Bypassing AMSI
AMSI is really helpful for defenders when it comes to preventing malicious code from getting executed. But attackers would not be attackers if they did not try to find a way to bypass AMSI. In this section, we will look at some common techniques.
Most bypasses I have come across are somehow trying to tamper with amsi.dll. Most of the time, the goal is to either manipulate the result so that malicious code appears clean by replacing amsi.dll with a custom one or by avoiding amsi.dll completely.
Often, when there’s a new bypass found that people blog about, it gets immediately fixed and detected shortly after it is released.
Joseph Bialek originally wrote the Invoke-Mimikatz.ps1 script to make all Mimikatz functions available via PowerShell.
Invoke-Mimikatz is a part of the nishang module and can be downloaded from GitHub: https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Mimikatz.ps1.
To demonstrate the examples here, I have...
