AV Evasion 101 - Powershell
Author: S3cur3Th1sSh1t
Uploaded: 2021-08-09
Views: 4226
In this Twitch stream I showed Powershell protection mechanisms and techniques to bypass them. In addition, some obfuscators for scripts as well as manual modification for AV signature evasion were shown.
Introduction - 12:58
Bypass AMSI - 24:40
Load C# binaries into Powershell after patching AMSI - 45:55
Script Block Logging introduction and bypass - 52:22
Invoke-Obfuscation - 1:02:22
Script Block Logging bypass No. 2 - 1:09:23
Bypass Constrained Language Mode with MSBuildshell - 1:15:40
PSBypassCLM obfuscation fail from my side - 1:26:25
AmsiTrigger fails from my side - 1:38:23
Pyfuscation - automate string replacements - 1:52:19
Bypass the Defender in memory scanner for Mimikatz - 2:02:58
Bypass in memory scanner by using PPID Spoofing - 2:18:00
SandBox Evasion - 2:26:12
AmsiTrigger & ThreadCheck troubleshooting - 2:55:00
ISE-Steroids has pretty bad OPSec - 3:13:25
Links mentioned and used:
https://amsi.fail/
https://s3cur3th1ssh1t.github.io/Bypa...
http://www.powertheshell.com/isestero...
https://specterops.io/assets/resource...
https://github.com/itm4n/PrivescCheck
https://github.com/danielbohannon/Inv...
https://www.bc-security.org/post/powe...
https://github.com/RythmStick/AMSITri...
https://github.com/byt3bl33d3r/Offens...
https://github.com/Arvanaghi/CheckPlease
https://github.com/rasta-mouse/Threat...
https://s3cur3th1ssh1t.github.io/Cust...
Several Scripts were used from here:
https://github.com/S3cur3Th1sSh1t/Cre...