This article shows how to obfuscate a PowerShell command or script for free using Invoke-Obfuscation. We will obfuscate a PowerShell command on a Linux CentOS machine and execute the obfuscated command on a Windows PC.
Invoke-Obfuscation runs under PowerShell, and because Microsoft PowerShell is a cross-platform tool available on many non-Windows platforms, the obfuscator can be used on them as well.
First of all, check whether your machine has microsoft.repo in the /etc/yum.repos.d/ directory. If not, add the Microsoft repository file to /etc/yum.repos.d/:
# curl https://packages.microsoft.com/config/rhel/7/prod.repo | sudo tee /etc/yum.repos.d/microsoft.repo
Now PowerShell can be installed:
# yum install -y powershell
To start PowerShell on Linux, use the pwsh command (not the powershell command used on a Windows machine):
# pwsh
PowerShell 7.1.0
Copyright (c) Microsoft Corporation.
https://aka.ms/powershell
PS /root>
Now install Invoke-Obfuscation:
# git clone https://github.com/danielbohannon/Invoke-Obfuscation
Cloning into 'Invoke-Obfuscation'...
remote: Enumerating objects: 220, done.
remote: Total 220 (delta 0), reused 0 (delta 0), pack-reused 220
Receiving objects: 100% (220/220), 482.83 KiB | 1.65 MiB/s, done.
Resolving deltas: 100% (161/161), done.
Cloning creates the Invoke-Obfuscation directory containing the PowerShell scripts:
# ls Invoke-Obfuscation/
Invoke-Obfuscation.ps1        Out-EncodedOctalCommand.ps1
Invoke-Obfuscation.psd1       Out-EncodedSpecialCharOnlyCommand.ps1
Invoke-Obfuscation.psm1       Out-EncodedWhitespaceCommand.ps1
LICENSE                       Out-ObfuscatedAst.ps1
Out-CompressedCommand.ps1     Out-ObfuscatedStringCommand.ps1
Out-EncodedAsciiCommand.ps1   Out-ObfuscatedTokenCommand.ps1
Out-EncodedBinaryCommand.ps1  Out-PowerShellLauncher.ps1
Out-EncodedBXORCommand.ps1    Out-SecureStringCommand.ps1
Out-EncodedHexCommand.ps1     README.md
Now it is possible to use Invoke-Obfuscation:
# pwsh
PowerShell 7.1.0
Copyright (c) Microsoft Corporation.
https://aka.ms/powershell
PS /root> Import-Module ./Invoke-Obfuscation/
Create a script and obfuscate it with ENCODING\2 (hex):
Invoke-Obfuscation> SET SCRIPTBLOCK Write-Host 'Visit ladydebug.com' -ForegroundColor red
Successfully set ScriptBlock:
Choose one of the below options:
[*] TOKEN Obfuscate PowerShell command Tokens
Invoke-Obfuscation> ENCODING
Choose one of the below Encoding options to APPLY to current payload:
[*] ENCODING\1 Encode entire command as ASCII
Invoke-Obfuscation\Encoding> 2
Result:
Now test the original and the obfuscated commands in Windows PowerShell by copying and pasting these strings:
Both work the same. It is also possible to paste the obfuscated command into Notepad, save it as a script, and then execute the script in PowerShell to get the same result.
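On the detection side, hex encoding like the ENCODING\2 option used above leaves a recognisable shape in script text, for example in PowerShell Script Block Logging records (event ID 4104). The following Python heuristic is an added example, not code from this article or from the Invoke-Obfuscation project: it flags long runs of two-digit hex tokens and decodes them for review. The function names, thresholds and the encoded sample string are constructed assumptions, and the sample is not the tool's exact output.

```python
import re

# >= 8 two-digit hex tokens, each pair separated by one non-hex delimiter character.
HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}[^0-9A-Fa-f'\"]){7,}[0-9A-Fa-f]{2}")
# A base-16 conversion call such as [convert]::ToInt16($_, 16) in the same script.
BASE16_CALL = re.compile(r"toint\d*\s*\(.*?,\s*16\s*\)", re.I | re.S)


def decode_run(run):
    """Turn '57_72_69...' back into the characters it encodes."""
    return "".join(chr(int(tok, 16)) for tok in re.findall(r"[0-9A-Fa-f]{2}", run))


def find_hex_payloads(script_text, min_printable=0.9):
    """Return one finding per hex run that decodes to mostly printable text."""
    findings = []
    hint = bool(BASE16_CALL.search(script_text))
    for match in HEX_RUN.finditer(script_text):
        decoded = decode_run(match.group(0))
        printable = sum(32 <= ord(c) < 127 for c in decoded) / len(decoded)
        if printable >= min_printable:  # skip hex dumps of binary data
            findings.append({"offset": match.start(), "decoded": decoded,
                             "base16_hint": hint})
    return findings


# Constructed samples (not tool output). PLAIN is the command from this article.
PLAIN = "Write-Host 'Visit ladydebug.com' -ForegroundColor red"
HEX = "_".join(f"{ord(c):02x}" for c in PLAIN)
ENCODED = f"('{HEX}' -split '_' | % {{ [char][convert]::ToInt16($_, 16) }}) -join ''"

if __name__ == "__main__":
    for name, text in (("plain", PLAIN), ("encoded", ENCODED)):
        for f in find_hex_payloads(text):
            print(f"{name}: offset {f['offset']} hint={f['base16_hint']} -> {f['decoded']}")
```

A finding with base16_hint set is the stronger signal; a hex run without the conversion call may simply be data and needs context before alerting.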