Xencrypt : A PowerShell Script Anti-Virus Evasion Tool

Xencrypt is a PowerShell crypter that uses AES encryption and Gzip/DEFLATE compression to with every invocation generate a completely unique yet functionally equivalent output script given any input script.

It does this by compressing and encrypting the input script and storing this data as a payload in a new script which will unencrypt and decompress the payload before running it. In essence, it is to PowerShell what a PE crypter is.

Features

  • Bypasses AMSI and all modern AVs in use on VirusTotal (as of writing)
  • Compresses and encrypts powershell scripts
  • Has a minimal and often even negative (thanks to the compression) overhead
  • Randomizes variable names to further obfuscate the decrypter stub
  • Randomizes encryption, compression and even the order that the statements appear in the code for maximum entropy!
  • Super easy to modify to create your own crypter variant
  • Supports recursive layering (crypter crypting the crypted output), tested up to 500 layers.
  • Supports Import-Module as well as standard running as long as the input script also supported it
  • GPLv3 — Free and open-source!
  • All features in a single file so you can take it with you anywhere!
  • Is despite all of the above not a silver bullet for every configuration — caveat emptor!

Also Read – Mouse : iOS & macOS Post-Exploitation Framework

Usage

Import-Module ./xencrypt.ps1
Invoke-Xencrypt -InFile invoke-mimikatz.ps1 -OutFile xenmimi.ps1

You will now have an encrypted xenmimi.ps1 file in your current working directory. You can use it in the same way as you would the original script, so in this case:

Import-Module ./xenmimi.ps1
Invoke-Mimikatz

It also supports recursive layering via the -Iterations flag.

Invoke-Xencrypt -InFile invoke-mimikatz.ps1 -OutFile xenmimi.ps1 -Iterations 100

This will compress and encrypt it 100 times and is useful for dynamic AV bypasses because they have a time-out for analyzing code. There’s no fakery here like sleeps that the dynamic scan can skip to get to the end — it has to go through the entire chain to get to the malicious payload which it usually never does since they normally time out after a second or two or scanning.

Warning though, the files can get big and generating the output file can take a very long time depending on the scripts and number of iterations requested.

Download
R K

Share
Published by
R K
Tags: Anti VirusevasionPowerShellXencrypt
5 years ago

Recent Posts

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

1 week ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

2 weeks ago

Red Team Certification – A Comprehensive Guide To Advancing In Cybersecurity Operations

Embark on the journey of becoming a certified Red Team professional with our definitive guide.…

3 weeks ago

CVE-2024-5836 / CVE-2024-6778 : Chromium Sandbox Escape via Extension Exploits

This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…

3 weeks ago

Rust BOFs – Unlocking New Potentials In Cobalt Strike

This took me like 4 days (+2 days for an update), but I got it…

3 weeks ago

MaLDAPtive – Pioneering LDAP SearchFilter Parsing And Security Framework

MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…

3 weeks ago