A PowerShell armoury for security guys and girls
New major version that introduces, besides a lot of cleanup, a modular design for the evasion and obfuscation code. The goal is to make PSArmoury easier to adapt.
Details:
[fixed] Current loader detected by AV on disk
[fixed] Current deobfuscation method (AES) detected through AMSI
[fixed] Bug in -VerifyOnly that led to a silent fail
[fixed] Broken link in default config
[new] Modular design for evasion and obfuscation
[new] Reduced size of the cleartext loader function on disk to a minimum
[new] 3 different obfuscation templates included
[new] ConvertTo-PowerShell now supports private main methods (thanks @theluemmel)
[new] Used ParameterSets to improve quality of the PowerShell help menu (aka "man New-PSArmoury")
[new] GitHub credentials can now be passed as a parameter - no more prompting
[removed] Support for BlockDLL process mitigation
[new] Introducing Invoke-Shuffle.ps1 - a new utility script for code obfuscation
[fixed] Modified AMSI bypass and decryption stub to prevent detection by Windows Defender
[new] New JSON config - WARNING: BREAKING CHANGE! - old config formats will no longer work. Have a look at the README.
[new] New-PSArmoury will now run a config syntax check by default (like -ValidateOnly)
[new] GZIP compression is here, typically armoury size reduced by at least 50%
[new] Finally wrote a useful README... yeah, I know...
[fixed] UTF-8 with BOM will no longer cause issues
[new] Added support for BlockDLL process mitigation policy to enhance armoury protection
New release for Andi ❤️
[new] Choose GitHub branch in config file (dev/master/...) --> have a look at the sample config
[new] Simply create an armoury from a local file or folder without the need to create a config file
[new] Every armoury now contains an inventory function called Get-PSArmoury, so you know what's inside
Added a small change to disable PowerShell history automatically, which sadly bypasses some EDR solutions ;-)
Small modifications regarding AMSI bypass. Updated tools inside.