# If you have RDP access and can get a prompt
$cred = Get-Credential Domain\Username
Invoke-Command -Credential $cred -ComputerName x -ScriptBlock {whoami}
# If you are over C2 and can't get a prompt
$password = "Password123" | ConvertTo-SecureString -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential("Domain\User",$password); Invoke-Command -ComputerName 192.168.144.197 -Credential $cred -ScriptBlock {whoami}
Obfuscation defeats script block logging, warning-level auto logging and AMSI when done right. As a very simple example, we have already seen how GetField becomes GetFiel`d to bypass warning-level auto logging. Invoke-Obfuscation and Invoke-CradleCrafter from Daniel are very useful for implementing obfuscation.
Obfuscated scripts can be spotted by comparing common characteristics like variable names, function names, character frequency, distribution of language operators, entropy, etc. Revoke-Obfuscation is one such tool for identifying obfuscated scripts from event logs. Bonus: To avoid detection of obfuscation, we can use minimal obfuscation by identifying the exact signature which gets detected and obfuscating only that part of the script. See:
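The feature comparison described above, from the detection side, as an added Python example that is not part of the original notes and is not Revoke-Obfuscation's code: it scores script block text on entropy, symbol ratio and backticks placed mid-word where they are not a real escape sequence. The sample strings, the function names and the 0.5 threshold are assumptions made for the illustration.

```python
import math
import re
from collections import Counter

# Lowercase letters that form real PowerShell escape sequences after a backtick
# (`n, `t, `r, ...); a tick before any other letter changes nothing at runtime.
ESCAPE_LETTERS = set("abefnrtuv")
MID_WORD_TICK = re.compile(r"(?<=[A-Za-z])`([A-Za-z])")

def shannon_entropy(text):
    """Bits per character of the character distribution."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def features(script):
    body = "".join(script.split())  # ignore whitespace
    ticks = [m.group(1) for m in MID_WORD_TICK.finditer(script)]
    symbols = sum(1 for ch in body if not ch.isalnum())
    return {
        "entropy": shannon_entropy(body),
        "symbol_ratio": symbols / len(body) if body else 0.0,
        "mid_word_ticks": sum(1 for ch in ticks if ch not in ESCAPE_LETTERS),
    }

def flagged(scripts, max_symbol_ratio=0.5):
    """Return scripts with no-op mid-word ticks or an unusually symbol-heavy body.
    The 0.5 cut-off is an illustrative assumption; tune it on your own baseline."""
    out = []
    for s in scripts:
        f = features(s)
        if f["mid_word_ticks"] > 0 or f["symbol_ratio"] > max_symbol_ratio:
            out.append(s)
    return out

# Constructed ScriptBlockText values, as they would appear in event ID 4104.
SAMPLES = [
    "$t.GetField('name')",
    "$t.GetFiel`d('name')",
    'Write-Output "done`nnext line"',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(features(s), s)
    print("flagged:", flagged(SAMPLES))
```

On these samples the entropy of the ticked and unticked lines differs by about 0.1 bit, so the targeted tick count, not the aggregate statistic, is what separates them; the legitimate `n escape in the third sample is not counted.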