15 July 2023 PfiatDe /blog/2023/07/15/divideconqer.html
Poch, Poch, is this thing on? Bypass AMSI with Divide & Conquer
Every time I play with Windows Defender detection, it surprises me how many ways there are to bypass something. And some of them are really simple: just break the static detection rule.
By splitting well-known PowerShell scripts, e.g. an AMSI bypass, into multiple lines, we can either bypass Windows Defender directly or at least find the line where the detection triggers.
Outcome: several AMSI bypasses and two scripts:
- One to split PowerShell snippets into multiple lines
- A second script to run all the resulting files from a one-liner, XOR obfuscated
The second script is also quite useful on several other occasions. Got a webshell, XP_CMDSHELL or RCE, but AV is blocking your powershell -c(ommand)? This might be for you.
PoC of running multiple stages in one command: first two different AMSI bypasses, then Mimikatz via IWR