{"id":13842865,"url":"https://github.com/danielbohannon/Invoke-CradleCrafter","last_synced_at":"2025-07-11T17:32:05.337Z","repository":{"id":41394754,"uuid":"89400033","full_name":"danielbohannon/Invoke-CradleCrafter","owner":"danielbohannon","description":"PowerShell Remote Download Cradle Generator \u0026 Obfuscator","archived":false,"fork":false,"pushed_at":"2018-03-23T12:50:21.000Z","size":380,"stargazers_count":837,"open_issues_count":4,"forks_count":163,"subscribers_count":36,"default_branch":"master","last_synced_at":"2025-05-24T14:22:07.838Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/danielbohannon.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-04-25T19:44:42.000Z","updated_at":"2025-05-08T19:13:51.000Z","dependencies_parsed_at":"2022-08-10T02:07:16.077Z","dependency_job_id":null,"html_url":"https://github.com/danielbohannon/Invoke-CradleCrafter","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/danielbohannon/Invoke-CradleCrafter","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danielbohannon%2FInvoke-CradleCrafter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danielbohannon%2FInvoke-CradleCrafter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danielbohannon%2FInvoke-CradleCrafter/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danielbohannon%2FInvoke-CradleCrafter/manifests","owner_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/owners/danielbohannon","download_url":"https://codeload.github.com/danielbohannon/Invoke-CradleCrafter/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danielbohannon%2FInvoke-CradleCrafter/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264862473,"owners_count":23674981,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:01:48.286Z","updated_at":"2025-07-11T17:32:05.007Z","avatar_url":"https://github.com/danielbohannon.png","language":"PowerShell","funding_links":[],"categories":["PowerShell","PowerShell (153)","Operating Systems"],"sub_categories":["Windows"],"readme":"Invoke-CradleCrafter v1.1\r\n===============\r\n\r\n![Invoke-CradleCrafter Screenshot](https://github.com/danielbohannon/danielbohannon.github.io/blob/master/Invoke-CradleCrafter%20Screenshot.png)\r\n\r\nIntroduction\r\n------------\r\nInvoke-CradleCrafter is a PowerShell v2.0+ compatible PowerShell remote\r\ndownload cradle generator and obfuscator.\r\n\r\nBackground\r\n----------\r\nIn the Fall of 2016 after releasing Invoke-Obfuscation, I continued updating\r\nmy spreadsheet of PowerShell remote download cradles thinking that one day I\r\nmight add a \"cradle selector\" menu into Invoke-Obfuscation. 
This list \r\nconsisted of cradles that were obscure to me, and many of which were not \r\nprevalently (or at all) being observed in the wild.\r\n\r\nHowever, since Invoke-Obfuscation was designed to obfuscate any arbitrary \r\nPowerShell command or script, there are certain obfuscation techniques that \r\nI knew I needed to include with regards to building customized cradles that \r\nwere not feasible to include in Invoke-Obfuscation.\r\n\r\nThis was the point that led me to shift this cradle research into a separate\r\nproject altogether, though you can always take output from Invoke-\r\nCradleCrafter and input it into Invoke-Obfuscation and continue the fun.\r\nSince Invoke-CradleCrafter is much more tightly controlled, it has enabled \r\nme to include obfuscation techniques that are completely unlike any \r\ntechnique found in Invoke-Obfuscation.\r\n\r\nSome of the new obfuscation techniques in this tool include token \r\nobfuscation through data type enumeration and wildcard matching, and the \r\nreordering of command structure by introducing additional variables and \r\nvariable syntaxes.\r\n\r\nLastly, the tool supports 10+ invocation syntaxes that extend beyond the \r\nmost prevalent Invoke-Expression and IEX.\r\n\r\nPurpose\r\n-------\r\nInvoke-CradleCrafter exists to aid Blue Teams and Red Teams in easily \r\nexploring, generating and obfuscating PowerShell remote download cradles.\r\nIn addition, it helps Blue Teams test the effectiveness of detections that \r\nmay work for output produced by Invoke-Obfuscation but may fall short when\r\ndealing with Invoke-CradleCrafter since it does not contain any string\r\nconcatenations, encodings, tick marks, type casting, etc.\r\n\r\nAnother important component of this research and tool development was to \r\neffectively highlight the high-level behavior and artifacts left behind \r\nwhen each cradle is executed. 
I have tried to highlight this information \r\nwhen you first enter a new cradle type in the interactive menus of the tool.\r\n\r\nUltimately, knowing more about each cradle's behavior and artifacts will \r\nhelp the Blue Team better detect these cradles. This knowledge should also\r\nbenefit the Red Teamer in making more informed selections of which cradle \r\nto use in a given scenario.\r\n\r\nUsage\r\n-----\r\nWhile all of the cradles can be produced by directly calling the Out-Cradle\r\nfunction, the complexity of the moving pieces for all of the stacked \r\nobfuscated components makes using the Invoke-CradleCrafter function the \r\neasiest way to explore and visualize the cradle syntaxes and obfuscation \r\ntechniques that this framework currently supports.\r\n\r\nInstallation\r\n------------\r\nThe source code for Invoke-CradleCrafter is hosted at GitHub, and you may\r\ndownload, fork and review it from this repository\r\n(https://github.com/danielbohannon/Invoke-CradleCrafter). Please report issues\r\nor feature requests through GitHub's bug tracker associated with this project.\r\n\r\nTo install:\r\n\r\n\tImport-Module ./Invoke-CradleCrafter.psd1\r\n\tInvoke-CradleCrafter\r\n\r\nLicense\r\n-------\r\nInvoke-CradleCrafter is released under the Apache 2.0 license.\r\n\r\nRelease Notes\r\n-------------\r\nv1.0 - 2017-04-28 x33fcon (Gdynia, Poland): PUBLIC Release of Invoke-CradleCrafter.\r\n\r\nv1.1 - 2017-05-11 NOPcon (Istanbul, Turkey):\r\nAdded 3 new memory-based cradles:\r\n- PsComMsXml\r\n- PsInlineCSharp\r\n- PsCompiledCSharp\r\nAdded 2 disk-based cradles:\r\n- PsBits\r\n- BITSAdmin\r\n\r\nv1.1.1 - 2018-01-08:\r\nAdded 1 new memory-based cradle:\r\n- Certutil -ping\r\nAdded 1 new disk-based cradle:\r\n- Certutil -urlcache\r\n\r\nv1.1.2 - 2018-02-05:\r\nAdded User-Agent strings to cradle info\r\n- Thanks for the PR, 
@mgreen27!\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdanielbohannon%2FInvoke-CradleCrafter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdanielbohannon%2FInvoke-CradleCrafter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdanielbohannon%2FInvoke-CradleCrafter/lists"}