Description
Applies the ps_cradle obfuscation stack to an arbitrary PowerShell script.
Overview
Accepts any PowerShell script and applies the same obfuscation stack used by ps_cradle: member expression renaming, type expression renaming, cmdlet renaming, comment removal, variable renaming, and string encoding. Optionally prepends an AMSI bypass.
Parameters
| Name | Type | Description |
|---|---|---|
| Script | string | The PowerShell script to obfuscate. Multiline strings are supported. |
| MemberExpressionTechnique | PwshInvokeMemberTechnique | Member expression obfuscation technique. Values: Invoke, CodeMethod. Default: Invoke. |
| MemberExpressionLayout | PwshCodeMethodLayout | CodeMethod call-site layout. Values: Inline, Separate. Default: Inline. |
| StringsTechnique | PwshStringObfuscationTechnique | String obfuscation technique. Values: Random, Base64, Concat, Escape, Format, Reverse, Shuffle, Delta, Interleave, Otp, Substitution, Xor, Preferred. Default: Preferred. |
| AmsiBypassTechnique | string | AMSI bypass technique to prepend. Use None to skip. Values: None, Random, EffectiveAgainstPowerShellCommands, EffectiveAgainstModuleLoading, ContextError, InitFailed, PatchAddType, PatchInMemory, PatchScanContent, AmsiScanBufferStringReplace, HardwareBreakpointAmsiScanBufferAddType, RpcGhosting. Default: None. |