Making a Powershell Shellcode Downloader that Evades Defender (Without Amsi Bypass)

Hello everyone, today i’m going to show how to modify a powershell shellcode runner to download shellcode and run it while also evading Defender.

I’m going to use this shellcode runner I have used in the past.

I’m using a Windows VM with defender currently disabled. I’m going to copy the code and put in a new file on powershell ISE.

I’m going to add a $url variable containing the url from where we will download our .bin file then modify the $buf variable so it downloads the raw data and the [Byte[]] at the start makes sure the data will be read as bytes.

Now we need to make sure we allocate enough space for any shellcode we are going to run. I’m going to move the $cucumbers variable to be below the $buf variable.

$cucumbers variable contains the call to the VirtualAlloc function in Windows Api, I’m going to the edit the second argument which defines the size to be the size of the $buf variable.

Save the file and now lets test it!

I’m going make a reverse shell in msfvenom with raw type file and save it as rev.bin.

I’m going to set my python http server from where it will download the rev.bin.

Now i’m going to set netcat listener from where I’ll get my reverse shell.

Now let’s test our powershell script.

And we get shell!

However this won’t evade Defender yet.

I’m going to use AmsiTrigger to see what lines of code may be detected as malicious.

Even though it shows most of the code the first line of it may be what’s triggering it, it is pointing to the GetAssemblies() function.

The GetAssemblies() is called in the potatoes function

I’m going to put this part of the code in a separate file and use Invoke-Obfuscation to obfuscate it.

We import the module and then run Invoke-Obfuscation

then we set the scriptpath to our file to be obfuscated

now lets do token/all/1 so it applies all obfuscation techniques.

And we get our obfuscated code.

Note: The output of this will be different each time as it sort of randomizes how it applies obfuscation, sometimes this may break the code and you need to obfuscate it again.

Now we replace the lines of the potatoes function with our obfuscated code.

Now we save the file. Lets enable real time protection, move it to a folder that is not excluded in Defender and run the powershell script.

And we get our reverse shell fully evading Defender without needing amsi bypass!

Now we can use this to run any shellcode saved as .bin file while evading defender. Again don’t be surprised if this get caught some days later, just try to further improve it on your own.

Buy me a coffee and support me: https://buymeacoffee.com/lainkusanagi