It's still possible to bypass amsi protection in windows 10, 11?
-
XSS.stack #1 – первый литературный журнал от юзеров форума
AMSI
- Автор темы святой бог
- Дата начала
I bypassed it
- Автор темы
- Добавить закладку
- #3
How? It's possible to bypass it from power shell directly? The language which I'm working with it's Java, and the payload it's a powershell bash script
yes possible and works fine on 10,11 but you need to be creative and understand the bypass how it work then write your program , i suggest to use dll to bypass and patch amsi then from the exe load the dll entry point it will bypass amsi then you can load your encrypted malware
- Автор темы
- Добавить закладку
- #5
Could i write you on DM? And show you my actual work hahaha
send PM
you can also DM me too there are like 7-10 techniques and they all working I can give you free methods on that you can try
It was in my mind to create a group to develop Red team arsenal
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell all public methods.
- Автор темы
- Добавить закладку
- #10
still workin'¿
No none of those work, they are all outdated. You need to be a little creative when trying to write them. I would recommend writing them in a compiled language then reflective injecting them into powershell or something similar. There are also newer methods that work if you look around on github.
All the known method r detected u need to be creative.. Learn from the public ones and create something just for u
If you can call Win32 function from Java using JNI, you can easily bypass AMSI by writting a `ret` in `AmsiScanBuffer()`.
Or better, you can use C# code (since powershell is also a CLR-hosted script interpreter) directly from powershell to patch AmsiScanBuffer.
You can test your paylods using elastic's open-source detection rules (https://github.com/elastic/detection-rules).
Or better, you can use C# code (since powershell is also a CLR-hosted script interpreter) directly from powershell to patch AmsiScanBuffer.
You can test your paylods using elastic's open-source detection rules (https://github.com/elastic/detection-rules).
- Автор темы
- Добавить закладку
- #14
so the steps should be
Write the native function in C/C++ that overrides the behavior of AmsiScanBuffer.
Use JNI in Java to load and call the native function from mine Java application.
Последнее редактирование:
Or you can simply use C# to patch it. For instance: https://github.com/S3cur3Th1sSh1t/A...e#patching-amsi-amsiscanbuffer-by-rasta-mouse
- Автор темы
- Добавить закладку
- #16
Na I don't like c#, but any way, i already achieve it, all I got say it's thanks so much bro!!! Thanks
can you please share how you achieved it ?
you can write many scripting language inside the language polylinguistic scripts can achieve bypass AV with lolbins and stuff ofcourse
can I pm you to know how you did the dll sideloading?
- Автор темы
- Добавить закладку
- #20
how many LOLBAS windows binaries do you know?
Последнее редактирование: