PowerChunker is tool designed to Bypass AMSI via PowerShell by splitting a file into multiple chunks. In a post on my blog, I discuss how malicious powershell scripts can evade detection by AMSI if they're run line-by-line, or in chunks. I've included Rasta-mouse's AmsiScanBuffer patch as a PoC to demonstrate how PowerChunker can automate this process to make a detected bypass execute without the need for obfuscation.
PowerChunker.py has no dependencies other than python3. The -s,--serve flag can be provided if the user wants to host the attack from the current server. Otherwise, all .ps1 files that are generated by this script must be transfered over to the web server that will serve them.
usage: PowerChunker.py [-h] [-s] [-o stager.ps1] file host
Split a powershell script to evade detection!
positional arguments:
file Name of powershell script to chunk
host Domain Name or IP Address of host that will serve
stager
optional arguments:
-h, --help show this help message and exit
-s, --serve Start HTTP Server to host stager (Optional)
-o stager.ps1, --out stager.ps1
Name of final stager (Optional)
See below for an example usage of the script:
