Closed c0d3xpl0it closed 7 years ago
Any plans to release this feature in the upcoming v4.0?
The blog http://www.blackhillsinfosec.com/?p=5555 has a pretty good and easy obfuscation trick to bypass AV. CME helps it to spray Mimikatz on a larger subnet, so I am asking for this feature.
@c0d3xpl0it yup! I'm planning on integrating PS obfuscation in v4.0 using Invoke-Obfuscation. There is currently an issue with PowerShell v2.0 compatibility with the obfuscated scripts; I'm currently working with the author to resolve this issue: https://github.com/danielbohannon/Invoke-Obfuscation/issues/10
Update on this: the code to support obfuscation through Invoke-Obfuscation is done (https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/helpers/powershell.py). I'm still currently waiting for that issue to be resolved.
Implemented in 7149b24524cbd8b9b2ad6c42f7a1f6214c4137d9
Hello,
Whenever we use crackmapexec in a corporate environment with the --mimikatz option, we don't receive any output, mostly because AV flags mimikatz and stops execution. Is it possible that the mimikatz PowerShell script can be obfuscated and then sent to the target? I saw one project for PowerShell obfuscation (https://github.com/danielbohannon/Invoke-Obfuscation).
Do guide, if I am missing something.