Going Undercover With Invoke-Obfuscation

In this episode of Hacks Weekly, our cybersecurity expert Adrian demonstrates how hackers avoid penetration test detection by using the Invoke-Obfuscation tool to make their PowerShell commands look unreadable.

Powershell is very often used during penetration tests or during relay attacks. There are many benefits of the tool. For instance, you can use PowerShell to download external code from the Internet and execute it in the memory. I have prepared a small example of it. Let me show you.

How To Use Invoke-Expression?

This is simple hello words I code, nothing malicious. But the point is that this code can do anything. And here we have PowerShell expression. It uses system network client and it’s meant for DownloadString to download a code from the Internet here at pastebin.com, then the code is executed using Invoke-Expression. I have to admit that this code is pretty simple, pretty straightforward. It’s easy to understand but also it’s easy to detect by security tools because it uses some typical classes, typical methods.

There is some URL that it’s referring to and also does an Invoke-Expression. I want to make that payload harder to understand, harder to detect, and I can do that by applying some minor modifications. For instance, I can go and remove this system.part from here because it’s not required. The PowerShell already knows where to look for its classes and I can change the Invoke-Expression into its shorter form which is iex and at the same time I can already mix the letters and make it uppercase, it doesn’t really matter for PowerShell.

Using Set-Variable

The other thing I want to do is to play with the strings. For example, here we have a string that contains a URL. I want to split it. So I can put the codes here and there and in fact, it still works. But I want to do something because I will get this part outside the expression and I will use Set-Variable or its shorter form is V to declare a new variable. Let’s name it somehow, why not? And maybe just use that variable here.

Okay. So now that we have part of the string outside the expression we can try to obfuscate the remaining strings and we could do that by adding the backticks characters in front of them. This will work for some of them, for other ones it will trigger a very special meaning. So be careful. For instance, A is back the character you can’t add a backtic here because you will change this string into something else. But as long as you’re careful you can execute that.

Get-Command Cmdlet

All right, let me now show you something else. There’s Get-Command cmdlet which we can refer to as Gcm as well, that accepts the part of the pattern that you’re looking for. So we can get the new object in a different way but we can also put the whitespace somewhere else. If we do something like that, it will still work and we will get the object that we are looking for. And now we can put that into our expression. So have to use an ampersand to trigger that but then this works as expected. Of course, there are many other things we could do here, for instance, this Invoke-Expression doesn’t have to be in front, it can go at the end. But now I want to introduce you to something else, to a very awesome framework from Daniel Bohannon. The framework is called Invoke-Obfuscation (you can find it here). I have the tool already in my disc so I just have to go to the right directory.

Here we have a bunch of files. I’m interested in the module right now because I want to do Import-Module.psd1. And now I have Invoke-Obfuscation cmdlet. Okay, it’s loaded.

The first thing we want to do is to set the script block. We’re going to use the same script that we’ve been using since the beginning of the video. The script block is set. We can use the function test to test if it’s working. And here we can see that although we haven’t obfuscated anything else it’s being displayed and it works as expected. Now, let’s go to the token submenu. Let’s see what can happen if we go to the string submenu. Here you have options how you can obfuscate these strings. So we’ve been using option number 1 manually. So let’s go with number 2. And this is a result of a function. So it’s slightly harder to see what’s going on right now but you still can see https here, right?

Let’s go back. We can now go to the command submenu and try to obfuscate the commands themselves. Let’s use number three this time. It’s getting harder to understand the payload. Let’s see what argument can do. Again, we have a bunch of options we can do, let’s go with number 4 this time. So we could now go and try other options but maybe let’s do all of them at once. Okay, so this is how our payload looks like right now. We can still test it to make sure it’s still working, and execute as expected.

We can now do something else with string for instance. In this menu, we’ll be working on the payload as a string. Not on particular tokens but on everything at once. We can choose number 3 for instance to reverse everything. We have to agree it’s pretty hard to understand it as it is right now. But let’s try to encode it anyway.

What Does The Compress Option Do?

So there are a couple of options. Let’s go with an Oct all encoding. If we do something like that it’s completely unreadable right now. We can see that this payload still works as expected. Nothing changed in its behavior. Let’s see what the compress option does. So now the string is compressed. Note that every time you do apply modification like that you’re getting a different result. If you’re not satisfied with this one you can undo and apply it again and you’re getting something else. So those are completely different. Of course, it might be hard to re-copy those payloads so instead of copying them you can either receive them to file or for instance use a clip command to copy them to your clipboard. Now we have them available and that way we can also make sure that all is working fine.

Well, let me get back. Lastly, there’s a launcher command. All right, in this menu, you can see a bunch of options that allow you to modify how the payload is launched. For instance, you can even use the HTML application to launch the payload or use rundll++. If we saw something like stdn++ and maybe no execution flags. First of all, we can see the payload but we can also see how handy the way of showing the processes. So this is a process tree. First the cmd is used to set some variable, again cmd and lastly, the PowerShell is executing that.

So far we have seen that this is a great tool to obfuscate the payloads. But it doesn’t make sense to use it if you end up deleting. Of course, use that to verify if the tools can detect those payloads. You can also try to decode them manually to understand some of the tricks and also make sure to check out how PowerShell blocks a lot in your system. Thank you for your attention. If you have any questions, leave them below and see you in the next Hacks Weekly episode!

How attackers may find a way to your infrastructure? Take a CQURE CyberByte training with Paula Januszkiewicz and secure all entries.