Blog
Informative, up-to-date and exciting - the Oneconsult Cybersecurity Blog.

An Introduction to Batch File Obfuscation

Batch files are an essential tool many users and administrators use to perform automated tasks. However, attackers also use these batch files to execute malicious commands on a system. To avoid detection by antivirus software, batch files are obfuscated.

Obfuscation is a method that attackers commonly use to disguise their malicious files or payloads. Obfuscation has two main goals. First, from a defender’s perspective, more resources must be invested to understand how the malware works. Second, obfuscation is intended to circumvent protection mechanisms such as antivirus. There are a variety of techniques to achieve obfuscation. This blog post describes what batch files are and why they are obfuscated.

An Introduction to Batch File Obfuscation

What is a Batch File?

A batch file (.bat) is an executable text file that is run by the Windows command line processor cmd.exe (CMD). These files can be created with any text editor and contain CMD commands. Double-clicking on such a file opens the command line, processing its commands from top to bottom. Administrators often use batch files to execute certain workflows faster and easier, eliminating the need to enter the commands manually. Figure 1 shows a simple batch file that uses the XCOPY command to copy the contents from the source directory to the backup directory. Specifying the “/m” flag ensures that only updated files are copied, preventing files that have already been backed up from being copied again.

Batch Script for Creating Backups
Figure 1: Batch Script for Creating Backups

Why are Batch Files Obfuscated?

Like administrators, attackers also use .bat files because they can be used to execute many system-specific commands. An example of this is disabling Windows Defender. As shown in Figure 1, a batch script is plain text, and Signature-based antivirus software can scan these files and check for malicious content. This results in these malicious batch files being detected and blocked by the above solutions. To prevent this, the attackers often obfuscate the content. Various techniques can be used for this obfuscation, and there are several freely available and easy-to-use implementations of obfuscation techniques. They are also built into common tools such as Meterpreter (see Metasploit Documentation). Figure 2 shows an obfuscated batch file. The content consists of seemingly random characters which hide the actual function of this file.

Obfuscated Batch File
Figure 2: Obfuscated Batch File (Line Breaks Are Enabled)

How Can I Detect Batch File Obfuscation?

When obfuscated, some antivirus solutions can no longer detect malicious batch files. Therefore, caution is advised when such executable files are found that have content that is difficult for humans to read. Under no circumstances should these files be executed before the file is thoroughly reviewed. Likewise, care should be taken if batch files are found in an unexpected location, such as on the desktop, or if no batch files are expected on the system. The following methods can be used to detect batch file obfuscation:

Text Editor

The easiest way to view the contents is to open the file in a text editor. To detect possible obfuscation, the following points can be considered:

  • Are the characters readable to me? As shown in the example in Figure 2, these are unknown characters that cannot be interpreted by humans. It is also possible that only part of the content is not readable. Again, an eye should be kept on this.
  • Are randomly generated variable and function names used? An example can be seen in Figure 3. Set is used here for setting a variable.
  • Also noticeable is when existing functions are assigned to a new variable name.
Setting a Variable
Figure 3: Setting a Variable

If the mentioned points are recognized, it can be a possible obfuscation. The file should be checked further and only then executed.

YARA Rules

YARA rules offer another possibility for detection (see Security Insider). YARA rules can be used to search for specific patterns in files or processes. This should make it possible to detect and classify malware. There are already many predefined rules that can be used. However, it is also possible to write your own YARA rules. Additionally, YARA rules can be used in different antivirus solutions It should be noted that what can be detected depends heavily on the rule in question. There are YARA rules that are written for a specific obfuscator. This rule only works for that obfuscator and does not detect other techniques. However, there are also rules that work for multiple techniques. Therefore, YARA rules are limited in their ability to detect batch file obfuscation.

To demonstrate the use of YARA rules, a simple rule was written. As shown in Figure 4, this rule searches for the three specified hexadecimal values (see red marker). One of the three values must be contained in an obfuscated batch file to be recognized. Please note that this is an example rule and should not be used in practice.

Example YARA rule for detection of obfuscated batch files
Figure 4: Example YARA rule for detection of obfuscated batch files

Figure 1 shows the original script without obfuscation and Figure 5 represents the obfuscated version of the script. The obfuscation was performed using an obfuscator available on the Internet (see github). This obfuscation is now to be detected using the example YARA rule.

Obfuscated batch file
Figure 5: Obfuscated batch file

The rule is applied to the two files with the command yara. As can be seen, nothing is detected in the Beispiel.bat file. Obfuscation is detected in the Beispiel_obfuscated.bat file and thus the rule is applied.

Applying the YARA rule
Figure 6: Applying the YARA rule

Outlook

The obfuscation of batch files is a way for attackers to bypass a company’s security measures. In the upcoming second part, an obfuscation will be presented from a real case, and it will be shown how suspicious batch files were handled and how the obfuscation can be reversed.

Do you still have questions about Batch File Obfuscation or need assistance with it? Our DFIR team will be happy to help you. We look forward to hearing from you.

Published on: 12.05.2023

Share

Never miss the latest news on cyber security topics again? Sign up for our newsletter

Author

Since August 2022, Melanie Kubli has been working as a Digital Forensics & Incident Response Specialist at Oneconsult. She is a GIAC Certified Forensic Examiner (GCFE) and holds a “Blue Team Level 1” certification.

LinkedIn

Don’t miss anything! Subscribe to our free newsletter.

Your security is our top priority – our specialists provide you with professional support.

Availability Monday to Friday 8:00 a.m. – 12:00 p.m. and 1:00 p.m. – 5:00 p.m (exception: customers with SLA – please call the 24/7 IRR emergency number).

Private individuals please contact your trusted IT service provider or the local police station.

For more information about our DFIR services here:

QR_CSIRT_2022_EN@2x
Add CSIRT to contacts