danielbohannon / Invoke-Obfuscation

PowerShell Obfuscator
Apache License 2.0

Out-ObfuscatedTokenCommand #42

Closed 1nsa closed 5 years ago

1nsa commented 5 years ago

Hi, when I load my script in Invoke-Obfuscation and try to use TOKEN\String or any other obfuscation method, I get the following error:

Out-ObfuscatedTokenCommand : The term 'Out-ObfuscatedTokenCommand' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

At C:\Users\test\Documents\Safe-Area-no-AV\Invoke-Obfuscation-master\Invoke-Obfuscation.ps1:1232 char:61

I imported all modules, even manually, and still get the same error. I unblocked all modules.

Any suggestions?

danielbohannon commented 5 years ago

This sounds like all of the modules were not successfully downloaded or the Import-Module command was not finished running. Are you running Import-Module against the .psd1 file?

Import-Module ./Invoke-Obfuscation.psd1

n00py commented 5 years ago

I have the same issue.

PS C:\Users\n00py\Invoke-Obfuscation> Import-Module ./Invoke-Obfuscation.psd1

PS C:\Users\n00py\Invoke-Obfuscation> Invoke-Obfuscation

... Invoke-Obfuscation> set scriptpath https://raw.githubusercontent.com/vysecurity/ps1-toolkit/master/Invoke-Mimikatz.ps1

........

Invoke-Obfuscation> Token\all\1

.........

Out-ObfuscatedTokenCommand : The term 'Out-ObfuscatedTokenCommand' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

At C:\Users\n00py\Invoke-Obfuscation\Invoke-Obfuscation.ps1:1163 char:61

WARNING: There were not any tokens to further obfuscate, so nothing changed.

Choose one of the below Token\All options to APPLY to current payload:

[*] TOKEN\ALL\1 Execute ALL Token obfuscation techniques (random order)

Invoke-Obfuscation\Token\All>

danielbohannon commented 5 years ago

Can you double-check that all of the files for Invoke-Obfuscation were successfully downloaded to your directory? Specifically Out-ObfuscatedTokenCommand.ps1. Sometimes this issue occurs if there was an incomplete download of the project from GitHub.

HSIS007 commented 5 years ago

Hi, I am also facing the same issue. Any solution for this?

Invoke-Obfuscation> token

Choose one of the below Token options:

[*] TOKEN\STRING Obfuscate String tokens (suggested to run first)

[*] TOKEN\COMMAND Obfuscate Command tokens

[*] TOKEN\ARGUMENT Obfuscate Argument tokens

[*] TOKEN\MEMBER Obfuscate Member tokens

[*] TOKEN\VARIABLE Obfuscate Variable tokens

[*] TOKEN\TYPE Obfuscate Type tokens

[*] TOKEN\COMMENT Remove all Comment tokens

[*] TOKEN\WHITESPACE Insert random Whitespace (suggested to run last)

[*] TOKEN\ALL Select All choices from above (random order)

Invoke-Obfuscation\Token> all

Choose one of the below Token\All options to APPLY to current payload:

[*] TOKEN\ALL\1 Execute ALL Token obfuscation techniques (random order)

Invoke-Obfuscation\Token\All> 1

Out-ObfuscatedTokenCommand : The term 'Out-ObfuscatedTokenCommand' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

SYANiDE- commented 5 years ago

I was having the same issue, and here's what I found. I imported the Invoke-Obfuscation.psd1. No issues or warnings. Attempted to obfuscate Tokens; both options 1, 2 gave this error as OP thread states.

And so I tried to Import-Module Out-ObfuscatedTokenCommand.ps1. I got the atypical "This script contains malicious content and has been blocked by your antivirus software.". AMSI is blocking the import of the requisite cmdlets silently.

I gave an encoded AMSI Bypass (or disabling Windows Defender using 'Set-MpPreference -DisableRealtimeMonitoring $true' works too; but beware, should probably re-enable after you conduct your business end of ops here), then was able to Import-Module Out-ObfuscatedTokenCommand.ps1 without issue. Also, was proven to be able to obfuscate tokens hereafter using Invoke-Obfuscation framework.

Oddly enough, it was an AMSI bypass that I was ultimately trying to obfuscate, but there's what was going on. Kind of a chicken/egg inception, but hope that helps!

danielbohannon commented 5 years ago

Thanks for the resolution, @SYANiDE-!
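
A read-only check for the two causes raised in this thread (an incomplete download, and antivirus/AMSI blocking a file during import), added here as an example and not part of Invoke-Obfuscation or any commenter's post. It assumes Windows, that the manifest names its scripts under standard manifest keys, and that each listed script defines a function named after the file, as Out-ObfuscatedTokenCommand.ps1 does in the errors above.

```powershell
# Added diagnostic sketch, not project code. Run after Import-Module, from the module directory.
param([string]$ManifestPath = './Invoke-Obfuscation.psd1')

$manifest = Import-PowerShellDataFile -Path $ManifestPath
$root     = Split-Path -Parent (Resolve-Path $ManifestPath).Path

# Collect every script the manifest references, whichever standard key it uses.
$files = @($manifest.RootModule) + @($manifest.NestedModules) +
         @($manifest.ScriptsToProcess) + @($manifest.FileList) |
    Where-Object { $_ -is [string] -and $_ -match '\.psm?1$' } |
    Sort-Object -Unique

$report = foreach ($f in $files) {
    $path = Join-Path $root $f
    $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        File    = $f
        Present = [bool]$item          # False: missing, or removed by antivirus
        Bytes   = if ($item) { $item.Length } else { 0 }
        # Mark-of-the-web stream left by a browser download; Unblock-File clears it.
        Blocked = [bool](Get-Item -LiteralPath $path -Stream Zone.Identifier -ErrorAction SilentlyContinue)
        # Assumption: the file defines a function with the same base name.
        FunctionLoaded = [bool](Get-Command -CommandType Function -ErrorAction SilentlyContinue `
                                 -Name ([IO.Path]::GetFileNameWithoutExtension($f)))
    }
}
$report | Format-Table -AutoSize

# A file that is present and unblocked but whose function never loaded points at a
# scan-time block. Defender records these in its operational log:
# event 1116 = detection, 1117 = action taken.
$pattern = '*' + [WildcardPattern]::Escape($root) + '*'
Get-WinEvent -MaxEvents 200 -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1116, 1117
    } |
    Where-Object { $_.Message -like $pattern } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

A row with `Present = True`, `Blocked = False` and `FunctionLoaded = False`, together with a matching Defender event, corresponds to the silent block SYANiDE- describes; `Present = False` or `Bytes = 0` corresponds to the incomplete download danielbohannon asks about.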