
@D3Ext
D3Ext / amsi-bypass.md
Last active April 11, 2025 19:30
All methods to bypass AMSI (2022)

AMSI Bypass

To test any of these techniques, simply type "Invoke-Mimikatz" into your PowerShell terminal. You'll notice that even if you haven't imported Mimikatz, the string itself is flagged as malicious. If AMSI is off or has been avoided, PowerShell will instead just say that it's "not recognized as the name of a cmdlet", so you could say that you've bypassed AMSI.

However, some methods may be detected by the AV, but most of them actually work without problems.

Powershell downgrade

The first and worst way to bypass AMSI is downgrading PowerShell to version 2.0.

@gwhite-so
gwhite-so / session-enumeration-runbook.toml
Last active July 29, 2024 01:26
session-enumeration-runbook
[[testCases]]
id = "1.0.0"
name = '1.0.0 - Enumerate SMB Sessions from Third-Party Utility On Disk (NetSess)'
description = "Using the third party NetSess.exe utility to enumerate active SMB sessions"
tooling.name = "NetSess.exe"
tooling.references = [
"http://www.joeware.net/freetools/tools/netsess/"
]
executionSteps = [
'agent> upload -File NetSess.exe',