Changelog Invoke-Obfuscation v1.5 – 2016-11-04:
* BlueHat: Added WMIC LAUNCHER with some randomization of WMIC command line arguments.
Attackers and commodity malware have started using extremely basic obfuscation techniques to hide the majority of the command from the command-line arguments of powershell.exe. I developed this tool to help the Blue Team simulate obfuscated commands, based on what I currently know to be syntactically possible in PowerShell 2.0-5.0, so that they can test how well they detect these techniques.
The tool's sole purpose is to break any assumptions that we as defenders may have about how PowerShell commands can appear on the command line. My hope is that it will encourage the Blue Team to look for Indicators of Obfuscation on the command line, and to update PowerShell logging to include Module, ScriptBlock and Transcription logging, since those log sources see through most of the obfuscation techniques this tool generates.
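As an added example (not part of Invoke-Obfuscation or this changelog), the following Python sketch scores process command lines for a few lexical Indicators of Obfuscation of the kind the paragraph above refers to, including an -EncodedCommand payload decoded and inspected and a WMIC launcher wrapper. The patterns, the ratio threshold, the hit count and the sample command lines are constructed assumptions for illustration, not tuned detection content.

```python
import base64
import re

# Lexical indicators of obfuscation on a powershell.exe command line.
# Patterns and thresholds are illustrative assumptions, not tuned baselines.
INDICATORS = {
    "backtick_escape":   re.compile(r"`"),                      # I`E`X
    "string_concat":     re.compile(r"['\"]\s*\+\s*['\"]"),     # 'Get-'+'Process'
    "format_operator":   re.compile(r"['\"]\s*-f\s", re.I),     # "{1}{0}" -f 'b','a'
    "char_cast":         re.compile(r"\[char\]", re.I),         # [char]73+[char]69
    "encoded_command":   re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s", re.I),
    "invoke_expression": re.compile(r"\bi`?e`?x\b|invoke-expression", re.I),
    "wmic_launcher":     re.compile(r"\bwmic\b.*\bprocess\b.*\bcreate\b", re.I),
}
RATIO_THRESHOLD = 0.25  # assumed: share of non-alphanumeric, non-space characters

def special_char_ratio(cmdline: str) -> float:
    """Fraction of characters that are neither alphanumeric nor whitespace."""
    specials = sum(1 for ch in cmdline if not (ch.isalnum() or ch.isspace()))
    return specials / len(cmdline) if cmdline else 0.0

def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE text behind an -EncodedCommand argument, or ''."""
    m = re.search(r"\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def obfuscation_indicators(cmdline: str) -> set:
    """Indicator categories hit by the raw line and by its decoded payload."""
    texts = [cmdline, decode_encoded_command(cmdline)]
    hits = {name for name, rx in INDICATORS.items() for t in texts if t and rx.search(t)}
    if special_char_ratio(cmdline) > RATIO_THRESHOLD:
        hits.add("high_special_char_ratio")
    return hits

def is_obfuscated(cmdline: str, min_hits: int = 2) -> bool:
    """Flag a line when at least min_hits distinct indicator categories fire."""
    return len(obfuscation_indicators(cmdline)) >= min_hits

# Constructed sample command lines (not real telemetry).
SAMPLES = [
    'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    "powershell.exe -w hidden -c I`E`X ('Get-'+'Pro'+'cess')",
    """powershell.exe -c &("{1}{0}" -f 'em','Get-It') C:\\Windows""",
    'wmic process call create "powershell -enc SQBFAFgA"',  # SQBFAFgA is UTF-16LE "IEX"
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(is_obfuscated(line), sorted(obfuscation_indicators(line)), line)
```

Counting distinct categories rather than raw matches keeps one stray backtick from flagging a benign line, while the decoded payload is scored with the same patterns so an encoded IEX is not missed.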
git clone https://github.com/danielbohannon/Invoke-Obfuscation && cd Invoke-Obfuscation
cd [Your Path]
git pull origin master