Use this tool to check whether your network anomaly detection solution is working as intended.

Instead of sending the data directly in encrypted form, we can use the Markov Obfuscation tool created by the Cylance SPEAR team.

When used correctly, it can transform a simple /etc/passwd file from:

To:

The steps that need to be taken:

  1. First, we encode the encrypted content with Base64 to get rid of non-printable characters.
  2. As discussed, we also need a large amount of text to use as training data. One option is to bundle the training data inside the agent. However, that is not practical, since it would increase the agent size by around ten megabytes. Instead, we can download the dataset from an external source. It does not have to be our own website; the agent can be programmed to crawl and parse text from news sites, blogs, and so on.
  3. Train the Markov Obfuscation algorithm with the downloaded training data.
  4. Encode the data with the generated model.
  5. Send the encoded data to the C2 server, along with the training data.
  6. The C2 server builds the same model from the training data and is then able to decode the main data.

Download the package:

References:

  1. github.com/tearsecurity/firstorder
  2. utkusen.com/blog/bypassing-anomaly-based-nids-with-empire.html
  3. github.com/CylanceSPEAR/MarkovObfuscate