FullBypass

Do I need to bypass the AV before executing the MSBuild command?

Open Ilyesdhiaeddine opened this issue 1 year ago • 4 comments

image

Ilyesdhiaeddine, Jun 08 '24 15:06

Seems a PowerShell reverse shell was detected by AV. Try to obfuscate or use another one. The AMSI bypass and FullLanguage mode work fine.

Sh3lldon, Jun 08 '24 16:06

@Ilyesdhiaeddine you should be able to IEX a ps1 that contains a reverse shell. That way the PowerShell section that is getting flagged by AV isn't there. In theory AMSI will be bypassed, so the ps1 file can contain a generic reverse shell.

beauknowstech, Sep 20 '24 17:09

@Ilyesdhiaeddine I made a small change in my fork of this project that shouldn't get caught by AV. Link if you want to take a look: https://github.com/beauknowstech/FullBypass

beauknowstech, Nov 19 '24 07:11

Thank you! I will take a look. Also, maybe I will make a good update in a short time.

Sh3lldon, Nov 19 '24 07:11