Obfuscation
As endpoint security solutions catch up with attacker methods and implement numerous heuristics and detection signatures to catch powershell commands as theyâre being executed, we turn to obfuscation as a layer in helping us evade those defenses.
One of the more well-known frameworks we can use for this purpose is Daniel Bohannonâs Invoke-Obfuscation.
Invoke-Obfuscation offers us some excellent options we can use to obfuscate and encode our powershell commands or script blocks using a number of methods including AES encryption with the âSecureStringâ method, to special characters and even whitespace encoding.
Weâll first need to download the Invoke-Obfuscation framework into our modules directory, same as we did for the PowerSploit example in the Fundamentals lesson module. We can download the master.zip for Invoke-Obfuscation from github here:
We can find a modules path to use by executing the following from the PowerShell console:
In our case, weâll use the first path:
Once we download and extract the Invoke-Obfuscation package into our modules directory into a folder called âInvokeObfuscation,â we should be able to import it into our current PowerShell session:
Once weâve imported the Invoke-Obfuscation modules, we can then launch the framework with the InvokeObfuscation command, and are then presented with several different options we can use:
We have several different options we can use to obfuscate our PowerShell commands:
First, in order to tell Invoke-Obfuscation what weâd like to obfuscate exactly, we first need to use the âSET SCRIPTBLOCKâ command.
As an example of a script block we can use, letâs take a standard Net.WebClient download cradle:
The download cradle from the previous slide, when executed on our target, will use the Net.WebClient class, and will download and execute our âGet-ProcessPaths.ps1â script from our attacker machine, which will simply list running processes on our target.
Letâs set that as the âSCRIPTBLOCKâ in Invoke-Obfuscation as the command we want to obfuscate with the âSET SCRIPTBLOCKâ command:
Once weâve told Invoke-Obfuscation what weâd like to obfuscate with the SET SCRIPTBLOCK command, we can select a method weâd like to use. Letâs use the âSTRINGâ method to start as an example. We simply type âSTRINGâ and are presented with several options for that method:
We have three options with the âSTRINGâ obfuscation method. Letâs go with option â3,â the âReverseâ method.
The âREVERSEâ method will first concatenate our PowerShell command line and then reverse the entire string.
Once we select and run the option we want (in this case, â3â), Invoke-Obfuscation presents us with the command it used to create the obfuscated string block, along with the result of the command. Itâs the result of the command we will execute on our target system.
We can just copy and paste the âResultâ output to our target system in a powershell prompt, and it will execute our download cradle.
Letâs take a look at the results of the âENCODINGâ method, which provides a bit more obfuscation, and is a bit harder to detect. Option 7, for example, is the âSpecial Charactersâ encoding.
Again, we simply paste the resulting output into a powershell console on our target machine.
If weâre operating from a windows command prompt on the target, instead of a powershell console, we can use the powershell.exe -Command option to run our obfuscated commands, just encapsulate the result with quotes.
You should experiment with all of the obfuscation options available with Invoke-Obfuscation, thereâs a lot of great stuff in there, and much of it still bypasses most antivirus solutions.
Important :
Something to note while using Invoke-Obfuscation is that if youâve applied a method to a script block, and then re-apply another method, it will append to a previous script block, and essentially create a very large result. Youâll notice this when you try to apply a method and receive a warning about the command exceeding cmd.exeâs maximum command length.
To get around this, after applying one particular encoding method, use the âRESETâ option to clear previous encodings, this way, they wonât âpile upâ on one another.
n addition to obfuscating our PowerShell commands, we can also create obfuscated launcher commands to run our obfuscated code on the target using the âLAUNCHERâ option. For instance, if we want to use WMIC to launch our obfuscated code, we can quickly generate a command to do so. The available LAUNCHER options are:
The process for using the LAUNCHER option is that we first create our obfuscated commands as we did previously:
In this example, weâll assume we followed the above steps, and now select our LAUNCHER command. Weâll choose the RUNDLL method.
And then the command line options weâd like to use as well, in this case, weâll choose â0â for No Execution Flag:
The resulting string, is an obfuscated command that utilizes rundll32.exe with the âSHELL32.DLLâ function (ShellExec_RunDLL) which will launch our obfuscated powershell code on the target:
Invoke-Obfuscation includes a âTutorialâ option if youâre stuck and need some guidance on some of its options.
Encoded Commands :
Although not really a recommended âobfuscationâ method since it can be easily detected by Antivirus and other string heuristics, considering itâs just base64 encoding, is PowerShellâs â EncodedCommand parameter.
The -EncodedCommand parameter allows us to execute encoded commands or script blocks which contain characters which might interfere with the processing of our command via a windows command prompt. In simpler terms, it makes complex commands âdigestibleâ by PowerShell by encoding everything with Base64.
As an example, to encode a command that will add a new user âadmin1â to the local administratorâs group, we can do the following:
We can then get the results of our encoded command with the âWrite-Hostâ cmdlet against our $encodedCommand variable:
We then execute our encoded command with the powershell.exe - EncodedCommand parameter on the target:
Last updated
Was this helpful?