{"id":13704919,"url":"https://github.com/danielbohannon/Invoke-Obfuscation","last_synced_at":"2025-05-05T12:32:39.333Z","repository":{"id":37768364,"uuid":"69141905","full_name":"danielbohannon/Invoke-Obfuscation","owner":"danielbohannon","description":"PowerShell Obfuscator","archived":false,"fork":false,"pushed_at":"2023-08-10T23:49:06.000Z","size":480,"stargazers_count":3739,"open_issues_count":13,"forks_count":768,"subscribers_count":138,"default_branch":"master","last_synced_at":"2024-11-11T17:02:31.896Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/danielbohannon.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2016-09-25T03:38:02.000Z","updated_at":"2024-11-10T22:05:40.000Z","dependencies_parsed_at":"2024-01-23T16:10:40.214Z","dependency_job_id":"6c87cc27-d6bd-4351-a01e-189c6722a382","html_url":"https://github.com/danielbohannon/Invoke-Obfuscation","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danielbohannon%2FInvoke-Obfuscation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danielbohannon%2FInvoke-Obfuscation/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danielbohannon%2FInvoke-Obfuscation/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danielbohannon%2FInvoke-Obfuscation/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/d
anielbohannon","download_url":"https://codeload.github.com/danielbohannon/Invoke-Obfuscation/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224448781,"owners_count":17313116,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T22:00:26.097Z","updated_at":"2024-11-13T12:31:10.259Z","avatar_url":"https://github.com/danielbohannon.png","language":"PowerShell","funding_links":[],"categories":["🛡️ Security","PowerShell","Security"],"sub_categories":[],"readme":"Invoke-Obfuscation v1.8\r\n===============\r\n\r\n![Invoke-Obfuscation Screenshot](https://github.com/danielbohannon/danielbohannon.github.io/blob/master/Invoke-Obfuscation%20Screenshot.png)\r\n\r\nIntroduction\r\n------------\r\nInvoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command\r\nand script obfuscator.\r\n\r\nBackground\r\n----------\r\nIn the Fall of 2015 I decided to begin researching the flexibility of\r\nPowerShell's language and began cataloguing the various ways to\r\naccomplish a handful of common techniques that most attackers use on a\r\nregular basis.\r\n\r\nInitially focusing on encoded command and remote download cradle syntaxes,\r\nI discovered that various escape characters that did not hinder the\r\nexecution of the command persisted in the command line arguments, both in\r\nthe running process as well as what is logged in Security EID 4688 and\r\nSysmon EID 1 event logs. 
This led me to systematically explore ways of\r\nobfuscating each kind of \"token\" found in any PowerShell command or script.\r\n\r\nI then explored more obscure ways to perform string-level obfuscation,\r\nvarious encoding/encrypting techniques (like ASCII/hex/octal/binary and even\r\nSecureString), and finally PowerShell launch techniques to abstract the\r\ncommand line arguments from powershell.exe and to push it back to the parent\r\nand even grandparent process.\r\n\r\nPurpose\r\n-------\r\nAttackers and commodity malware have started using extremely basic\r\nobfuscation techniques to hide the majority of the command from the command\r\nline arguments of powershell.exe. I developed this tool to aid the Blue Team\r\nin simulating obfuscated commands based on what I currently know to be\r\nsyntactically possible in PowerShell 2.0-5.0 so that they can test their\r\ndetection capabilities of these techniques.\r\n\r\nThe tool's sole purpose is to break any assumptions that we as defenders may\r\nhave concerning how PowerShell commands can appear on the command line. My\r\nhope is that it will encourage the Blue Team to shift to looking for\r\nIndicators of Obfuscation on the command line in addition to updating\r\nPowerShell logging to include Module, ScriptBlock and Transcription logging\r\nas these sources simplify most aspects of the obfuscation techniques\r\ngenerated by this tool.\r\n\r\nUsage\r\n-----\r\nWhile all of the layers of obfuscation have been built out into separate\r\nscripts, most users will find the `Invoke-Obfuscation` function to be the\r\neasiest way to explore and visualize the obfuscation techniques that this\r\nframework currently supports.\r\n\r\nInstallation\r\n------------\r\nThe source code for Invoke-Obfuscation is hosted at GitHub, and you may\r\ndownload, fork and review it from this repository\r\n(https://github.com/danielbohannon/Invoke-Obfuscation). 
Please report issues\r\nor feature requests through GitHub's bug tracker associated with this project.\r\n\r\nTo install:\r\n\r\n\tImport-Module ./Invoke-Obfuscation.psd1\r\n\tInvoke-Obfuscation\r\n\r\nLicense\r\n-------\r\nInvoke-Obfuscation is released under the Apache 2.0 license.\r\n\r\nRelease Notes\r\n-------------\r\nv1.0 - 2016-09-25 DerbyCon 6.0 (Louisville, Kentucky USA): PUBLIC Release of Invoke-Obfuscation.\r\n\r\nv1.1 - 2016-10-09 SANS DFIR Summit (Prague, Czech Republic): Added -f format operator re-ordering \r\nfunctionality to all applicable TOKEN obfuscation functions. Also added additional \r\nsyntax options for setting variable values.\r\n\r\nv1.2 - 2016-10-20 CODE BLUE (Tokyo, Japan): Added Type TOKEN obfuscation (direct type \r\ncasting with string obfuscation options for type name).\r\n\r\nv1.3 - 2016-10-22 Hacktivity (Budapest, Hungary): Added two new LAUNCHERs: CLIP+ and CLIP++. \r\nAlso added additional (and simpler) array char conversion syntax for all ENCODING \r\nfunctions that does not require ForEach-Object/%.\r\n\r\nv1.4 - 2016-10-28 BruCON (Ghent, Belgium): Added new BXOR ENCODING function. Also enhanced \r\nrandomized case for all components of all ENCODING functions as well as for \r\nPowerShell execution flags for all LAUNCHERs. 
Finally, added -EP shorthand option \r\nfor -ExecutionPolicy to all LAUNCHERs as well as the optional integer representation \r\nof the -WindowStyle PowerShell execution flag: Normal (0), Hidden (1), Minimized (2), \r\nMaximized (3).\r\n\r\nv1.5 - 2016-11-04 Blue Hat (Redmond, Washington USA): Added WMIC LAUNCHER with some \r\nrandomization of WMIC command line arguments.\r\n\r\nv1.6 - 2017-01-24 Blue Hat IL (Tel Aviv, Israel):\r\n- Added CLI functionality:\r\nE.g., Invoke-Obfuscation -ScriptBlock {Write-Host 'CLI FTW!'} -Command 'Token\\All\\1,\r\nEncoding\\1,Launcher\\Stdin++\\234,Clip' -Quiet -NoExit\r\n- Added UNDO functionality to remove one layer of obfuscation at a time.\r\n- Removed Whitespace obfuscation from Token\\All\\1 to speed up large script obfuscation.\r\n- Added Process Argument Tree output for all launchers to aid defenders.\r\n- Added base menu auto-detect functionality to avoid needing to use BACK or HOME:\r\nE.g., if you ran TOKEN then ALL then 1, then just type LAUNCHER and you will get to \r\nthe LAUNCHER menu without needing to type HOME or BACK to get back to the home menu.\r\n- Added multi-command syntax utilized by CLI and interactive mode:\r\nE.g., Token\\All\\1,String\\3,Encoding\\5,Launcher\\Ps\\234,Clip\r\n- Added regex capability to all menu and obfuscation commands:\r\nE.g., Token\\*\\*,String\\[13],Encoding\\(1|6),Launcher\\.*[+]{2}\\234,Clip\r\n- Added OUT FILEPATH single command functionality.\r\n- Added decoding if powershell -enc syntax is entered as a SCRIPTBLOCK value.\r\n- Added alias ForEach to ForEach-Object/% randomized syntax options in all ENCODING \r\nfunctions.\r\n- Added -Key -Ke -K KEY substring syntax options to Out-SecureStringCommand.ps1.\r\n- Added more thorough case randomization to all \\Home\\String obfuscation functions.\r\n- Added -ST/-STA (Single-Threaded Apartment) flags to CLIP+ and CLIP++ launcher \r\nfunctions since they are required if running on PowerShell 2.0.\r\n- Added Get-Item/GI/Item syntax 
everywhere where Get-ChildItem is used to get \r\nvariable values.\r\n- Added Set-Item variable instantiation syntax to TYPE obfuscation function.\r\n- Added additional Invoke-Expression/IEX syntax using PowerShell automatic variables \r\nand environment variable value concatenations in Out-ObfuscatedStringCommand.ps1's \r\nOut-EncapsulatedInvokeExpression function and copied to all launchers, STRING and \r\nENCODING functions to add numerous command-line syntaxes for IEX.\r\n- Added two new JOIN syntaxes for String\\Reverse and all ENCODING obfuscation options:\r\n1) Added [String]::Join('',$string) JOIN syntax\r\n2) Added OFS-variable JOIN syntax (Output Field Separator automatic variable)\r\n- Added two more SecureString syntaxes to Encoding\\5:\r\n1) PtrToStringAnsi / SecureStringToGlobalAllocAnsi\r\n2) PtrToStringBSTR / SecureStringToBSTR\r\n- Added six GetMember alternate syntaxes for several SecureString members:\r\n1) PtrToStringAuto, ([Runtime.InteropServices.Marshal].GetMembers()[3].Name).Invoke\r\n2) PtrToStringAuto, ([Runtime.InteropServices.Marshal].GetMembers()[5].Name).Invoke\r\n3) PtrToStringUni , ([Runtime.InteropServices.Marshal].GetMembers()[2].Name).Invoke\r\n4) PtrToStringUni , ([Runtime.InteropServices.Marshal].GetMembers()[4].Name).Invoke\r\n5) PtrToStringAnsi, ([Runtime.InteropServices.Marshal].GetMembers()[0].Name).Invoke\r\n6) PtrToStringAnsi, ([Runtime.InteropServices.Marshal].GetMembers()[1].Name).Invoke\r\n- Updated Out-ObfuscatedTokenCommand.ps1 so that VARIABLE obfuscation won't \r\nencapsulate variables in ${} if they are already encapsulated (so ${${var}} won't \r\nhappen as this causes errors).\r\n- Replaced Invoke-Obfuscation.psm1 with Invoke-Obfuscation.psd1 (thanks @Carlos_Perez).\r\n- Fixed several TOKEN-level obfuscation bugs reported by @cobbr_io and @IISResetMe.\r\n\r\nv1.7 - 2017-03-03 nullcon (Goa, India):\r\n- Added 3 new LAUNCHERs: RUNDLL, RUNDLL++ and MSHTA++\r\n- Added additional ExecutionContext wildcard variable 
strings\r\n\r\nv1.8 - 2017-07-27 Black Hat (Las Vegas, Nevada USA):\r\n- Added 2 new ENCODING options: Special Characters and Whitespace\r\n\r\nv1.8.1 - 2017-12-19:\r\n- Added COMPRESS function for easier conversion of multi-line scripts to a one-liner \r\ncommand while drastically reducing the command length for cmd.exe command line length \r\nlimitation purposes.\r\n\r\nv1.8.2 - 2018-01-04:\r\n- Added AST obfuscation functions, which obfuscate by manipulating the structure of\r\nthe AbstractSyntaxTree without using many special characters.\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdanielbohannon%2FInvoke-Obfuscation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdanielbohannon%2FInvoke-Obfuscation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdanielbohannon%2FInvoke-Obfuscation/lists"}