by We5ter

We5ter / Flerken

A Solution For Cross-Platform Obfuscated Commands Detection 动静态Bash/CMD/PowerShell命令混淆检测框架

127 Stars 36 Forks Last release: over 1 year ago (v1.0.2) Apache License 2.0 32 Commits 2 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:


python 3.x license


Command Line Obfuscation (CLOB) has been proved to be a non-negligible factor in fileless malware or malicious actors that are "living off the land". With dozens of obfuscation tools seen in the wild, by contrast few proper countermeasures can be found. In this talk, we present Flerken, an obfuscation detection approach that works for both Windows (Powershell and CMD) and Linux (Bash) commands. To the best of our knowledge, Flerken is the first solution that supports cross-platform obfuscation detection feature.

This talk first shares some key observations on CLOB such as its attack vectors and analyzing strategies. Then we give a detailed design of Flerken. The description is divided in two parts, namely Kindle (for Windows) and Octopus (for Linux). Respectively, we will show how human readability can serve as an effective statistical feature against PS/CMD obfuscation, and how dynamic syntax parsing can be adopted to eliminate false positives/negatives against Bash CLOB. The effectiveness of Flerken is evaluated via representative black/white command samples and performance experiments.

Hereby, we highlight the functional properties Flerken basically satisfies as follows:

Scalability. Flerken supports cross-platform obfuscation detection. Furthermore, Flerken can help achieve real-time obfuscation bubbling in server EDR systems (with a scale on the order of millions).

Accuracy. Flerken is adequate to correctly distinguish most Windows/Linux command obfuscations. Therefore, Flerken can be adopted by enterprises in many security investigations of server endpoints.

Availability. Flerken now is accessible through its official webpage. All you have to do is to paste into the command string and test what you want to analyze. No specific input file format is required. We have also open-sourced Flerken on Github so you can build your own detector on demand.

Upcoming Release

  • De-Obfuscated-Bash Tool: An image of the octopusbash-embedded docker.
  • A Web Manage Platform to monitor, config workflow of Flerken, also analysis the workflow ouput results.

Web Demo Source Code

Please checkout our another branch web-demo.

Getting Help

If you have any question or feedbacks on Flerken. Please create an issue and choose a suitable label for it. We will solve it as soon as possible.


Please see our CHANGELOG.md



We would like to thank all the contributors to this research project and all the members in Tencent Blade Team. In addition, we would like to thank security researchers Daniel Bohannon and Andrew LeFevre for their valuable feedback and discussion.


Flerken is released under the Apache 2.0 license.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.