cobbr / psamsi Goto Github PK

Hello all,

I don't know if I understood the wiki correctly and am just missing an embarrassing error,

in any case I wanted to create true / false values, but when I try to scan a malicious file with PSamsi, only the red error message comes up in powershell that the file was blocked by my antivirus, but also PSAmsi's execution is terminated...
So I can't get a true value for the scan anymore.
If I disable defender I get false and a warning for each malicious file, but that is logical in this case.

Does anyone know what I am doing wrong?

With kind regards
Luke

Section: Weaponized-version

Code-block:

...PSAmsiClient/ps1

Should be:

...PSAmsiClient.ps1

Title says it all.
https://pastebin.com/raw/NYHCfeQ4 is just a copy of https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1

Screenshot:

I'm running PS 5.1 + DotNet 4.7 on WIndows 7 x86,

During module import it gives me the following error:

PS c:\test\PSAmsi-master> import-module .\PSAmsiClient.ps1
PS c:\test\PSAmsi-master> $Scanner = [PSAmsiScanner]::new()
AmsiInitialize : You cannot call a method on a null-valued expression.
At c:\test\PSAmsi-master\PSAmsiClient.ps1:1396 char:19
+ ...   $Result = AmsiInitialize -appName $this.PSAmsiScannerAppName -amsiC ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [AmsiInitialize], RuntimeE
   xception
    + FullyQualifiedErrorId : InvokeMethodOnNull,AmsiInitialize

Any ideas?

Hey i see u are using "https://github.com/danielbohannon/Invoke-Obfuscation" Is there a way to bypass AMSI detection using obfuscation ? or the best way forsure is to create it on your own ..

I have a PSAMSi server being run on a Kali VM with the Client being run on a VM. PSAmsi is properly finding the flags when using the -FindAmsiSignatures switch but is simply returning the original script with no modifications when the -GetMinimallyObfuscated flag is used.

The obfuscation functionality fails and this line is reached:

# If we've run through all the strings and the string is still flagged, obfuscation fails
If (($TokenIndex -ge ($MatchingTokens.Count-1))) { $DoneObfuscating = $True }

(https://github.com/cobbr/PSAmsi/blob/master/PSAmsiClient.ps1#L3177)

Hi,

i think this is more a feature request than an issue. I tried to find the relevant amsi signature for my own script https://github.com/SecureThisShit/WinPwn, which gets flaged by amsi because of loaded scripts and not by the script content itself.

By starting a scan with the script on a server and PSAMSIClient the script is not flagged.

Start-PSAmsiServer -Port 80 -ScriptPath /root/WinPwn/WinPwn.ps1                          
ScriptName ScriptIsFlagged
---------- ---------------
WinPwn.ps1           False

It woult be nice if all scripts loaded by the scanned script itself are also checked for signatures.