Closed user1068 closed 1 month ago
You can turn those three features off with a hexeditor
Thank you for the quick response. This works; at least Windows 11 Defender does not complain about AMSI or ETW patching. Is there more "hidden" functionality like this? It would be nice to have this in the PoshC2 documentation, or at least I have not seen it there.
But, now I have another problem: Setting AMS=0 and ETW=0 broke some functionality:
Hi, some features have not made it through to our public release and we are in the process of publishing some of the new features in a blog article, so watch this space, for example the native Windows payload which is created now. In your screenshot, Stage2-Core.exe has been caught by Defender and this is why the core modules are now not working; it tells you in the screenshot you shared that this was caught by AntiVirus. This can be evaded by simple AMSI bypass techniques.
Another very useful hint :D Thanks. When I only disable ETW, the Stage2-Core.exe gets loaded and the functionality works. Looking forward to reading your blog!
Is your feature request related to a problem? Please describe.
When I use the generated implants with my custom loader, the implants get caught because of the well-known ETW and AMSI patch patterns. My loader does not use AMSI and ETW patching, so I assume it comes from the implant. Is there a way to disable ETW and AMSI patching in the implants?