Need help with Flerken?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

135 Stars 38 Forks Apache License 2.0 32 Commits 0 Opened issues


A Solution For Cross-Platform Obfuscated Commands Detection presented on CIS2019 China. 动静态Bash/CMD/PowerShell命令混淆检测框架 - CIS 2019大会

Services available


Need anything else?

Contributors list

# 3,472
31 commits


python 3.x license


Command Line Obfuscation (CLOB) has been proved to be a non-negligible factor in fileless malware or malicious actors that are "living off the land". With dozens of obfuscation tools seen in the wild, by contrast few proper countermeasures can be found. In this talk, we present Flerken, an obfuscation detection approach that works for both Windows (Powershell and CMD) and Linux (Bash) commands. To the best of our knowledge, Flerken is the first solution that supports cross-platform obfuscation detection feature.

This talk first shares some key observations on CLOB such as its attack vectors and analyzing strategies. Then we give a detailed design of Flerken. The description is divided in two parts, namely Kindle (for Windows) and Octopus (for Linux). Respectively, we will show how human readability can serve as an effective statistical feature against PS/CMD obfuscation, and how dynamic syntax parsing can be adopted to eliminate false positives/negatives against Bash CLOB. The effectiveness of Flerken is evaluated via representative black/white command samples and performance experiments.

Hereby, we highlight the functional properties Flerken basically satisfies as follows:

Scalability. Flerken supports cross-platform obfuscation detection. Furthermore, Flerken can help achieve real-time obfuscation bubbling in server EDR systems (with a scale on the order of millions).

Accuracy. Flerken is adequate to correctly distinguish most Windows/Linux command obfuscations. Therefore, Flerken can be adopted by enterprises in many security investigations of server endpoints.

Availability. Flerken now is accessible through its official webpage. All you have to do is to paste into the command string and test what you want to analyze. No specific input file format is required. We have also open-sourced Flerken on Github so you can build your own detector on demand.

Upcoming Release

  • De-Obfuscated-Bash Tool: An image of the octopusbash-embedded docker.
  • A Web Manage Platform to monitor, config workflow of Flerken, also analysis the workflow ouput results.

Web Demo Source Code

Please checkout our another branch web-demo.

Getting Help

If you have any question or feedbacks on Flerken. Please create an issue and choose a suitable label for it. We will solve it as soon as possible.


Please see our



We would like to thank all the contributors to this research project and all the members in Tencent Blade Team. In addition, we would like to thank security researchers Daniel Bohannon and Andrew LeFevre for their valuable feedback and discussion.


Flerken is released under the Apache 2.0 license.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.