[AV Evasion] Xencrypt - PowerShell AV Evasion Tool

# Xencrypt

What is Xencrypt?

Xencrypt is a tool for AV and AMSI evasion for PowerShell scripts. I wrote it specifically with CTFs in mind since it’s quite common that you bump into various AV solutions on the harder boxes. It’s designed to be a single ps1 file so you can take it with you in your kit!

Features

  • Bypasses AMSI and all modern AVs in use on VirusTotal (as of writing)
  • Compresses and encrypts PowerShell scripts
  • Has a minimal and often even negative (thanks to the compression) overhead
  • Everything in a single file!
  • Randomizes variable names to further obfuscate the decrypter stub
  • Randomizes encryption, compression and even the order that the statements appear in the code for maximum entropy!
  • Super easy to modify to create your own crypter variant
  • Supports recursive layering (crypter crypting the crypted output), tested up to 500 layers.
  • Supports Import-Module as well as standard running, as long as the input script also supports it
  • GPLv3, Free and FOSS so you can edit it however you want!

Link to GitHub here

Look great, I’ll try it.

Very good tool man! Let me test :smiley:

Looks cool, will give that a go :slight_slight_smile: - Nice work

I tried it on a 2019 box.

```
import-module ./mimi.ps1
IEX : At line:1 char:1
+ function Invoke-Mimikatz
This script contains malicious content and has been blocked by your antivirus software.
At line:18 char:1
+ IEX($owjopuj)
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand
```

I checked my ps1 with VirusTotal and of course no engines detected it, but then, how can I hide the function?