{
	"id": "4b6850a2-e859-4c4c-a4f1-8f3001e271d2",
	"created_at": "2026-04-06T00:10:41.618553Z",
	"updated_at": "2026-04-10T03:21:41.263615Z",
	"deleted_at": null,
	"sha1_hash": "729ef878680ea18af51d7b979b9c49e0b59deaad",
	"title": "GitHub - danielbohannon/Revoke-Obfuscation: PowerShell Obfuscation Detection Framework",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 125582,
	"plain_text": "GitHub - danielbohannon/Revoke-Obfuscation: PowerShell\r\nObfuscation Detection Framework\r\nBy LeeHolmes\r\nArchived: 2026-04-05 20:28:32 UTC\r\nhttps://github.com/danielbohannon/Revoke-Obfuscation\r\nPage 1 of 6\n\nIntroduction\r\nRevoke-Obfuscation is a PowerShell v3.0+ compatible PowerShell obfuscation detection framework.\r\nAuthors\r\nDaniel Bohannon (@danielhbohannon) Lee Holmes (@Lee_Homes)\r\nResearch\r\nBlog Post: https://www.fireeye.com/blog/threat-research/2017/07/revoke-obfuscation-powershell.html\r\nWhite Paper: https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf\r\nBackground\r\nIn the Fall of 2016 and Spring of 2017, Daniel Bohannon (@danielhbohannon) released Invoke-Obfuscation and\r\nInvoke-CradleCrafter, two open-source PowerShell obfuscation frameworks. The goal of this research and these\r\nframeworks was to highlight the limitations of a purely signature-based approach to detecting attackers' usage of\r\nPowerShell. 
The core message to defenders has been to focus on detecting Indicators of Obfuscation in addition\r\nto known suspicious syntax.\r\nHowever, the extreme levels of randomization in Invoke-Obfuscation and Invoke-CradleCrafter paired with the\r\ntoken-layer obfuscation options that are not deobfuscated in PowerShell's script block logging have led defenders\r\nto look for a new, scalable means of generically detecting both known and unknown obfuscation techniques.\r\nA few weeks after the release of Invoke-Obfuscation, Lee Holmes (@Lee_Homes) authored a blog post entitled\r\nMore Detecting Obfuscated PowerShell in which he highlighted statistical analysis techniques to detect\r\nanomalous features found in heavily obfuscated scripts, specifically those produced by Invoke-Obfuscation.\r\nSince this exchange, Daniel and Lee became good friends and shared many common interests/obsessions --\r\nnamely, a love of fine coffee and the pursuit of creating new ways to thoroughly detect obfuscated PowerShell.\r\nThe amount of time both Blue Teamers spent pouring over research and POC code would equate to several\r\nthousand cups of Chemex-brewed coffee assuming the proper 4-minute target brew time (assuming at least one\r\nother coffee enthusiast picked up on this \"pour over\" pun).\r\nRevoke-Obfuscation is the final hand-crafted product of these efforts.\r\nPurpose\r\nRevoke-Obfuscation is an open-source PowerShell v3.0+ framework for detecting obfuscated PowerShell\r\ncommands and scripts at scale. It relies on PowerShell's AST (Abstract Syntax Tree) to rapidly extract thousands\r\nof features from any input PowerShell script and compare this feature vector against one of several pre-defined\r\nweighted feature vectors computed through an automated learning process conducted against a corpus of 408K+\r\nPowerShell scripts. This full corpus can be downloaded from (https://aka.ms/PowerShellCorpus). 
You can find the\r\ndetails behind the data science aspects of this work in the 'DataScience' subdirectory of the repository.\r\nSince Revoke-Obfuscation relies on feature extraction and comparison instead of pure IOCs or RegEx matching,\r\nit is more robust in its ability to identify unknown obfuscation techniques even when attackers attempt to subdue\r\ntheir obfuscation by padding it with unobfuscated script contents to defeat basic checks like character\r\nfrequency analysis.\r\nRevoke-Obfuscation can easily measure most input PowerShell scripts within 100-300 milliseconds. This level of\r\nperformance allows an organization to measure the obfuscation of (at worst) 12K+ PowerShell scripts per hour\r\nwithout the need to index verbose PowerShell script block logs in a SIEM.\r\nLastly, Revoke-Obfuscation supports easy whitelisting functionality along with the ability to ingest PowerShell\r\nOperational event log records and reassemble script blocks that are recorded across numerous script block EID\r\n4104 records. It can easily become a one-stop shop for ingesting an environment's PowerShell Operational event\r\nlogs, reassembling and de-duplicating all scripts within those logs, and then identifying obfuscated PowerShell scripts\r\nthat deserve manual inspection.\r\nInstallation\r\nThe source code for Revoke-Obfuscation is hosted at Github, and you may download, fork and review it from this\r\nrepository (https://github.com/danielbohannon/Revoke-Obfuscation). 
Please report issues or feature requests\r\nthrough Github's bug tracker associated with this project.\r\nTo install (from Github):\r\nImport-Module .\\Revoke-Obfuscation.psd1\r\nThe source code can also be installed directly from the PowerShell Gallery via the following commands:\r\nTo install (from PowerShell Gallery):\r\nInstall-Module Revoke-Obfuscation\r\nImport-Module Revoke-Obfuscation\r\nUsage\r\nRevoke-Obfuscation will provide a detailed tutorial as well as a few other fun surprises. But if you are not into\r\nthe lulz then you can simply run Get-Help Measure-RvoObfuscation to see usage syntax or just continue reading.\r\nThere are two primary functions used in this framework:\r\nGet-RvoScriptBlock -- reassembles scripts from EID 4104 script block logs\r\nMeasure-RvoObfuscation -- measures input script(s) and returns obfuscation score\r\nIf you need to reassemble and extract script block logs from PowerShell Operational logs then Get-RvoScriptBlock is your function of choice. It automatically returns only unique script blocks and excludes certain\r\ndefault script block values deemed not malicious. This can be overridden with the -Deep switch.\r\nGet-RvoScriptBlock -Path 'C:\\Windows\\System32\\Winevt\\Logs\\Microsoft-Windows-PowerShell%4Operational.evtx' -Verbose\r\nGet-ChildItem .\\Demo\\demo.evtx | Get-RvoScriptBlock -Verbose\r\nGet-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | Get-RvoScriptBlock -Verbose\r\nGet-RvoScriptBlock also supports MIR/HX audit results as well as PowerShell Operational logs retrieved via\r\nMatt Graeber's (@mattifestation) CimSweep project (https://github.com/PowerShellMafia/CimSweep). For\r\nCimSweep there is a minor registry tweak required to trick WMI into querying a non-classic event log. 
Details can\r\nbe found in the NOTES section of Get-RvoScriptBlock.\r\nGet-ChildItem C:\\MirOrHxAuditFiles\\*_w32eventlogs.xml | Get-RvoScriptBlock -Verbose\r\nGet-CSEventLogEntry -LogName Microsoft-Windows-PowerShell/Operational | Get-RvoScriptBlock\r\nA full example against test data recorded in demo.evtx can be found below:\r\n$obfResults = Get-WinEvent -Path .\\Demo\\demo.evtx | Get-RvoScriptBlock | Measure-RvoObfuscation -OutputToDisk -\r\nA full example against local and remotely hosted test scripts can be found below:\r\nMeasure-RvoObfuscation -Url 'http://bit.ly/DBOdemo1' -Verbose -OutputToDisk\r\nGet-Content .\\Demo\\DBOdemo*.ps1 | Measure-RvoObfuscation -Verbose -OutputToDisk\r\nGet-ChildItem .\\Demo\\DBOdemo*.ps1 | Measure-RvoObfuscation -Verbose -OutputToDisk\r\nThe -OutputToDisk switch will automatically output all obfuscated scripts to .\\Results\\Obfuscated. Regardless,\r\nall results will be returned as PSCustomObjects containing the script content along with metadata like an\r\nobfuscation score, measurement time, whitelisting result, all extracted script features, etc.\r\nThree whitelisting options exist in two locations in Revoke-Obfuscation:\r\n1. On Disk (automatically applied if present):\r\n1. .\\Whitelist\\Scripts_To_Whitelist\\ -- All scripts placed in this directory will be hashed and any\r\nidentical scripts will be whitelisted. This whitelisting method is preferred over the next two\r\noptions.\r\n2. .\\Whitelist\\Strings_To_Whitelist.txt -- A script containing ANY of the strings in this file will be\r\nwhitelisted. Syntax: Rule_Name,string_to_whitelist\r\n3. .\\Whitelist\\Regex_To_Whitelist.txt -- A script containing ANY of the regular expressions in this\r\nfile will be whitelisted. Syntax: Rule_Name,regex_to_whitelist\r\n2. Arguments for Measure-RvoObfuscation (applied in addition to above whitelisting options):\r\n1. 
-WhitelistFile -- -WhitelistFile .\\files\\*.ps1,.\\more_files\\*.ps1,.\\one_more_file.ps1\r\n2. -WhitelistContent -- -WhitelistContent 'string 1 to whitelist','string 2 to whitelist'\r\n3. -WhitelistRegex -- -WhitelistRegex 'regex 1 to whitelist','regex 2 to whitelist'\r\nIf interested in creating your own set of training data and generating a weighted vector for the Measure-Vector\r\nfunction, then ModelTrainer.cs/ModelTrainer.exe can be executed against a labeled data set. The following\r\ncommand will extract feature vectors from all input scripts and aggregate them into a single CSV used in this\r\ntraining phase:\r\nGet-ChildItem .\\*.ps1 | ForEach-Object { [PSCustomObject](Get-RvoFeatureVector -Path $_.FullName) | Export-Csv\r\nLastly, if looking for a platform for creating indicators (IOCs) that harness the power of PowerShell's AST\r\n(Abstract Syntax Tree) -- which we would highly recommend for identifying malicious PowerShell activity that is\r\nNOT obfuscated -- then PS Script Analyzer is an excellent framework designed to handle such tasks.\r\nLicense\r\nRevoke-Obfuscation is released under the Apache 2.0 license.\r\nRelease Notes\r\nv1.0 - 2017-07-27 Black Hat USA \u0026 2017-07-30 DEF CON: PUBLIC Release of Revoke-Obfuscation.\r\nSource: https://github.com/danielbohannon/Revoke-Obfuscation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://github.com/danielbohannon/Revoke-Obfuscation"
	],
	"report_names": [
		"Revoke-Obfuscation"
	],
	"threat_actors": [],
	"ts_created_at": 1775434241,
	"ts_updated_at": 1775791301,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/729ef878680ea18af51d7b979b9c49e0b59deaad.pdf",
		"text": "https://archive.orkl.eu/729ef878680ea18af51d7b979b9c49e0b59deaad.txt",
		"img": "https://archive.orkl.eu/729ef878680ea18af51d7b979b9c49e0b59deaad.jpg"
	}
}