u003eCHANGELOG.md\u003c/a\u003e\n\n\n## Authors\n\n- \u003ca href=\"https://www.researchgate.net/profile/Yao_Zhang80\" target=\"_blank\"\u003eYao Zhang\u003c/a\u003e\n- \u003ca href=\"https://lightrains.org\" target=\"_blank\"\u003eZhiyang Zeng\u003c/a\u003e\n\n## Acknowledgments\n\nWe would like to thank all the contributors to this research project and all the members in Tencent Blade Team. In addition, we would like to thank security researchers Daniel Bohannon and Andrew LeFevre for their valuable feedback and discussion.\n\n## License\n\nFlerken is released under the Apache 2.0 license.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FWe5ter%2FFlerken","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FWe5ter%2FFlerken","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FWe5ter%2FFlerken/lists"}