How does the PrivescCheck/PrivescCheck.ps1 work?

I'm trying to obfuscate a PowerShell script. The other scripts get detected by the anti-virus, whereas this script entirely bypasses it. How did you base64-encode and compress it and then load it? Can I get any more resources on this kind of obfuscation? Sorry for the issue, thank you!
The code of PrivescCheck is spread across multiple "source" files (see the src folder). Each of these files is compressed (gzip) and base64-encoded, which yields a list of very long base64 strings in the final script, referenced by a randomly named variable. As for the loader in the output file PrivescCheck.ps1, it simply iterates over this list of strings and does everything in reverse to get the original content and load it.
This is a technique I came up with. Perhaps other tools used a similar technique before that, I don't know. The basic idea is that most AV/EDR seem to detect "malicious" scripts based on multiple signatures, not just one or two. Therefore, if you have a large script, like mine, there is a high chance it will be detected. However, if you split it into smaller chunks and load them separately, the chance of triggering multiple signatures at the same time is lowered. But that's not all, because sometimes that's not enough. In that case, I modify the script manually to bypass a particular signature.
For more information, you should check out the script build/Build.ps1. There is no "magic trick" involved; it's pretty basic, but it is particularly well suited to my purpose.
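Below is an added, self-contained illustration of the packing scheme described in the reply above. It is not code from PrivescCheck or from its build/Build.ps1; it is an example written for this page. The two "source files" are constructed inline, the helper names (Compress-SourceChunk, Expand-SourceChunk) are invented for the example, and it assumes PowerShell 5.1 or later for the [Type]::new() syntax.

```powershell
# Added example (not PrivescCheck's Build.ps1): gzip + base64 each source
# chunk, emit a loader that stores the chunks under a random variable name,
# then reverse the process at load time. Helper names are hypothetical.

function Compress-SourceChunk {
    # gzip the UTF-8 text of one source file and return it as a base64 string
    param([Parameter(Mandatory)][string]$Text)
    $bytes = [Text.Encoding]::UTF8.GetBytes($Text)
    $out = [IO.MemoryStream]::new()
    $gz = [IO.Compression.GZipStream]::new($out, [IO.Compression.CompressionMode]::Compress)
    $gz.Write($bytes, 0, $bytes.Length)
    $gz.Dispose()   # flushes the gzip trailer into $out
    return [Convert]::ToBase64String($out.ToArray())
}

function Expand-SourceChunk {
    # inverse of Compress-SourceChunk: base64 -> gzip bytes -> original text
    param([Parameter(Mandatory)][string]$Base64)
    $in = [IO.MemoryStream]::new([Convert]::FromBase64String($Base64))
    $gz = [IO.Compression.GZipStream]::new($in, [IO.Compression.CompressionMode]::Decompress)
    $reader = [IO.StreamReader]::new($gz, [Text.Encoding]::UTF8)
    $text = $reader.ReadToEnd()
    $reader.Dispose()
    return $text
}

# Constructed sample "source files" standing in for the contents of a src folder.
$Sources = @(
    'function Get-Greeting { param($Name) "Hello, $Name" }',
    'function Get-Square { param([int]$N) $N * $N }'
)

# Build step: one base64 string per source file, referenced by a random variable name.
$VarName = 'v' + (-join ((1..8) | ForEach-Object { [char](Get-Random -Minimum 97 -Maximum 123) }))
$Chunks  = $Sources | ForEach-Object { Compress-SourceChunk -Text $_ }

# The generated loader: the array of chunks plus the code that undoes
# base64 and gzip for each one and dot-sources the result.
$Loader = @"
`$$VarName = @(
$(($Chunks | ForEach-Object { "    '$_'" }) -join ",`n")
)
foreach (`$c in `$$VarName) {
    `$b = [IO.MemoryStream]::new([Convert]::FromBase64String(`$c))
    `$g = [IO.Compression.GZipStream]::new(`$b, [IO.Compression.CompressionMode]::Decompress)
    `$s = [IO.StreamReader]::new(`$g, [Text.Encoding]::UTF8)
    . ([ScriptBlock]::Create(`$s.ReadToEnd()))
}
"@

# Sanity check 1: each chunk round-trips to its original source text.
for ($i = 0; $i -lt $Sources.Count; $i++) {
    if ((Expand-SourceChunk -Base64 $Chunks[$i]) -ne $Sources[$i]) { throw "chunk $i did not round-trip" }
}

# Sanity check 2: run the generated loader in-process (a real build would
# write $Loader to the output .ps1) and confirm the functions were defined.
. ([ScriptBlock]::Create($Loader))
if ((Get-Greeting -Name 'world') -ne 'Hello, world') { throw 'loader did not define Get-Greeting' }
if ((Get-Square -N 7) -ne 49) { throw 'loader did not define Get-Square' }
```

Two practical notes on this layout. The encoding is fully reversible, so it is not concealment: anyone with the file can recover every chunk with the same few lines the loader uses. And because each chunk is handed back to the engine as a script block, an AMSI-integrated scanner still sees its plain text at run time; what changes is that each piece is evaluated on its own rather than the whole script in one buffer, which is the point the reply above makes about not triggering several signatures at once.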