Skip to content
/ Powershell-Smuggler Public

Decrypting a powershell script and executing it using scriptblock smuggling, bypassing AMSI and some telemetry.

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Plxsmarex/Powershell-Smuggler

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
Powershell-Smuggler.ps1
Powershell-Smuggler.ps1
 
 
README.md
README.md
 
 

Repository files navigation

Powershell-Smuggler

Decrypting a powershell script and executing it using scriptblock smuggling, bypassing AMSI and some telemetry.

How it works

Powershell-Smuggler is a compact powershell script that works by base64 decoding and XOR decrypting an encrypted powershell command or script. After that it will execute the powershell command using scriptblock smuggling, bypassing AMSI and some powershell logging.

By default Powershell-Smuggler will just execute "Invoke-Mimikatz", a common command used to test the Windows Defender AMSI provider, you can change it by XOR encrypting and then base64 encoding your powershell payload, and replacing "$a" and "$b" in Powershell-Smuggler with a key for XOR decryption and your encoded payload.

Examples

Bypassing AMSI for the Invoke-Mimikatz command:

amsibypass

Hiding the real command that will be executed:

telemetrybypass

More information about the scriptblock smuggling technique can be found here:

https://bcsecurity.io/blog/scriptblock_smuggling/

About

Decrypting a powershell script and executing it using scriptblock smuggling, bypassing AMSI and some telemetry.

Topics

windows obfuscation script powershell ps1 in-memory encrypted evasion bypass payload high-level av-evasion av-bypass amsi living-off-the-land fileless amsi-bypass amsi-evasion edr-bypass edr-evasion

Resources

Readme
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Languages