Description
This script compiles a C# payload with multiple layers of obfuscation and an AMSI bypass technique, making the resulting binary harder for security tools to detect.
Overview
The script begins by generating a C# payload that loads a module from a URL using the Get-CsLoadModuleFromURL function. The generated code is then processed through multiple obfuscation steps:
- Add-CsAmsiBypass: Implements the specified AMSI bypass technique to evade AMSI scanning.
- Obfuscate-CsByteArray: Obscures byte array data to prevent signature-based detection.
- Obfuscate-CsStrings: Uses the chosen string obfuscation technique to make string values difficult to identify.
- Obfuscate-CsVariables, Obfuscate-CsMethods, Obfuscate-CsClasses, Obfuscate-CsClassMembers: These steps rename variables, methods, classes, and their members to enhance code complexity and obscure functionality.
Finally, the script compiles the modified code with the specified .NET framework version and output type, creating an executable or DLL payload. This comprehensive obfuscation strategy makes the payload harder for security tools to analyze and detect.
Parameters
| Name | Type | Description |
|---|---|---|
| AmsiBypassTechnique | SpecterInsight.Obfuscation.CSharp.AstTransforms.Bypasses.Techniques.CSharpAmsiBypassTechnique | The specific AMSI bypass technique to use. Default is HardwareBreakpointAmsiScanBuffer. |
| StringObfuscationTechnique | SpecterInsight.Obfuscation.CSharp.AstTransforms.CSharpStringVaultTransformTechnique | The string obfuscation technique to use. Default is Random. |
| OutputType | SpecterInsight.Obfuscation.CSharp.OutputTransforms.CSharpCompilerTarget | The output format of the compiled payload (e.g., Console, DLL). Default is Console. |
| FrameworkVersion | SpecterInsight.Obfuscation.CSharp.OutputTransforms.CSharpCompilerFrameworkVersion | The target .NET Framework version for the compiled binary (e.g., .NET 2.0, .NET 4.0). Default is Dotnet2. |
