PowerShell Obfuscation

Topics: AMSI | Layer 0 Obfuscation | Breaking Down a Reverse Shell | Stepping Into the Gauntlet | Invoke-PSObfuscation.ps1 | Wrapping Up | Resources

This blog post was originally published by Tristram (aka gh0x0st) on GitHub and has been reposted with permission from the author.

As penetration testers, we use obfuscation in our payloads to bypass various security controls and to buy ourselves time in the event our payload is obtained by a blue team. PowerShell is no exception when it comes to obfuscation. While there exists many different strategies and techniques, some of the more common approaches encapsulate the entire payload within a layer. This inadvertently creates a chokepoint as it makes it easier to break down and tends to get you busted if the presented layer starts get you flagged before the intended payload executes.

PowerShell obfuscation can sometimes be an intimidating topic and frustrating when the common tools start to bust you. What I am looking to do here is to open your eyes to a slightly different approach that could help inspire you to create your very own techniques.


The Windows Antimalware Scan Interface (AMSI) is essentially an API that allows applications (such as anti-virus)

Read More: https://www.offensive-security.com/offsec/powershell-obfuscation/