Deobfuscation with PowerShell Logging

by Vince

There are a number of tools for obfuscating PowerShell, and I have written a few times about one of the better-known ones, Invoke-Obfuscation.  But with PowerShell logging becoming more common, I wonder why bother to obfuscate at all.  As far as I can tell it no longer buys much evasion: the obfuscated text may slip past a signature that only sees the command as entered, but if the code that actually executes is captured in a log anyway, what's the point?

To see what I'm talking about, we first need to turn on PowerShell logging, in particular script block logging (the Group Policy setting "Turn on PowerShell Script Block Logging" under Windows Components > Windows PowerShell):

If we execute a simple command:

We then open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > PowerShell > Operational:

A quick search through the Event ID 4104 ("Creating Scriptblock text") entries and we find the command we just executed:
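The same three steps done from the console instead of Group Policy and Event Viewer, as an added example that is not part of the original post. It writes the registry values behind the two policy settings (which needs an elevated prompt), runs a recognisable command in a fresh process, and then reads that command back out of the Operational log with Get-WinEvent. The command used as a marker is arbitrary; the five-minute window and the two-second sleep are assumptions for a quiet test machine.

```powershell
# Added example, not code from the post. Run from an elevated PowerShell:
# the policy keys live under HKLM and need administrator rights to write.

# Step 1: turn on script block logging. This is the registry equivalent of the
# Group Policy setting "Turn on PowerShell Script Block Logging".
$sblPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sblPath -Force | Out-Null
Set-ItemProperty -Path $sblPath -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Optional: module logging ("Turn on Module Logging") records pipeline execution
# details as Event ID 4103 for the modules listed under ModuleNames ('*' = all).
$modPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
New-Item -Path "$modPath\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $modPath -Name 'EnableModuleLogging' -Value 1 -Type DWord
New-ItemProperty -Path "$modPath\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Step 2: execute a simple, recognisable command (assumed marker) in a fresh
# process so it is compiled as its own script block under the new policy.
$marker = 'Get-Process -Name explorer | Select-Object -First 1 Name, Id'
powershell.exe -NoProfile -Command $marker | Out-Null
Start-Sleep -Seconds 2   # give the event log a moment to flush

# Step 3: read it back from the Operational log instead of Event Viewer.
# Event ID 4104 = "Creating Scriptblock text"; EventData field 2 is ScriptBlockText.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddMinutes(-5)
}

$hits = $events | Where-Object { $_.Properties[2].Value -like "*$marker*" }
foreach ($e in $hits) {
    '{0}  ScriptBlockId={1}' -f $e.TimeCreated, $e.Properties[3].Value
    $e.Properties[2].Value
}
```

The `-like` search is the console equivalent of the "quick search" in Event Viewer; on a busy host you would narrow it further by `$_.ProcessId` or by the user SID on the event rather than by content.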

Now let's fire up Invoke Obfuscation:

I should also add that even dropping Invoke-Obfuscation onto a system is a fruitless effort unless endpoint protection / Windows Defender is disabled first.

At the initial prompt, we input the command we would like to execute: 

We choose STRING and option 1, which concatenates the entire command into string fragments joined with '+' and hands the result to an invocation cmdlet such as Invoke-Expression:

The result is our obfuscated PowerShell.  Now let's execute that:

Parsing through the logs, we find both the obfuscated command and what really occurs.  The concatenated text is logged as entered, and when the reassembled string is passed to Invoke-Expression the engine has to compile it as a new script block, so the plaintext is logged as a second 4104 event:
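The two-event pattern described above, reproduced end to end as an added example that is not part of the original post and is not Invoke-Obfuscation's own output. The payload is a hand-written approximation of the STRING > 1 result (the real tool also randomises casing, fragment boundaries and the invocation cmdlet); it is launched as a Base64 `-EncodedCommand` so the log query can be pinned to that one child process by PID, and the script then prints both script blocks side by side with a simple join-count heuristic to tell them apart. Script block logging must already be enabled.

```powershell
# Added example, not code from the post and not Invoke-Obfuscation output.
# Assumes script block logging is already on (ScriptBlockLogging policy key).

# Hand-built concatenated payload in the shape of STRING > 1: the command exists
# only as fragments glued with '+', and the joined string goes to Invoke-Expression.
$obfuscated = "Invoke-Expression ('Get-Pr' + 'ocess -Na' + 'me expl' + 'orer | Select' + '-Object Name, Id')"

# Launch it as a Base64 -EncodedCommand (a common delivery form that also avoids
# quoting trouble). -PassThru returns the child process so we know its PID.
$stamp = Get-Date
$bytes = [Text.Encoding]::Unicode.GetBytes($obfuscated)
$child = Start-Process -FilePath 'powershell.exe' `
    -ArgumentList '-NoProfile', '-EncodedCommand', ([Convert]::ToBase64String($bytes)) `
    -WindowStyle Hidden -PassThru -Wait
Start-Sleep -Seconds 2   # let the event log flush

# Every 4104 ("Creating Scriptblock text") event raised by that child process.
# Two blocks are expected:
#   1. the outer block: the concatenated text exactly as submitted (the engine
#      has already undone the Base64 before compiling it, so that hides nothing)
#   2. the inner block: the reassembled plaintext, logged when Invoke-Expression
#      compiles the joined string as a new script block
$blocks = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $stamp
} | Where-Object { $_.ProcessId -eq $child.Id } | ForEach-Object {
    [pscustomobject]@{
        Time          = $_.TimeCreated
        ScriptBlockId = $_.Properties[3].Value   # EventData: ScriptBlockId
        Text          = $_.Properties[2].Value   # EventData: ScriptBlockText
    }
}

# Triage heuristic over the logged text: count quoted fragments joined with '+'.
# Hand-written PowerShell rarely needs more than one or two such joins.
function Get-ConcatJoinCount {
    param([Parameter(Mandatory)][string]$Text)
    return ([regex]::Matches($Text, "'\s*\+\s*'")).Count
}

foreach ($b in $blocks | Sort-Object Time) {
    $joins = Get-ConcatJoinCount -Text $b.Text
    $label = if ($joins -ge 3) { 'as entered (obfuscated)' } else { 'as executed (plaintext)' }
    '{0}  {1}  ScriptBlockId={2}  concat joins={3}' -f `
        $b.Time.ToString('HH:mm:ss.fff'), $label, $b.ScriptBlockId, $joins
    '    ' + $b.Text
}
```

Filtering on the child's PID rather than on the command text matters here: the outer block never contains the string "Get-Process" or "explorer" in one piece, so a content search for the real command would find only the inner, deobfuscated block and miss the entry that shows how it arrived.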

So there you have it.  As far as I can tell, obfuscation is pointless against a defender who is collecting these logs: however the string looks at entry, the script block log records what actually executed, because any string that is eventually invoked has to be compiled as a script block first, and that is the moment it is written to the log.  Windows PowerShell 5 goes a step further and logs blocks it considers suspicious as Warning-level 4104 events even when the policy is not enabled.