Watch or download "Windows AV + AMSI Bypass", a video uploaded to YouTube (mirrored on ClipSaver.ru).
Essentially, the attacker has gained access to an email account via the Office 365 phishing shown in the previous videos, and from there was able to spread a malicious .dll (dynamic-link library). The executable is a legitimate default Windows application that requires a DLL called "printui.dll". It performs no validation, so it simply loads whichever DLL by that name it finds; once the DLL is loaded into memory, its code runs.

This bypasses Windows Anti-Virus and AMSI (the Antimalware Scan Interface) using two PowerShell scripts. Essentially, Windows AV is IoC-based, so just changing the entry point's main function name produces a new hash, which you can then adjust to get your bypass. AMSI was bypassed via string concatenation, e.g. 's'+'t'+'r'+'i'+'n'+'g' = string.

The reason the .dll had 0 detections is that it is actually a stager: it loads into memory and then calls the two further malicious files, which bypass Windows AV and AMSI.

Why not just pass a malicious executable? Not many people will trust and run a bare executable, but if it is signed by Microsoft or another company they expect the file to come from (e.g. NordVPN), it will most likely get run, and so we get a more efficient reverse shell.
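Two defender-side checks for the techniques described above, as an added example that is not code from the video or its author. It assumes a simplified key=value log format modelled on Sysmon Event ID 7 (Image loaded) fields (real Sysmon output is XML/EVTX and field names may differ in your pipeline), an illustrative allowlist of Windows DLL names, and constructed sample records and scripts. The first check flags a DLL carrying a system name such as printui.dll that is loaded from outside the system directories, which is the shape of the sideload in the description; the second rebuilds words spelled out as single-character string literals joined with '+', so a reviewer of a PowerShell script block sees the intended string rather than the fragments.

```python
import ntpath
import re

# Directories from which the OS's own DLLs are expected to load (lower-cased).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# Illustrative allowlist of DLL names that belong to Windows itself (assumption);
# a real deployment would derive this from a golden image rather than hard-code it.
KNOWN_SYSTEM_DLLS = {"printui.dll", "kernel32.dll", "version.dll"}

# Constructed records in a simplified key=value form modelled on Sysmon
# Event ID 7 (Image loaded). Not real telemetry. The second record is the
# described scenario: the legitimate loader copied next to a same-named DLL.
SAMPLE_IMAGE_LOADS = [
    "Image=C:\\Windows\\System32\\printui.exe ImageLoaded=C:\\Windows\\System32\\printui.dll Signed=true",
    "Image=C:\\Users\\alice\\Downloads\\printui.exe ImageLoaded=C:\\Users\\alice\\Downloads\\printui.dll Signed=false",
    "Image=C:\\Windows\\System32\\notepad.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true",
]

# Constructed PowerShell snippets: one ordinary, one spelling words out
# character by character the way the description's 's'+'t'+'r'+'i'+'n'+'g' does.
SAMPLE_SCRIPTS = {
    "benign": "Write-Host 'Backup complete'; $path = 'C:\\data'",
    "fragmented": "$name = 's'+'t'+'r'+'i'+'n'+'g'; $x = 'h'+'e'+'l'+'l'+'o'",
}


def parse_record(line):
    """Turn 'k=v k=v ...' into a dict. Values contain no spaces by construction."""
    return dict(kv.split("=", 1) for kv in line.split())


def find_sideload_candidates(lines):
    """Return (loader, dll_path, signed) for every DLL that carries a Windows
    system name but was loaded from outside the system directories."""
    hits = []
    for rec in map(parse_record, lines):
        loaded = rec["ImageLoaded"]
        name = ntpath.basename(loaded).lower()
        if name in KNOWN_SYSTEM_DLLS and not loaded.lower().startswith(SYSTEM_DIRS):
            hits.append((rec["Image"], loaded, rec.get("Signed") == "true"))
    return hits


# A run of at least three single-character literals joined with '+'.
FRAGMENT_RUN = re.compile(r"(?:'[^']'\s*\+\s*){2,}'[^']'")


def reassemble_fragments(script):
    """Rebuild each word that a script spells out as 'a'+'b'+'c' fragments."""
    return ["".join(re.findall(r"'([^'])'", run)) for run in FRAGMENT_RUN.findall(script)]


def is_suspicious_script(script, min_fragments=1):
    """Flag a script once it contains at least min_fragments rebuilt words;
    tune the threshold against your own baseline of legitimate scripts."""
    return len(reassemble_fragments(script)) >= min_fragments


if __name__ == "__main__":
    for loader, dll, signed in find_sideload_candidates(SAMPLE_IMAGE_LOADS):
        print(f"sideload candidate: {loader} loaded {dll} (signed={signed})")
    for label, script in SAMPLE_SCRIPTS.items():
        print(f"{label}: suspicious={is_suspicious_script(script)} "
              f"rebuilt={reassemble_fragments(script)}")
```

The path check is deliberately narrow: it only fires when the DLL name is one Windows itself ships, because that is what distinguishes a sideload from an application legitimately loading its own library from its install directory. Unsigned or non-Microsoft-signed copies of such names outside System32 are the records worth pulling the file for.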