search
BlogContact

Antivirus Evasion

Getting your payload and tools through antivirus protections by obfuscating them or disabling protections

hashtag
AMSI Bypass

Windows's Antimalware Scan Interface (AMSI) tries to protect systems against suspicious scripts, but like most things, can easily be bypassed. When you run PowerShell code from the command-line, or from a .ps1 script, AMSI will look at the code and if it finds any malicious-looking code, it will throw a ScriptContainedMaliciousContent error and not execute it. When you want to execute your exploit script, this can get in the way.

A straightforward way to test if AMSI is enabled is to include a string that is always blocked, such as "Invoke-Mimikatz".

There are many different bypasses that will disable AMSI, without being detected itself. These evolve over time as AMSI blocks more ways, but attackers are quick to find new bypasses by obfuscating certain parts in different ways.

There are 2 types of bypasses, as explained clearly in the post below:

LogoThe difference between Powershell only & process specific AMSI bypasses | S3cur3Th1sSh1ts3cur3th1ssh1t.github.iochevron-right
Powershell-only VS global AMSI bypasses explained

  1. PowerShell-only: This only prevents the ScriptContainedMaliciousContent check from blocking your exploit, but not anything more. When loading .NET assemblies it might still fail

  2. Global: Disable all AMSI protections, including .NET assemblies

LogoGitHub - S3cur3Th1sSh1t/Amsi-Bypass-Powershell: This repo contains some Amsi Bypass methods i found on different Blog Posts.GitHubchevron-right
List of many different known AMSI bypasses that are updated
AMSI.failamsi.failchevron-right
Automatic PowerShell AMSI bypass generator, creates a new bypass every time

Some PowerShell-only bypasses like the following will disable AMSI for all future PowerShell commands in that same process:

Afterward, you can successfully run scripts that AMSI would normally block, like Invoke-Mimikatz. But with such a bypass not every protection is gone yet. When you load a .NET assembly for example you might receive the following cryptic error:

Screenshot from @S3cur3Th1sSh1t when trying to execute something that requires loading a .NET assembly

To get past this, we'll need a global bypass that disables it completely. If you have done the PowerShell-only bypass already, you don't even need to obfuscate it anymore:

After running this, every AMSI protection should be disabled and you are able to run .NET assemblies again. For example, WinPEASarrow-up-right can be run like this:

hashtag
Defender: Exclusions

When dealing with Windows Defender, an Administrator account can manage the settings of Defender. Simply trying to disable it via the command line will seem suspicious and likely get you blocked. Instead, you can take a look at the exclusions that Defender won't check.

circle-info

Managing Exclusions requires an elevated shell. Check UAC Bypass for more info.

If you can write your payload in any of the above directories, you will fully bypass Defender. If there is no such directory, you can add one to the list with the following command. You just have to successfully execute it once to fully bypass Windows Defender in the future.

PreviousPersistenceNextMetasploit

Last updated