Bypass AMSI in PowerShell

Original text by Aidin Naserifard

In one of our red team projects, I wanted to use the BloodHoundAD script. BloodHound is a single-page JavaScript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a C# data collector. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.

Let me explain the scenario.

I want to use SharpHound, the C# rewrite of the BloodHound ingestor.


When you run SharpHound.ps1 directly in PowerShell, the latest version of AMSI prevents it from running:


Because this script is a known malicious payload, Microsoft AMSI has a signature for it and blocks it from running.

So I split the script into fragments and ran each one separately, directly in PowerShell, to find out exactly which parts of the payload AMSI detects.

OMG! AMSI does not detect the value of the $EncodedCompressedFile parameter, which is the main part of the malicious code. All that remains is to use the other parts of the script to decode and execute it correctly in PowerShell.


You can bypass AMSI by base64-encoding and Deflate-compressing a malicious payload and then executing it. Here is the POC video.
