How to bypass AMSI (The Simplest Way)
I was looking to run my own phishing campaigns on my current organization and was testing office document payloads. I tried the old fashioned VBA in the macro running the shell function as well as some others, and defender caught most if not all of them. Using this tool Macro-Pack works sometimes but often, it would get flagged or the powershell command would not properly run. I noticed that most of the issues i was running into was this AMSI popup
So i began researching AMSI as i never heard of it. The following resources break down AMSI and bypass options.
The first two explain what AMSI is and the last two go into the easier ways to bypass it. Security-Soup broke down how some actors bypassed it using excel 4.0 macros. Aka really old macros that still work. I used the following link to get more familiar with these macros.Excel Off The Grid. I pretty much right clicked my sheet. And clicked Excel 4.0 macro. This creates a new sheet called macro1. If you rename the first cell Auto_open it will run the sheet cell by cell. Dont forget to hide the sheet after this lol. You can run pretty much anything with the following function.
The issue i was running into at this point was not AMSI it was defender flagging certain lolbins like certil for example. So i decide to look for lolbins that could potentially bypass defender since AMSI was taken care of. I came across a post here on IronHackers That pretty much goes through alot of lolbins but what i noticed was they mentioned that. Mshta.exe doesnt get flagged.
So i found an HTA payload which contained some jscript and tried injecting that into my exec function. The macro1 sheet now looks like this
The HTA file looks like this
Im not very savy to Jscript or VB so i found this online entered my own powershell encoded command into it. And to my surprise it did not trigger defender and my reverse shell came in soon after. So with just using an old school method found with soome googling and leveraging mshta.exe you too can bypass defender as well as AMSI to get code execution.
How to bypass AMSI (The Harder Way)
but its more flexible and in depth
===> Hoang Bui’s Blog