Bypassing AntiVirus using PowerShell
Profile
Satoshi Ogawa
Twitter:abend@number3to4
Burp Suite Japan User Group
ISOG-WG1
Empire
Post Exploitation Framework
https://github.com/EmpireProject/Empire
Empire
(Diagram: the attacker's Empire C2 server on one side, the victim on the other; the victim executes the script and talks back to the C2 server over http/https.)
Once the victim executes the script generated by Empire, the attacker can control the victim.
Empire’s Script
Empire generates two kinds of script: PowerShell and Python.
The attacker gets the victim to execute the script.
The victim then contacts the C2 server at regular intervals over a protocol such as HTTP.
Empire’s PowerShell Script (PowerShell)
Empire’s PowerShell launcher looks like this:
powershell -NoP -sta -w 1 -enc XXXXXXXX
The options used:
 -NoP: NoProfile (do not load the user's profile script)
 -sta: Single-Threaded Apartment
 -w 1: WindowStyle 1 = Hidden
 -enc: EncodedCommand (the script, base64-encoded as UTF-16LE)
Empire’s PowerShell script
14 anti-virus products detect the launcher as generated by Empire.
After base64-decoding the EncodedCommand, 11 anti-virus products detect the decoded script.
Bypass one Anti Virus
One of those anti-virus products no longer detects the script once the alias "IEX" is replaced by its full name "Invoke-Expression".
Technique of Obfuscation 1
If($PSVERSIoNTabLe.PSVerSion.MAJoR -Ge 3)
PowerShell is case-insensitive, so a mixed-case name such as MAJoR resolves to Major, and a signature written for one spelling misses the others.
Technique of Obfuscation 2
$GPF=[rEF].AsSEMBly.GetTypE('System.Management.Automation.Utils')."GETFiE`lD"('cachedGroupPolicySettings','N'+'onPublic,Static');
A method or property name can be written as a string literal and is still invoked, so ."GETFiE`lD"(...) calls GetField.
> "abcd"."Contains"("bc") ⇒ True
(The same line also hides the literal NonPublic by splitting it: 'N'+'onPublic,Static' is only concatenated at run time.)
Technique of Obfuscation 3
"`" is the escape character. Inside a double-quoted string a backtick has no effect unless it forms one of the reserved escape sequences.
Technique of Obfuscation 4
Reserved escape sequences:
`0 Null
`a Alert (bell)
`b Backspace
`f Form feed
`n New line
`r Carriage return
`t Tab
`v Vertical tab
(A backtick also escapes a following `, ", ' or $.)
Technique of Obfuscation 5
"`l" is not a reserved sequence, so it is simply "l": "GETFiE`lD" is the string GETFielD, which, names being case-insensitive, is the same as GetField.
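The tricks above are all reversible by a detector that normalises the script before matching, which is what the difference between 14 and 11 detections (launcher versus decoded script) is really about. The Python below is an added example, not code from these slides or from Empire: it builds a launcher in Empire's -enc shape from a constructed sample script, decodes the EncodedCommand back out (UTF-16LE under base64), and then undoes the five techniques (case, quoted member names, stray backticks, split strings, the IEX alias) so that plain-text signatures match. The sample script, the alias table and the SIGNATURES strings are assumptions made for the example.

```python
import base64
import binascii
import re

# Constructed sample in the style of the page's snippets: mixed case, a quoted
# method name with a stray backtick, a split string literal and the IEX alias.
OBFUSCATED = (
    "If($PSVERSIoNTabLe.PSVerSion.MAJoR -Ge 3){"
    "$GPF=[rEF].AsSEMBly.GetTypE('System.Management.Automation.Utils')"
    ".\"GETFiE`lD\"('cachedGroupPolicySettings','N'+'onPublic,Static');"
    "}; IEX $x"
)

# Backtick sequences PowerShell treats as real escapes (the page's table plus
# the backtick, quote and dollar escapes); any other `x is just x.
RESERVED_ESCAPES = set("0abfnrtv`\"'$")

# Built-in aliases a signature should see in canonical form (assumed table).
ALIASES = {"iex": "invoke-expression", "icm": "invoke-command",
           "iwr": "invoke-webrequest", "irm": "invoke-restmethod"}

# Hypothetical signatures, written against the normalised (lower-case) form.
SIGNATURES = ("invoke-expression",
              ".getfield('cachedgrouppolicysettings'",
              "'nonpublic,static'")


def build_launcher(script):
    """Wrap a script the way Empire's one-liner does: -enc is base64 of UTF-16LE."""
    enc = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell -NoP -sta -w 1 -enc {enc}"


def decode_encoded_command(cmdline):
    """Return the script behind -e/-ec/-enc/-EncodedCommand (any prefix), or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok.lower()
        is_enc = name.startswith("-") and len(name) >= 2 and (
            name == "-ec" or "encodedcommand".startswith(name[1:]))
        if not is_enc:
            continue
        try:
            return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def normalize(script):
    """Undo the page's five tricks so a plain-text signature can match."""
    # Techniques 3/5: drop backticks that do not form a reserved escape
    # ("GETFiE`lD" -> "GETFielD"). Done before lower-casing so the escape
    # letters are compared exactly as written.
    s = re.sub(r"`(.)", lambda m: m.group(0) if m.group(1) in RESERVED_ESCAPES
               else m.group(1), script, flags=re.S)
    # Technique 1: names are case-insensitive, so compare everything lower-case.
    s = s.lower()
    # Technique 2: a member invoked via a string, ."getfield"(...), is .getfield(...).
    s = re.sub(r"\.([\"'])([a-z_][\w-]*)\1", r".\2", s)
    # Join literals concatenated with '+' ('n'+'onpublic,static' -> 'nonpublic,static').
    pattern = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    while True:
        s, n = pattern.subn(r"'\1\2'", s)
        if n == 0:
            break
    # Resolve built-in aliases (IEX -> Invoke-Expression) so either spelling hits.
    for alias, full in ALIASES.items():
        s = re.sub(rf"(?<![\w$-]){alias}(?![\w-])", full, s)
    return re.sub(r"\s+", " ", s).strip()


def match_signatures(script):
    """Signatures found in the text exactly as given (no normalisation)."""
    return [sig for sig in SIGNATURES if sig in script]


if __name__ == "__main__":
    decoded = decode_encoded_command(build_launcher(OBFUSCATED))
    print("hits on decoded script:   ", match_signatures(decoded))
    print("hits after normalisation: ", match_signatures(normalize(decoded)))
```

The raw decoded script matches none of the three signatures; the normalised form matches all of them. The normaliser deliberately does not execute anything, so it can run on command-line telemetry or on the decoded EncodedCommand before the script ever reaches an interpreter.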
Invoke-Mimikatz
Invoke-Mimikatz is a PowerShell script that runs Mimikatz.exe. The EXE is carried inside the script as a base64-encoded string, decoded into memory and executed from there.
The variable $PEBytes64 holds the base64 encoding of the 64-bit EXE; $PEBytes32 holds the 32-bit one.
To run any other EXE instead: base64-encode it and assign it to $PEBytesXX, remove the Mimikatz-specific options from the Main function, and rename the file and the function.
(Screenshot: the base64 string assigned to $PEBytesXX is what you replace with the encoding of the EXE you want to run.)
(Screenshot: the Mimikatz-specific command-line handling in Main is probably unnecessary for your EXE.)
Because PowerShell can execute an arbitrary EXE this way, many anti-virus products can be bypassed.
The customized Invoke-Mimikatz.ps1 runs in memory, so any EXE can be executed filelessly.
(Diagram: any EXE file, wrapped in Invoke-Mimikatz.ps1, passes the anti-virus software.)
I think that it is difficult for AV to detect the execution of malicious code.
Finally
• Pattern matching is difficult, so a sandbox is required.
(I expect Windows sandbox)
• Change settings to get execution logs of PowerShell. Script block logging records script blocks as they are actually executed, that is after the base64 encoding and the escape tricks above have been resolved; note that the cachedGroupPolicySettings line in the Empire launcher exists to switch that logging off inside its own process, so alert on that line itself as well.
• Limit PowerShell with AppLocker if you do not need to run it.
But AppLocker is not perfect, because it can be bypassed:
https://www.slideshare.net/abend_cve_9999_0001/bypassing-windows-security-functionsen