the powershell script is detectable.
zisis912 opened this issue · 7 comments
As you can see in the image, I ran the AMSI bypass PowerShell command, but it was detected. Literally the only antivirus that I have is Windows Defender. (The normal non-AMSI command didn't even work, it just closes PowerShell.)
I am using windows/meterpreter/reverse_https, I think.
I followed this guide to use it.
https://null-byte.wonderhowto.com/how-to/hacking-windows-10-create-undetectable-payload-part-1-bypassing-antivirus-software-0185055/
You should watch this: https://www.youtube.com/watch?v=6G9DD6SkVqk
then you will know why this happens.
It is normal. If it is detected, don't freak out, it's normal, like I said.
Isn't this entire project made to create undetectable payloads? Why would you need to rewrite the tool to make it create undetectable scripts?
Also, I should mention that PowerShell also blocks scripts for TheFatRat.
Watch the video I sent and you will understand better how the tool works (hopefully).
Also, you don't have to re-write the entire tool for it to work.
Seriously, watch the YT video when you are bored or whatever. It will make better sense to you.
I watched the video, and I'm wondering which one of these ways I should use to make the script bypass AMSI: modify the base64 code, use that project by rasta, or use that guide to modify Metasploit's payload.dll?
Also, shouldn't Unicorn bypass AMSI by default? Does a new AMSI bypass get added every week?
I suggest you join the discord server and ask in the #ask-help channel. https://discord.gg/trustedsec
I asked, but it takes over a day for anyone to answer.