This article explores manual obfuscation techniques for PowerShell scripts, primarily focusing on bypassing AMSI detection. It covers various methods such as string extraction, reversing strings, encoding, and combining tactics to obscure code effectively while noting the educational intention and ethical considerations. Affected: PowerShell, AMSI

Keypoints :

Manual obfuscation techniques are discussed with a focus on PowerShell scripts.
Methods include string extraction to variables and reversing strings.
Encoding techniques like Base64 and ROT13 are utilized to hide data.
Using character codes and regex for evasion instead of spelling out sensitive terms.
Combining different obfuscation tactics yields more effective results.
Emphasis on legal and ethical usage of the techniques for penetration testing.
Code examples progressively escalate in complexity and obscurity.

MITRE Techniques :

T1027 – Obfuscated Files or Information: PowerShell scripts are obfuscated by extracting strings and encoding methods.
T1071.001 – Application Layer Protocol: Combining methods of string manipulation (encoding and reversing) to communicate with system components.

Full Story: https://infosecwriteups.com/manual-obfuscation-in-powershell-2778a3b3fb6f?source=rss—-7b722bfd1b8d—4 )

Combining methods

Some tactics are more effective then others, but in my experience the best results are achieved by combining them. For example, the above obfuscation techniques can be combined to hide the AMSI breaker mentioned earlier, evading detection.

Example one:

The following obfuscated script does the same as the example mentioned in the disclaimer, but applies the following techniques:

Extract strings to prevent spelling out amsiInitFailed.
Reverse citatS,cilbuPnoN to NonPublic,Static.
Find AmsiUtils in the Assembly using character codes.
Using Invoke to call functions instead of directly invoking them.

Example two:

The following example may be a bit harder to read, so I will explain it line by line:

Create a lambda function which reverses a string.
Create a lambda function which creates a string based on a regex group search. It expects a search string, pattern, start group and end group.
The data where the needed characters are hidden. In this example: 'Always make sure it utilises obfuscation! Initially get past some failed attempts!'
Extracting the AmsiUtils type from the assembly using parts from the $data string found using regex.
Extracting the amsiInitFailed function using a reversed NonPublic,Static and another regex call.
Invoking the function.

As seen below, this effectively disables the detection of the AMSI test sample string:

Figure 1: Demonstration of obfuscated example two

Testing

When entering one of the following strings, depending on your EDR and Windows version, AMSI may trigger. Use above tricks to experiment with bypassing the detection!

Sources

https://cyberchef.org
https://regex101.com
https://www.blackhillsinfosec.com/is-this-thing-on/

Originally posted at https://pampuna.nl/blog/2024/12/manual-obfuscation-in-powershell.html

[/hidden_content]

Full Story: https://infosecwriteups.com/manual-obfuscation-in-powershell-2778a3b3fb6f?source=rss—-7b722bfd1b8d—4 , 1, 6)) });
$target = $utils.GetFields.Invoke($reverse.invoke(‘citatS,cilbuPnoN’, ‘RightToLeft’)) | Where { $_.Name -like “*$($reg.invoke($data, ‘!s(.{4})(?:w+s){4}(w{6}).+’, 1, 2))” };
$target.SetValue.Invoke($null, $true);

As seen below, this effectively disables the detection of the AMSI test sample string:

Figure 1: Demonstration of obfuscated example two

Testing

When entering one of the following strings, depending on your EDR and Windows version, AMSI may trigger. Use above tricks to experiment with bypassing the detection!

Sources

https://cyberchef.org
https://regex101.com
https://www.blackhillsinfosec.com/is-this-thing-on/

Originally posted at https://pampuna.nl/blog/2024/12/manual-obfuscation-in-powershell.html

[/hidden_content]

Full Story: https://infosecwriteups.com/manual-obfuscation-in-powershell-2778a3b3fb6f?source=rss—-7b722bfd1b8d—4 )

Combining methods

Example one:

The following obfuscated script does the same as the example mentioned in the disclaimer, but applies the following techniques:

Extract strings to prevent spelling out amsiInitFailed.
Reverse citatS,cilbuPnoN to NonPublic,Static.
Find AmsiUtils in the Assembly using character codes.
Using Invoke to call functions instead of directly invoking them.

Example two:

The following example may be a bit harder to read, so I will explain it line by line:

Create a lambda function which reverses a string.
Create a lambda function which creates a string based on a regex group search. It expects a search string, pattern, start group and end group.
The data where the needed characters are hidden. In this example: 'Always make sure it utilises obfuscation! Initially get past some failed attempts!'
Extracting the AmsiUtils type from the assembly using parts from the $data string found using regex.
Extracting the amsiInitFailed function using a reversed NonPublic,Static and another regex call.
Invoking the function.

As seen below, this effectively disables the detection of the AMSI test sample string:

Figure 1: Demonstration of obfuscated example two

Testing

When entering one of the following strings, depending on your EDR and Windows version, AMSI may trigger. Use above tricks to experiment with bypassing the detection!

Sources

https://cyberchef.org
https://regex101.com
https://www.blackhillsinfosec.com/is-this-thing-on/

Originally posted at https://pampuna.nl/blog/2024/12/manual-obfuscation-in-powershell.html

[/hidden_content]

Full Story: https://infosecwriteups.com/manual-obfuscation-in-powershell-2778a3b3fb6f?source=rss—-7b722bfd1b8d—4

Tags: PENETRATION, WINDOWS, TOOL, EDR

Manual Obfuscation in PowerShell

Combining methods

Example one:

Example two:

Testing

Sources

Testing

Sources

Combining methods

Example one:

Example two:

Testing

Sources