
Obfuscation base64 with CMD #3105

Open
MarineLeM opened this issue Dec 10, 2024 · 3 comments
@MarineLeM

The Base64 obfuscation works well with PowerShell and sh executors, but it does not seem to work with the cmd executor.

When I checked the code, I found that the functions responsible for obfuscating commands are implemented specifically for psh and sh, but not for cmd.
To further investigate, I analyzed the network traffic and observed the HTTP requests between Caldera and the agent. For PowerShell, the command was obfuscated

powershell -Enc ZQBjAGgAbwAgAGgAZQBsAGwAbwAgAHcAbwByAGwAZAA=

However, for cmd, the command was in plain text.

echo hello world

My questions are:

  • Does the Base64 obfuscation feature support the cmd executor?
  • If not, is it technically possible to implement Base64 obfuscation for cmd commands?
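The two requests described above can be checked offline: a defender triaging process or HTTP logs wants to recover the plaintext behind a `powershell -Enc ...` argument, which wraps UTF-16LE text rather than UTF-8. The following is an added example, not code from the Caldera or stockpile projects; the sample command lines are constructed from the two lines quoted in this issue.

```python
import base64
import re
import shlex
from typing import Optional

# Constructed sample: the two command lines the issue reports seeing on the wire.
SAMPLE_COMMANDS = [
    "powershell -Enc ZQBjAGgAbwAgAGgAZQBsAGwAbwAgAHcAbwByAGwAZAA=",
    "echo hello world",
]

# Common spellings of PowerShell's -EncodedCommand switch (it is matched case-insensitively).
_ENC_FLAG = re.compile(r"^-(?:e|ec|enc|encodedcommand)$", re.IGNORECASE)


def encode_for_powershell(plaintext: str) -> str:
    """Encode text the way PowerShell expects for -EncodedCommand: UTF-16LE, then base64."""
    return base64.b64encode(plaintext.encode("utf-16-le")).decode("ascii")


def decode_powershell_encoded(cmdline: str) -> Optional[str]:
    """Return the plaintext carried by a `powershell -EncodedCommand <b64>` command line,
    or None when the line has no (valid) encoded payload, e.g. a plain cmd command."""
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        return None
    for i, tok in enumerate(tokens[:-1]):
        if not _ENC_FLAG.match(tok):
            continue
        try:
            raw = base64.b64decode(tokens[i + 1], validate=True)
        except ValueError:  # binascii.Error is a ValueError: not base64 at all
            return None
        if len(raw) % 2:  # an odd byte count cannot be UTF-16LE
            return None
        try:
            return raw.decode("utf-16-le")
        except UnicodeDecodeError:
            return None
    return None


def triage(cmdlines) -> dict:
    """Map each observed command line to the plaintext it runs (itself when not encoded)."""
    return {c: (decode_powershell_encoded(c) or c) for c in cmdlines}
```

Running `triage(SAMPLE_COMMANDS)` shows both requests execute the same `echo hello world`; only the cmd variant is visible without decoding.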

Looks like your first issue -- we aim to respond to issues as quickly as possible. In the meantime, check out our documentation here: http://caldera.readthedocs.io/

@elegantmoose
Contributor

elegantmoose commented Jan 9, 2025

Does the Base64 obfuscation feature support the cmd executor?

Looks like it is not specified (https://github.com/mitre/stockpile/blob/master/app/obfuscators/base64_basic.py). Not sure why it was left off the list.

Presumably not too hard to add. Not sure if you have identified an appropriate Python one-liner that correctly encodes for CMD.

@MarineLeM
Author

@elegantmoose If you have an idea on how to achieve this, I'd be curious to know, as I couldn’t find a way myself.

What I did find involves using CMD to call PowerShell or a tool like certutil to decode the command first before executing it. However, my understanding of obfuscation is not about decoding and then executing the command, but rather executing a command that remains encoded throughout. If you decode first and then execute, the obfuscation becomes useless since the EDR will catch the command in plain text.
