Plxsmarex/Powershell-Smuggler

Powershell-Smuggler

Decrypts a PowerShell script and executes it using ScriptBlock smuggling, bypassing AMSI and some telemetry.

How it works

Powershell-Smuggler is a compact PowerShell script that base64-decodes and XOR-decrypts an encrypted PowerShell command or script, then executes the result using ScriptBlock smuggling. The smuggling step is what bypasses AMSI and some PowerShell logging: the ScriptBlock that runs carries benign source text, so the text that AMSI scans and that ScriptBlock logging records is not the decoded payload. Telemetry that does not depend on the ScriptBlock's text, such as module logging of the commands that actually execute, is not hidden by this trick, which is why only "some" logging is bypassed.

By default Powershell-Smuggler executes the string "Invoke-Mimikatz", a common test string for the Windows Defender AMSI provider (the name alone is enough to trigger a detection when it passes through AMSI). To run your own payload, XOR-encrypt it, base64-encode the result, and replace the values of "$a" (the XOR key) and "$b" (the encoded payload) in Powershell-Smuggler.
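The encoding step described above, as an added example that is not part of Powershell-Smuggler: a repeating-key XOR plus base64 encoder and its inverse, so the "$a" and "$b" values can be produced and checked for a clean round trip before being pasted into the script. The key, the sample payload and the function names are assumptions for this illustration; the payload is a harmless Write-Host and is only decoded here, never executed.

```powershell
# Added example, not code from the Powershell-Smuggler repository.
# Produces the XOR key ($a) and XOR-encrypted, base64-encoded payload ($b)
# and verifies that decoding gives the original text back.

function ConvertTo-XorBase64 {
    param(
        [Parameter(Mandatory)][string]$Payload,
        [Parameter(Mandatory)][string]$Key
    )
    $p   = [System.Text.Encoding]::UTF8.GetBytes($Payload)
    $k   = [System.Text.Encoding]::UTF8.GetBytes($Key)
    $out = New-Object byte[] $p.Length
    for ($i = 0; $i -lt $p.Length; $i++) {
        # Repeating-key XOR: key byte cycles with $i modulo key length.
        $out[$i] = $p[$i] -bxor $k[$i % $k.Length]
    }
    [Convert]::ToBase64String($out)
}

function ConvertFrom-XorBase64 {
    param(
        [Parameter(Mandatory)][string]$Encoded,
        [Parameter(Mandatory)][string]$Key
    )
    $c   = [Convert]::FromBase64String($Encoded)
    $k   = [System.Text.Encoding]::UTF8.GetBytes($Key)
    $out = New-Object byte[] $c.Length
    for ($i = 0; $i -lt $c.Length; $i++) {
        # XOR is its own inverse, so the same loop decrypts.
        $out[$i] = $c[$i] -bxor $k[$i % $k.Length]
    }
    [System.Text.Encoding]::UTF8.GetString($out)
}

# Constructed sample values (assumptions for this example).
$key     = 'k3y-example'
$payload = 'Write-Host "hello from the decoded script"'

$a = $key                                              # XOR key slot
$b = ConvertTo-XorBase64 -Payload $payload -Key $key   # encoded payload slot
Write-Host ('$a = ''{0}''' -f $a)
Write-Host ('$b = ''{0}''' -f $b)

# Round-trip check: the decoded text must match the original exactly.
$decoded = ConvertFrom-XorBase64 -Encoded $b -Key $a
if ($decoded -ne $payload) { throw 'XOR/base64 round-trip failed' }
Write-Host 'round-trip OK'
```

Decoding on its own evades nothing: the moment the decoded text becomes a ScriptBlock (for example through Invoke-Expression) it is handed to AMSI and ScriptBlock logging unchanged. The ScriptBlock smuggling step in Powershell-Smuggler is what separates the text that gets scanned and logged from the code that runs; this helper only prepares the two values that step consumes.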

Examples

Bypassing AMSI for the Invoke-Mimikatz command:

[screenshot: amsibypass]

Hiding the real command that will be executed:

[screenshot: telemetrybypass]

More information about the ScriptBlock smuggling technique can be found here:

https://bcsecurity.io/blog/scriptblock_smuggling/