# Bypassing AV Signatures for PowerShell * can use the AMSlTrigger * * tool to identify the exact part of a script that is detected. * * * identify code and strings from a binary / file that Windows Defender may flag. * Simply provide path to the script file to scan it: ``` AmsiTrigger_x64. exe -i powerup.ps1 ``` ``` DefenderCheck.exe powerup.ps1 ``` * For full obfuscation of PowerShell scripts, see * * Steps to avoid signature based detection are pretty simple: * Scan using AMSlTrigger * Modify the detected code snippet * Rescan using AMSlTrigger * Repeat the steps 2 & 3 till we get a result as "AMSI RESULT NOT DETECTED" or "Blank" ### Example * using powerup * Scan using AMSlTrigger * ```

``` * need to manually get which word is a problem - it does not give the exact string - needs to be done manually * once you know what is the problem find a solution * in above example `System.Appomain` was the issue * so reverse the strings * ```

``` ### Ideas for Bypassing * Remove default comments. * Rename the script, function names and variables. * Modify the variable names of the Win32 API calls that are detected. * Obfuscate PEBytes content PowerKatz dll using packers. * if another tool is used * ie daisy chaining * you might need to rework that tool * * Implement a reverse function for Bytes to avoid any static signatures. * example could be convert the DLL to base 64 and reverse it * Add a sandbox check to waste dynamic analysis resources. \* ```

``` * add other DLL to check into the code * intentions is to waste time * also gets to know if your code is executed in a sandbox * in this case we are looking for vmware and virtual box dll * since a sandbox will not contain these dll * Remove Reflective warnings for a clean output. * Use obfuscated commands for example in Invoke-MimiEx execution. * `sekurlsa::ekeys` can be broken down to * ```

``` * Analysis using DefenderCheck.