InfoSec Write-ups – Medium
Bypass AMSI in PowerShell — A Nice Case Study
Let me explain the scenario…
I want to use SharpHound. SharpHound is the C# Rewrite of the BloodHound Ingestor.
When you run SharpHound.ps1 directly in PowerShell, the latest version of AMSI prevents it from running:
Because this script is a known malicious payload, Microsoft's AMSI has a signature for it and blocks it from running.
Well, I fragmented this script and ran each part separately and directly in PowerShell. The reason for this is that I wanted to find out exactly which parts of the payload AMSI detects.
OMG! AMSI cannot detect the value of this parameter: $EncodedCompressedFile. This is the main part of the payload. The remaining parts of the script are only needed to decode and execute it in PowerShell.
In other words, AMSI matches the plaintext script but not the same payload once it is deflate-compressed and base64-encoded, so a script that decodes and decompresses the payload before executing it gets past the signature. Here is the PoC video.
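From the defender's side, the useful observation in this case study is that the decode-and-inflate step itself is a detectable pattern: a script block that both calls `[Convert]::FromBase64String` and opens a `DeflateStream` in `Decompress` mode is unpacking something it did not want to show in plaintext. The following Python scanner is an added example, not code from the original post or from the SharpHound project. It runs over constructed PowerShell script-block log lines (assumed to be the `ScriptBlock:` text from event 4104, simplified to one line each), flags blocks that show the pattern, and inflates the embedded blob so the real content can be inspected or fed to a signature scanner. The sample blob is built at runtime from a benign `Write-Host` command; the `$EncodedCompressedFile` variable name is the one the post mentions, and the regexes and thresholds are assumptions, not a published detection rule.

```python
import base64
import re
import zlib
from typing import List, Optional, Tuple


def _make_blob(script: str) -> str:
    """Build a base64 + raw-DEFLATE blob, the shape .NET's DeflateStream produces.

    Used only to construct the sample log entry below (wbits=-15 means raw
    DEFLATE with no zlib header, which is what DeflateStream reads/writes).
    """
    co = zlib.compressobj(level=9, wbits=-15)
    return base64.b64encode(co.compress(script.encode("utf-8")) + co.flush()).decode("ascii")


# Constructed sample: benign content packed the same way the post describes.
BENIGN_PAYLOAD = "Write-Host 'constructed benign payload for inspection'"

# Constructed script-block log lines (assumption: one ScriptBlock per line).
SAMPLE_LOG_LINES = [
    "ScriptBlock: Get-Process | Where-Object { $_.CPU -gt 100 }",
    "ScriptBlock: $EncodedCompressedFile = '" + _make_blob(BENIGN_PAYLOAD) + "'; "
    "$DeflatedStream = New-Object IO.Compression.DeflateStream("
    "[IO.MemoryStream][Convert]::FromBase64String($EncodedCompressedFile),"
    "[IO.Compression.CompressionMode]::Decompress)",
    "ScriptBlock: Get-ChildItem -Recurse C:\\Users",
]

# Two signals that, together, mark an in-memory unpacker (assumed heuristics).
BASE64_DECODE = re.compile(r"\[Convert\]::FromBase64String", re.IGNORECASE)
DEFLATE_DECOMPRESS = re.compile(r"DeflateStream.*Decompress", re.IGNORECASE | re.DOTALL)
# A long single-quoted base64 literal; 40 chars is an assumed minimum to skip short strings.
BLOB_LITERAL = re.compile(r"'([A-Za-z0-9+/=]{40,})'")


def is_packed_stager(block: str) -> bool:
    """True when the block both base64-decodes and inflates data in memory."""
    return bool(BASE64_DECODE.search(block) and DEFLATE_DECOMPRESS.search(block))


def unpack_blob(blob_b64: str) -> Optional[str]:
    """Inflate a base64 + raw-DEFLATE blob for inspection; None if it is not one."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
        return zlib.decompress(raw, wbits=-15).decode("utf-8", errors="replace")
    except (ValueError, zlib.error):
        return None


def scan_log(lines: List[str]) -> List[Tuple[int, Optional[str]]]:
    """Return (line_index, decoded_payload_or_None) for every suspicious block."""
    findings = []
    for i, line in enumerate(lines):
        if not is_packed_stager(line):
            continue
        m = BLOB_LITERAL.search(line)
        findings.append((i, unpack_blob(m.group(1)) if m else None))
    return findings


if __name__ == "__main__":
    for idx, decoded in scan_log(SAMPLE_LOG_LINES):
        print(f"line {idx}: packed stager detected")
        print("  decoded content:", decoded)
```

The point of inflating the blob rather than only alerting on it is that the decoded text is exactly what AMSI would have matched had it been run in plaintext, so the scanner can hand it to the same signatures (or to a YARA rule set) and turn the evasion back into a detection. Script-block logging records the decoding code regardless of whether AMSI flagged it, which is why this pattern belongs in log-based detection rather than only in the in-process scan.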
Bypass AMSI in PowerShell — A Nice Case Study was originally published in InfoSec Write-ups on Medium.