{
	"id": "e09a5136-8812-4328-a985-94d0c846b70f",
	"created_at": "2026-04-06T01:30:59.67749Z",
	"updated_at": "2026-04-10T03:35:21.478238Z",
	"deleted_at": null,
	"sha1_hash": "b3499fa332d046d07d5bcd5611655ac36dfa1577",
	"title": "GitHub - danielbohannon/Invoke-Obfuscation: PowerShell Obfuscator",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 115830,
	"plain_text": "GitHub - danielbohannon/Invoke-Obfuscation: PowerShell\r\nObfuscator\r\nBy cobbr\r\nArchived: 2026-04-06 01:15:57 UTC\r\nhttps://github.com/danielbohannon/Invoke-Obfuscation\r\nPage 1 of 6\n\nIntroduction\r\nInvoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator.\r\nBackground\r\nIn the Fall of 2015 I decided to begin researching the flexibility of PowerShell's language and began cataloguing\r\nthe various ways to accomplish a handful of common techniques that most attackers use on a regular basis.\r\nInitially focusing on encoded command and remote download cradle syntaxes, I discovered that various escape\r\ncharacters that did not hinder the execution of the command persisted in the command line arguments, both in the\r\nrunning process as well as what is logged in Security EID 4688 and Sysmon EID 1 event logs. This led me to\r\nsystematically explore ways of obfuscating each kind of \"token\" found in any PowerShell command or script.\r\nI then explored more obscure ways to perform string-level obfuscation, various encoding/encrypting techniques\r\n(like ASCII/hex/octal/binary and even SecureString), and finally PowerShell launch techniques to abstract the\r\ncommand line arguments from powershell.exe and to push it back to the parent and even grandparent process.\r\nPurpose\r\nAttackers and commodity malware have started using extremely basic obfuscation techniques to hide the majority\r\nof the command from the command line arguments of powershell.exe. I developed this tool to aid the Blue Team\r\nin simulating obfuscated commands based on what I currently know to be syntactically possible in PowerShell\r\n2.0-5.0 so that they can test their detection capabilities of these techniques.\r\nThe tool's sole purpose is to break any assumptions that we as defenders may have concerning how PowerShell\r\ncommands can appear on the command line. 
My hope is that it will encourage the Blue Team to shift to looking\r\nfor Indicators of Obfuscation on the command line in addition to updating PowerShell logging to include Module,\r\nScriptBlock and Transcription logging as these sources simplify most aspects of the obfuscation techniques\r\ngenerated by this tool.\r\nUsage\r\nWhile all of the layers of obfuscation have been built out into separate scripts, most users will find the Invoke-Obfuscation function to be the easiest way to explore and visualize the obfuscation techniques that this\r\nframework currently supports.\r\nInstallation\r\nThe source code for Invoke-Obfuscation is hosted at GitHub, and you may download, fork and review it from this\r\nrepository (https://github.com/danielbohannon/Invoke-Obfuscation). Please report issues or feature requests\r\nthrough GitHub's bug tracker associated with this project.\r\nTo install:\r\nImport-Module ./Invoke-Obfuscation.psd1\r\nInvoke-Obfuscation\r\nLicense\r\nInvoke-Obfuscation is released under the Apache 2.0 license.\r\nRelease Notes\r\nv1.0 - 2016-09-25 DerbyCon 6.0 (Louisville, Kentucky USA): PUBLIC Release of Invoke-Obfuscation.\r\nv1.1 - 2016-10-09 SANS DFIR Summit (Prague, Czech Republic): Added -f format operator re-ordering\r\nfunctionality to all applicable TOKEN obfuscation functions. Also added additional syntax options for setting\r\nvariable values.\r\nv1.2 - 2016-10-20 CODE BLUE (Tokyo, Japan): Added Type TOKEN obfuscation (direct type casting with string\r\nobfuscation options for type name).\r\nv1.3 - 2016-10-22 Hacktivity (Budapest, Hungary): Added two new LAUNCHERs: CLIP+ and CLIP++. Also\r\nadded additional (and simpler) array char conversion syntax for all ENCODING functions that does not require\r\nForEach-Object/%.\r\nv1.4 - 2016-10-28 BruCON (Ghent, Belgium): Added new BXOR ENCODING function. 
Also enhanced\r\nrandomized case for all components of all ENCODING functions as well as for PowerShell execution flags for all\r\nLAUNCHERs. Finally, added -EP shorthand option for -ExecutionPolicy to all LAUNCHERs as well as the\r\noptional integer representation of the -WindowStyle PowerShell execution flag: Normal (0), Hidden (1),\r\nMinimized (2), Maximized (3).\r\nv1.5 - 2016-11-04 Blue Hat (Redmond, Washington USA): Added WMIC LAUNCHER with some randomization\r\nof WMIC command line arguments.\r\nv1.6 - 2017-01-24 Blue Hat IL (Tel Aviv, Israel):\r\nAdded CLI functionality: E.g., Invoke-Obfuscation -ScriptBlock {Write-Host 'CLI FTW!'} -Command\r\n'Token\\All\\1, Encoding\\1,Launcher\\Stdin++\\234,Clip' -Quiet -NoExit\r\nAdded UNDO functionality to remove one layer of obfuscation at a time.\r\nRemoved Whitespace obfuscation from Token\\All\\1 to speed up large script obfuscation.\r\nAdded Process Argument Tree output for all launchers to aid defenders.\r\nAdded base menu auto-detect functionality to avoid needing to use BACK or HOME: E.g., if you ran\r\nTOKEN then ALL then 1, then just type LAUNCHER and you will get to the LAUNCHER menu without\r\nneeding to type HOME or BACK to get back to the home menu.\r\nAdded multi-command syntax utilized by CLI and interactive mode: E.g.,\r\nToken\\All\\1,String\\3,Encoding\\5,Launcher\\Ps\\234,Clip\r\nAdded regex capability to all menu and obfuscation commands: E.g.,\r\nToken**,String[13],Encoding(1|6),Launcher.*[+]{2}\\234,Clip\r\nAdded OUT FILEPATH single command functionality.\r\nAdded decoding if powershell -enc syntax is entered as a SCRIPTBLOCK value.\r\nAdded alias ForEach to ForEach-Object/% randomized syntax options in all ENCODING functions.\r\nAdded -Key -Ke -K KEY substring syntax options to Out-SecureStringCommand.ps1.\r\nAdded more thorough case randomization to all \\Home\\String obfuscation functions.\r\nAdded -ST/-STA (Single-Threaded Apartment) flags to CLIP+ and CLIP++ launcher functions since 
they\r\nare required if running on PowerShell 2.0.\r\nAdded Get-Item/GI/Item syntax wherever Get-ChildItem is used to get variable values.\r\nAdded Set-Item variable instantiation syntax to TYPE obfuscation function.\r\nAdded additional Invoke-Expression/IEX syntax using PowerShell automatic variables and environment\r\nvariable value concatenations in Out-ObfuscatedStringCommand.ps1's Out-EncapsulatedInvokeExpression\r\nfunction and copied to all launchers, STRING and ENCODING functions to add numerous command-line\r\nsyntaxes for IEX.\r\nAdded two new JOIN syntaxes for String\\Reverse and all ENCODING obfuscation options:\r\n1. Added [String]::Join('',$string) JOIN syntax\r\n2. Added OFS-variable JOIN syntax (Output Field Separator automatic variable)\r\nAdded two more SecureString syntaxes to Encoding\\5:\r\n1. PtrToStringAnsi / SecureStringToGlobalAllocAnsi\r\n2. PtrToStringBSTR / SecureStringToBSTR\r\nAdded six GetMember alternate syntaxes for several SecureString members:\r\n1. PtrToStringAuto, ([Runtime.InteropServices.Marshal].GetMembers()[3].Name).Invoke\r\n2. PtrToStringAuto, ([Runtime.InteropServices.Marshal].GetMembers()[5].Name).Invoke\r\n3. PtrToStringUni , ([Runtime.InteropServices.Marshal].GetMembers()[2].Name).Invoke\r\n4. PtrToStringUni , ([Runtime.InteropServices.Marshal].GetMembers()[4].Name).Invoke\r\n5. PtrToStringAnsi, ([Runtime.InteropServices.Marshal].GetMembers()[0].Name).Invoke\r\n6. 
PtrToStringAnsi, ([Runtime.InteropServices.Marshal].GetMembers()[1].Name).Invoke\r\nUpdated Out-ObfuscatedTokenCommand.ps1 so that VARIABLE obfuscation won't encapsulate variables\r\nin ${} if they are already encapsulated (so ${${var}} won't happen as this causes errors).\r\nReplaced Invoke-Obfuscation.psm1 with Invoke-Obfuscation.psd1 (thanks @Carlos_Perez).\r\nFixed several TOKEN-level obfuscation bugs reported by @cobbr_io and @IISResetMe.\r\nv1.7 - 2017-03-03 nullcon (Goa, India):\r\nAdded 3 new LAUNCHERs: RUNDLL, RUNDLL++ and MSHTA++\r\nAdded additional ExecutionContext wildcard variable strings\r\nv1.8 - 2017-07-27 Black Hat (Las Vegas, Nevada USA):\r\nAdded 2 new ENCODING options: Special Characters and Whitespace\r\nv1.8.1 - 2017-12-19:\r\nAdded COMPRESS function for easier conversion of multi-line scripts to a one-liner command while\r\ndrastically reducing the command length for cmd.exe command line length limitation purposes.\r\nv1.8.2 - 2018-01-04:\r\nAdded AST obfuscation functions, which obfuscate by manipulating the structure of the\r\nAbstract Syntax Tree without using many special characters.\r\nSource: https://github.com/danielbohannon/Invoke-Obfuscation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://github.com/danielbohannon/Invoke-Obfuscation"
	],
	"report_names": [
		"Invoke-Obfuscation"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439059,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3499fa332d046d07d5bcd5611655ac36dfa1577.pdf",
		"text": "https://archive.orkl.eu/b3499fa332d046d07d5bcd5611655ac36dfa1577.txt",
		"img": "https://archive.orkl.eu/b3499fa332d046d07d5bcd5611655ac36dfa1577.jpg"
	}
}