-
Notifications
You must be signed in to change notification settings - Fork 209
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Question regarding obfuscation #1
Comments
If you look back at the 1.3 branch, I used to have two methods: local and external. By adding the external argument it would go to Github, download the module and run it. This is obviously a huge opsec no-no as you'd trigger not only AV/EDRs, but any half decent SIEM or IPS/IDS. Running it with the local argument would require the modules to be in the same directory as the .ps1 thus making you obfuscate them, which isn't hard, but just a pain. I was at Derbycon for training with Larry Spohn and Ben Mauch (Ben Ten), and showed Ben, who is a Powershell guru, my script and he thought it was awesome but said I should use invoke-obfuscation, so I did. Here is him retweeting it, if it matters any: https://imgur.com/a/2E69T9B Unfortunately the side-effect of obfuscating code from AV is you hide it from people too, so it's always a question of it's actually installing a RAT or something and obviously I'll say no, but if you don't want to take my word you are more than able to feel free to run Invoke-Obfuscation against the modules used and compare base64 output to the script, it should give the exact output. I'll include a few screenshots of this as well, but of course there will always be skepticism (as there should be). Initially I just wanted to just call down Invoke-Obfuscation then obfuscate the modules live, in the script. The problem with that is there is a hard-coded limit to output for Invoke-Obfuscation, with a default of 8900ish, as that is the limit for command prompt, so in order to get a full obfuscated script, you have to edit Invoke-Obfuscation to increase the output limit. If you're still skeptical, 1.3 still works, so just download the modules yourself and include them in the same folder as the script and run it with the local argument and it will use the modules you downloaded, which of course you can obfuscate yourself. |
Thanks for the explanation, that's pretty clear and faith entrusting. |
I completely understand the want to have this obfuscated, but since github has the feature of branches. Do you think you could possibly keep another branch in sync with master that is the unobfuscated branch, so we could possibly contribute to the code without having to deobfuscate? I don't know if that is what you were planning on doing with 1.3 branch, but I just checked that and it says that it is 16 commits behind right now. |
Why exactly is this obfuscated? I would be crazy to run what is random gibberish because "someone on the internet posted a VirusTotal screenshot" and pray it's not malicious.
The text was updated successfully, but these errors were encountered: