
# Bypassing AV Signatures for PowerShell

* Use AMSITrigger to identify the exact part of a script that is detected:
  * <https://github.com/RythmStick/AMSITrigger>
* Use DefenderCheck to identify code and strings in a binary / file that Windows Defender may flag:
  * <https://github.com/matterpreter/DefenderCheck/tree/master>
  * <https://github.com/t3hbb/DefenderCheck/tree/master>
* Simply provide the path to the script file to scan it:

```
AmsiTrigger_x64.exe -i powerup.ps1
```

```
DefenderCheck.exe powerup.ps1
```

* For full obfuscation of PowerShell scripts, see
  * <https://github.com/danielbohannon/Invoke-Obfuscation>
* The steps to avoid signature-based detection are pretty simple:
  * Scan using AMSITrigger.
  * Modify the detected code snippet.
  * Rescan using AMSITrigger.
  * Repeat the modify and rescan steps until the result is "AMSI RESULT NOT DETECTED" or blank.

### Example

* Using PowerUp:
  * Scan using AMSITrigger (screenshot of the scan output omitted).
  * AMSITrigger does not give the exact string, so you need to work out manually which word is the problem.
    * Once you know what the problem is, find a solution:
      * In the example above, `System.AppDomain` was the issue.
      * So reverse the strings (screenshot of the modified script omitted).

### Ideas for Bypassing

* Remove default comments.
* Rename the script, function names and variables.
* Modify the variable names of the Win32 API calls that are detected.
* Obfuscate the PEBytes content (the PowerKatz DLL) using packers.
  * If another tool is used (i.e. daisy chaining), you might need to rework that tool as well:
    * <https://github.com/mgeeky/ProtectMyTooling>
* Implement a reverse function for the bytes to avoid any static signatures.
  * For example, convert the DLL to Base64 and reverse the resulting string.
* Add a sandbox check to waste dynamic analysis resources (screenshot of the check omitted).
  * Add other DLLs to check for into the code:
    * The intention is to waste time.
    * It also tells you whether your code is being executed in a sandbox.
      * In this case we are looking for the VMware and VirtualBox DLLs, since a sandbox will not contain these DLLs.
* Remove reflective warnings for a clean output.
* Use obfuscated commands, for example in Invoke-MimiEx execution:
  * `sekurlsa::ekeys` can be broken down into parts (screenshot omitted).
* Analyse using DefenderCheck.
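From the defender's side, the two tricks described above (reversing a flagged string such as `System.AppDomain`, and probing for VMware/VirtualBox DLLs as a sandbox check) leave recognisable traces in PowerShell script block logging. The following Python is an added example, not part of these notes or of any of the tools linked on this page; it runs a small set of checks over a constructed script block: every string literal is reversed and compared against a watchlist of the tokens named on this page, literals naming hypervisor DLLs are flagged, and the Base64-decode-plus-reverse combination is flagged. The sample script block, the watchlist and the `vboxmrxnp.dll` path are constructed for the example.

```python
import re

# Constructed sample script block (not from the page): it mimics the tricks the
# notes describe, a reversed string literal that hides System.AppDomain, an
# existence check for a VirtualBox DLL, and a Base64 decode followed by a reverse.
SAMPLE_SCRIPT_BLOCK = r'''
$x = 'niamoDppA.metsyS'
$ca = $x.ToCharArray(); [array]::Reverse($ca); $t = -join $ca
$inVm = [System.IO.File]::Exists("C:\Windows\System32\vboxmrxnp.dll")
$b = [Convert]::FromBase64String($blob)
[array]::Reverse($b)
'''

# Tokens worth recognising when they show up reversed. These two are the strings
# the notes name; extend the tuple with your own watchlist.
WATCHLIST = ("System.AppDomain", "sekurlsa::ekeys")

# Substrings identifying hypervisor DLL names (the notes mention VMware and VirtualBox).
VM_MARKERS = ("vmware", "vbox", "virtualbox")

# Single- or double-quoted PowerShell string literals (no escape handling; enough for triage).
STRING_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"")


def string_literals(script: str) -> list[str]:
    """Return every quoted string literal in the script block, in order."""
    return [single or double for single, double in STRING_RE.findall(script)]


def find_reversed_watchlist(script: str) -> list[tuple[str, str]]:
    """Pairs of (literal, token) where reversing the literal reveals a watchlist token."""
    hits = []
    for lit in string_literals(script):
        reversed_lit = lit[::-1].lower()
        for token in WATCHLIST:
            if token.lower() in reversed_lit:
                hits.append((lit, token))
    return hits


def find_vm_dll_probes(script: str) -> list[str]:
    """String literals that name a hypervisor DLL, i.e. a likely sandbox check."""
    return [
        lit for lit in string_literals(script)
        if lit.lower().endswith(".dll") and any(m in lit.lower() for m in VM_MARKERS)
    ]


def has_base64_reverse_combo(script: str) -> bool:
    """Base64 decoding next to an array reversal is the reversed-payload pattern from the notes."""
    return bool(re.search(r"FromBase64String", script, re.IGNORECASE)
                and re.search(r"\[array\]::Reverse\(", script, re.IGNORECASE))


def analyze(script: str) -> list[str]:
    """Human-readable findings for one script block; an empty list means nothing matched."""
    findings = []
    for lit, token in find_reversed_watchlist(script):
        findings.append(f"reversed literal {lit!r} hides watchlist token {token}")
    for lit in find_vm_dll_probes(script):
        findings.append(f"literal {lit!r} names a hypervisor DLL (possible sandbox check)")
    if has_base64_reverse_combo(script):
        findings.append("Base64 decode combined with [array]::Reverse (reversed payload pattern)")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_SCRIPT_BLOCK):
        print(finding)
```

In practice the input to `analyze` would be the ScriptBlockText of Event ID 4104 records from the Microsoft-Windows-PowerShell/Operational log, which captures the de-obfuscated script block at execution time regardless of how the file on disk was rewritten.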
