InvisibilityCloak

Proof-of-concept obfuscation toolkit for C# post-exploitation tools. This will perform the below actions for a C# Visual Studio project.

Blog Post: https://securityintelligence.com/posts/invisibility-cloak-obfuscate-c-tools-evade-signature-based-detection

String Candidates Not Obfuscated

The below string candidates are not included in obfuscation

Support Information

Arguments/Options

Usage/Examples

Run InvisibilityCloak with string obfuscation

Base64 String Obfuscation

python InvisibilityCloak.py -d /path/to/project -n "TotallyLegitTool" -m base64

python InvisibilityCloak.py -d C:\path\to\project -n "TotallyLegitTool" -m base64

ROT13 String Obfuscation

python InvisibilityCloak.py -d /path/to/project -n "TotallyLegitTool" -m rot13

python InvisibilityCloak.py -d C:\path\to\project -n "TotallyLegitTool" -m rot13

Reverse String Obfuscation

python InvisibilityCloak.py -d /path/to/project -n "TotallyLegitTool" -m reverse

python InvisibilityCloak.py -d C:\path\to\project -n "TotallyLegitTool" -m reverse

Run InvisibilityCloak without string obfuscation

python InvisibilityCloak.py -d /path/to/project -n "TotallyLegitTool"

python InvisibilityCloak.py -d C:\path\to\project -n "TotallyLegitTool"

Signature-Based Detection Statistics

The table below compares signature-based detection of the unobfuscated versions of 20 popular public C# tools with the versions obfuscated by InvisibilityCloak.

This is specifically for Microsoft Defender (free version), and accurate as of April 14th, 2022.

| Tool | Link | Unobfuscated | Obfuscated w/ InvisibilityCloak |
|---|---|---|---|
| ADCSPwn | https://github.com/bats3c/ADCSPwn | Detected | Not Detected |
| Certify | https://github.com/GhostPack/Certify | Detected | Not Detected |
| Farmer | https://github.com/mdsecactivebreach/Farmer | Detected | Not Detected |
| Rubeus | https://github.com/GhostPack/Rubeus | Detected | Detected |
| SafetyKatz | https://github.com/GhostPack/SafetyKatz | Detected | Not Detected |
| Seatbelt | https://github.com/GhostPack/Seatbelt | Detected | Not Detected |
| SharpClipboard | https://github.com/slyd0g/SharpClipboard | Not Detected | Not Detected |
| SharPersist | https://github.com/mandiant/SharPersist | Not Detected | Not Detected |
| SharpExec | https://github.com/anthemtotheego/SharpExec | Detected | Not Detected |
| SharpGPOAbuse | https://github.com/FSecureLABS/SharpGPOAbuse | Detected | Not Detected |
| SharpHound | https://github.com/BloodHoundAD/SharpHound | Not Detected | Not Detected |
| SharpLogger | https://github.com/djhohnstein/SharpLogger | Detected | Not Detected |
| SharpMove | https://github.com/0xthirteen/SharpMove | Detected | Not Detected |
| SharpRDP | https://github.com/0xthirteen/SharpRDP | Detected | Detected |
| SharpSecDump | https://github.com/G0ldenGunSec/SharpSecDump | Detected | Not Detected |
| SharpUp | https://github.com/GhostPack/SharpUp | Not Detected | Not Detected |
| SharpView | https://github.com/tevora-threat/SharpView | Detected | Not Detected |
| SharpWMI | https://github.com/GhostPack/SharpWMI | Detected | Not Detected |
| StandIn | https://github.com/xforcered/StandIn | Detected | Not Detected |
| WireTap | https://github.com/djhohnstein/WireTap | Not Detected | Not Detected |
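
For defenders, the three string methods named under Usage/Examples (base64, rot13, reverse) are all reversible without a key, so a string watchlist can be matched after undoing each one. The following is an added example, not code from InvisibilityCloak or its blog post. It assumes string literals have already been extracted from the assembly by another tool and that base64 literals wrap UTF-8 text; the function names, watchlist and sample literals are constructed for illustration.

```python
import base64
import codecs

# Constructed watchlist: strings a defender already alerts on in cleartext.
WATCHLIST = ["ExampleTool v1.0 banner", "dump-credentials"]

# Constructed sample of literals as they might come out of a strings dump.
SAMPLE = [
    "Usage: tool.exe <target>",
    base64.b64encode(b"ExampleTool v1.0 banner").decode(),
    codecs.encode("dump-credentials /all", "rot_13"),
    "ExampleTool v1.0 banner"[::-1],
    "Hello, world",
]


def candidate_decodings(literal):
    """Return {method: text} after undoing each keyless transform."""
    out = {
        "rot13": codecs.decode(literal, "rot_13"),
        "reverse": literal[::-1],
    }
    try:
        # validate=True rejects literals that are not strict base64.
        raw = base64.b64decode(literal, validate=True)
        out["base64"] = raw.decode("utf-8")  # assumption: UTF-8 payload
    except ValueError:
        # Covers binascii.Error, non-ASCII input and UnicodeDecodeError.
        pass
    return out


def scan_literals(literals, watchlist=WATCHLIST):
    """Return (literal, method, needle) for every watchlist match."""
    hits = []
    for lit in literals:
        forms = {"plain": lit, **candidate_decodings(lit)}
        for method, text in forms.items():
            lowered = text.lower()
            for needle in watchlist:
                if needle.lower() in lowered:
                    hits.append((lit, method, needle))
    return hits


if __name__ == "__main__":
    for lit, method, needle in scan_literals(SAMPLE):
        print(f"{method:8} {needle!r} found in literal {lit!r}")
```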

Compiled C# Tool Size Statistics

The table below shows the compiled file sizes of 20 popular public C# tools, comparing the unobfuscated version with the versions obfuscated by InvisibilityCloak using each string obfuscation method.

| Tool | Link | Unobfuscated | ROT13 String Obfuscation | Base64 String Obfuscation | Reverse String Obfuscation |
|---|---|---|---|---|---|
| ADCSPwn | https://github.com/bats3c/ADCSPwn | 718 KB | 728 KB | 722 KB | 720 KB |
| Certify | https://github.com/GhostPack/Certify | 170 KB | 198 KB | 178 KB | 176 KB |
| Farmer | https://github.com/mdsecactivebreach/Farmer | 13 KB | 17 KB | 14 KB | 13 KB |
| Rubeus | https://github.com/GhostPack/Rubeus | 418 KB | 605 KB | 469 KB | 455 KB |
| SafetyKatz | https://github.com/GhostPack/SafetyKatz | 714 KB | 716 KB | 948 KB | 715 KB |
| Seatbelt | https://github.com/GhostPack/Seatbelt | 543 KB | 904 KB | 618 KB | 608 KB |
| SharpClipboard | https://github.com/slyd0g/SharpClipboard | 6 KB | 7 KB | 6 KB | 7 KB |
| SharPersist | https://github.com/mandiant/SharPersist | 231 KB | 281 KB | 248 KB | 243 KB |
| SharpExec | https://github.com/anthemtotheego/SharpExec | 30 KB | 57 KB | 36 KB | 34 KB |
| SharpGPOAbuse | https://github.com/FSecureLABS/SharpGPOAbuse | 70 KB | 98 KB | 79 KB | 76 KB |
| SharpHound | https://github.com/BloodHoundAD/SharpHound | 880 KB | 897 KB | 885 KB | 883 KB |
| SharpLogger | https://github.com/djhohnstein/SharpLogger | 19 KB | 27 KB | 20 KB | 20 KB |
| SharpMove | https://github.com/0xthirteen/SharpMove | 41 KB | 100 KB | 50 KB | 49 KB |
| SharpRDP | https://github.com/0xthirteen/SharpRDP | 322 KB | 346 KB | 326 KB | 325 KB |
| SharpSecDump | https://github.com/G0ldenGunSec/SharpSecDump | 42 KB | 55 KB | 45 KB | 43 KB |
| SharpUp | https://github.com/GhostPack/SharpUp | 35 KB | 50 KB | 40 KB | 39 KB |
| SharpView | https://github.com/tevora-threat/SharpView | 719 KB | 856 KB | 742 KB | 738 KB |
| SharpWMI | https://github.com/GhostPack/SharpWMI | 53 KB | 92 KB | 62 KB | 61 KB |
| StandIn | https://github.com/xforcered/StandIn | 162 KB | 294 KB | 197 KB | 189 KB |
| WireTap | https://github.com/djhohnstein/WireTap | 282 KB | 292 KB | 285 KB | 284 KB |

Roadmap