danielbohannon / Invoke-Obfuscation

PowerShell Obfuscator
Apache License 2.0
3.59k stars, 759 forks

problem Kaspersky #25

Closed gearcapitan closed 6 years ago

gearcapitan commented 6 years ago

(screenshot 126) Kaspersky blocked all my scripts

danielbohannon commented 6 years ago

If you're expecting any kind of helpful response then more information is needed, like the content of the script. In addition, it appears to detect the script upon execution but not statically... and it looks like the random-cased if condition for PowerShell version is not obfuscated at all -- perhaps that is part of what A/V is flagging on?

gearcapitan commented 6 years ago

The obfuscated script is not what it is detecting; what it is detecting is the execution as such, but that did not happen before. My PowerShell script is detected before its execution, but when I obfuscated it, it was not detected either before or after its execution. To be more exact, it is the PowerShell script that generates the PowerShell Empire Framework.

danielbohannon commented 6 years ago

Gotcha. So the obfuscation is not being detected, but Kaspersky is detecting the Empire payload heuristically. Is there an issue with Invoke-Obfuscation that you are pointing out?

gearcapitan commented 6 years ago

That's right, it's detected by heuristics, but what I do not understand is why that did not happen before. I mean, the original ps1 was detected before; I obfuscated it and it was not detected, it was executed and it was not detected. Shouldn't it be like that forever then? Because the antivirus should detect the activity of the ps1, I feel that something is missing in the obfuscation, because in fact Empire has incorporated Invoke-Obfuscation, and it gives something very different from what can be generated with the script separately :/ and curiously, the integration of your scripts that Empire uses is not detected by heuristics there.

danielbohannon commented 6 years ago

> it should not to be like that then forever

Perhaps this is just defenders improving -- that is the purpose behind my building Invoke-Obfuscation, after all :) If there is a static detection of the .ps1 file then that does not mean that something is missing in the obfuscation, it just means the static detection has gotten better. See Lee Holmes' and my Revoke-Obfuscation framework (https://github.com/danielbohannon/Revoke-Obfuscation).

If Kaspersky is using AMSI for their detection then you can check out Ryan Cobb's PSAmsi project (https://github.com/cobbr/PSAmsi) to see what portions of the script Kaspersky is using for their signature.
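To make the defender's side of this exchange concrete: the random-cased `if` condition that danielbohannon points at above is exactly the kind of artifact a static scanner can key on, and it is why "the obfuscation is not detected but the payload is" can flip over time without anything being "missing" from the obfuscator. The following is an added illustration, not code from Invoke-Obfuscation, Revoke-Obfuscation, PSAmsi or any A/V product. It scores a script by how many recognised PowerShell tokens (keywords, operators, Verb-Noun cmdlets, `$PSVersionTable` members) use a casing no human would type. The token dictionary is a short hypothetical subset, the threshold is an assumption, and the two sample lines are constructed for the demonstration.

```python
import re
from typing import Dict, List, Set

# Constructed map of lowercase PowerShell keywords, operators, cmdlets and
# automatic-variable members to the spelling a human would normally type.
# Hypothetical and deliberately short; a real scanner would load a full list.
CANONICAL: Dict[str, str] = {
    "if": "if", "else": "else", "elseif": "elseif", "foreach": "foreach",
    "while": "while", "function": "function", "return": "return",
    "param": "param", "try": "try", "catch": "catch",
    "-ge": "-ge", "-gt": "-gt", "-eq": "-eq", "-ne": "-ne",
    "-join": "-join", "-replace": "-replace", "-f": "-f",
    "new-object": "New-Object", "invoke-expression": "Invoke-Expression",
    "add-type": "Add-Type", "get-item": "Get-Item",
    "psversiontable": "PSVersionTable", "psversion": "PSVersion",
    "major": "Major",
}

# Identifiers, optionally hyphen-joined (Verb-Noun cmdlets, -operators).
TOKEN_RE = re.compile(r"-?[A-Za-z][A-Za-z0-9]*(?:-[A-Za-z][A-Za-z0-9]*)*")


def accepted_spellings(canon: str) -> Set[str]:
    """Casings a human plausibly writes: the canonical form, all-lower,
    all-upper, or each hyphen-separated part capitalised (If, New-Object, -Ge)."""
    capitalised = "-".join(part.capitalize() for part in canon.split("-"))
    return {canon, canon.lower(), canon.upper(), capitalised}


def odd_case_tokens(script: str) -> List[str]:
    """Recognised tokens whose casing matches none of the accepted spellings."""
    odd = []
    for match in TOKEN_RE.finditer(script):
        token = match.group(0)
        canon = CANONICAL.get(token.lower())
        if canon is not None and token not in accepted_spellings(canon):
            odd.append(token)
    return odd


def odd_case_ratio(script: str) -> float:
    """Share of recognised tokens that are oddly cased; 0.0 when none are found."""
    known = [m.group(0) for m in TOKEN_RE.finditer(script)
             if m.group(0).lower() in CANONICAL]
    if not known:
        return 0.0
    return len(odd_case_tokens(script)) / len(known)


def looks_obfuscated(script: str, threshold: float = 0.2) -> bool:
    """Static verdict (threshold is an assumed tuning value, not a vendor's)."""
    return odd_case_ratio(script) > threshold


# Constructed sample lines for the demonstration, not taken from any real payload.
CLEAN_LINE = "if ($PSVersionTable.PSVersion.Major -ge 3) { Invoke-Expression $cmd }"
RANDOM_CASED_LINE = "iF ($PSVersionTable.PSVersion.Major -gE 3) { iNVoKe-eXpReSsIoN $cmd }"

if __name__ == "__main__":
    for name, line in (("clean", CLEAN_LINE), ("random-cased", RANDOM_CASED_LINE)):
        print(f"{name}: ratio={odd_case_ratio(line):.2f} "
              f"odd={odd_case_tokens(line)} flag={looks_obfuscated(line)}")
```

The clean line scores 0.0; the random-cased line scores 0.5 because `iF`, `-gE` and `iNVoKe-eXpReSsIoN` match none of the human spellings. A single feature like this is crude on its own, which is why Revoke-Obfuscation combines many character-level and AST-level features, but it shows how a static detector can improve against a fixed obfuscator without any change to the obfuscator itself.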

gearcapitan commented 6 years ago

Well, thank you very much for answering my questions