Simple but effective PowerShell obfuscation techniques

Travis Skeel
Apr 30, 2020

Some background:

Windows PowerShell is a popular tool for performing admin tasks and, like any useful tool, can be leveraged by adversaries. On the defensive side, Windows PowerShell can be logged, and many tools have detections in place for common nefarious PowerShell commands. PowerShell is still popular, but with the increase in detection it may not be as undetectable as other tactics. The technique below can help avoid some detection, but as always you need to evaluate your target before selecting your techniques.

Using what’s there:

PowerShell supports running base64-encoded commands using the EncodedCommand option, as mentioned in the PowerShell help.

To generate a base64-encoded command or string with PowerShell, use the ToBase64String method like this:
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'secure-tactics.com'"))

This will output the encoded version of the quoted string ('secure-tactics.com' in this case).

Longer example:

An easy way to encode a command or multi-part string is to set it as a variable and then pass it.

$Command = '(New-Object System.Net.WebClient).DownloadFile("https://www.secure-tactics.com/", "C:\temp\out.txt")'

$Encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Command))

To run: powershell.exe -encoded $Encoded
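From the defender's side, the encoding above is reversible by anyone who sees the process command line. The following is an added example, not code from the original post: a Python sketch that finds the encoded argument in a logged command line, decodes it as UTF-16LE and checks it against a keyword list. The function names, the sample log lines and the keyword list are assumptions made for illustration.

```python
import base64

# Constructed sample: the example command from this page, encoded the way
# [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes(...)) does.
PAGE_COMMAND = r'(New-Object System.Net.WebClient).DownloadFile("https://www.secure-tactics.com/", "C:\temp\out.txt")'
PAGE_B64 = base64.b64encode(PAGE_COMMAND.encode("utf-16-le")).decode("ascii")

# Constructed process command lines, as a process-creation log would record them.
SAMPLE_LOG = [
    f"powershell.exe -encoded {PAGE_B64}",
    f"powershell.exe -NoProfile -ec {PAGE_B64}",
    r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
]

# Illustrative keyword list (an assumption, not a complete rule set).
KEYWORDS = ("net.webclient", "downloadfile", "downloadstring", "invoke-expression")


def find_encoded_argument(command_line):
    """Return the base64 value following -EncodedCommand or one of its short forms."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok[1:].lower()
        # powershell.exe accepts prefixes of the parameter name (-e, -enc, -encoded) and -ec.
        if tok[0] in "-/" and name and ("encodedcommand".startswith(name) or name == "ec"):
            return tokens[i + 1].strip("\"'")
    return None


def decode_encoded_command(b64):
    """Decode base64 to text as UTF-16LE ('Unicode' in .NET); None if it is not valid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def triage(command_line):
    """Return the decoded script and keyword hits, or None when nothing is encoded."""
    b64 = find_encoded_argument(command_line)
    if b64 is None:
        return None
    script = decode_encoded_command(b64)
    hits = [k for k in KEYWORDS if script and k in script.lower()]
    return {"decoded": script, "hits": hits}


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(triage(line))
```

Matching on the parameter prefix rather than the literal string "-EncodedCommand" matters because the short forms are what usually appear in logs.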

Taking it further:

Looking for more than simple base64 encoding? Enter Invoke-Obfuscation. Invoke-Obfuscation is an open source PowerShell command and script obfuscator available on GitHub.

Setup takes just a few steps:

Open PowerShell as admin

Download Invoke-Obfuscation from GitHub and unzip it

Import the module using Import-Module .\Invoke-Obfuscation.psd1

Start the tool by running Invoke-Obfuscation

Usage example:

Note: You can review the built-in help by entering ‘tutorial’

To get started, set your command using SET SCRIPTBLOCK:

Invoke-Obfuscation> set scriptblock Write-Host '(New-Object System.Net.WebClient).DownloadFile("https://www.secure-tactics.com/", "C:\temp\out.txt")'

Then use the menus to select the different obfuscation methods, and the encoded output will be printed out. Example using STRING:

This is just one example, but Invoke-Obfuscation has many options and combinations to leverage.
