Antivirus Evasion
Getting your payload and tools through antivirus protections by obfuscating them or disabling protections
Last updated
Getting your payload and tools through antivirus protections by obfuscating them or disabling protections
Last updated
Windows's Antimalware Scan Interface (AMSI) tries to protect systems against suspicious scripts, but like most things, can easily be bypassed. When you run PowerShell code from the command-line, or from a .ps1
script, AMSI will look at the code and if it finds any malicious-looking code, it will throw a ScriptContainedMaliciousContent
error and not execute it. When you want to execute your exploit script, this can get in the way.
A straightforward way to test if AMSI is enabled is to include a string that is always blocked, such as "Invoke-Mimikatz
".
There are many different bypasses that will disable AMSI, without being detected itself. These evolve over time as AMSI blocks more ways, but attackers are quick to find new bypasses by obfuscating certain parts in different ways.
There are 2 types of bypasses, as explained clearly in the post below:
PowerShell-only: This only prevents the ScriptContainedMaliciousContent
check from blocking your exploit, but not anything more. When loading .NET assemblies it might still fail
Global: Disable all AMSI protections, including .NET assemblies
Some PowerShell-only bypasses like the following will disable AMSI for all future PowerShell commands in that same process:
Afterward, you can successfully run scripts that AMSI would normally block, like Invoke-Mimikatz
. But with such a bypass not every protection is gone yet. When you load a .NET assembly for example you might receive the following cryptic error:
To get past this, we'll need a global bypass that disables it completely. If you have done the PowerShell-only bypass already, you don't even need to obfuscate it anymore:
After running this, every AMSI protection should be disabled and you are able to run .NET assemblies again. For example, WinPEAS can be run like this:
When dealing with Windows Defender, an Administrator account can manage the settings of Defender. Simply trying to disable it via the command line will seem suspicious and likely get you blocked. Instead, you can take a look at the exclusions that Defender won't check.
Managing Exclusions requires an elevated shell. Check UAC Bypass for more info.
If you can write your payload in any of the above directories, you will fully bypass Defender. If there is no such directory, you can add one to the list with the following command. You just have to successfully execute it once to fully bypass Windows Defender in the future.