This project was created to explore the various evasion techniques involving PowerShell

• Amsi
• ScriptBlockLogging
• Constrained Language Mode
• AppLocker

The module manages the delivery of an hta file and a stager ps1 file. When the hta is executed it extracts the dll and runs it via rundll32. The metasploit payload is an Empire custom stager without Amsi bypass parts and ScriptBlockLogging, will be executed outside powershell. This prevents the logging bypass code from remaining logged.

This .Net class library is used to run PowerShell scripts from c #. The bypasses are executed and then the scriptblock that invokes the stager is executed. Using the DllExport package the .Net DLL exports a function that allows it to be executed via rundll32 and this results in a bypass of the default AppLocker rules

Put the hta_sharp.rb file in the $ (HOME) /.msf4/modules/exploits/windows/misc folder

Put in powershell_empire_http.rb file in the $ (HOME) /.msf4/payloads/singles/windows/x64 folder

Complete the solution Create the $ (metasploit_data_dir) / hta_sharp folder Copy the bin\Release\x64\HiddenPowerShellDll.dll file to $(metasploit_data_dir)/hta_sharp renaming it to HiddenPowerShellDllx64.dll

If you run a payload meterpreter set PrependMigrate advanced property to true

To run the Empire payload:

• Create the http listener in Empire framework and use the StagingKey property to set the STAGINGKEY option of the powershell_empire_http payload
• set PrependMigrate advanced property to false.

To maximize evasion it is necessary to use the https protocol for all the phases. Self signed or cloned certificates are supported. Do not use the default metasploit certificates.

AMSI Bypass @_RastaMouse version
ScriptBlockLogging @cobbr_io
General inspiration runspace @Cneelis