GitHub – BlackSnufkin/NyxInvoke: NyxInvoke is a Rust CLI tool for executing .NET assemblies, PowerShell scripts, and Beacon Object Files (BOFs) with Patchless AMSI and ETW bypass capabilities. It features dual-build support for flexibility in offensive security operations.
You Should Know:
1. Key Features of NyxInvoke
- Patchless AMSI Bypass: Evades Anti-Malware Scan Interface (AMSI) without direct patching.
- ETW Bypass: Disables Event Tracing for Windows (ETW) logging to avoid detection.
- Dual-Build Support: Compatible with different compilation modes for evasion.
- Rust-Based: Provides memory safety and performance benefits.
2. Practical Usage & Commands
Clone & Build NyxInvoke:
git clone https://github.com/BlackSnufkin/NyxInvoke
cd NyxInvoke
cargo build --release
Execute a .NET Assembly:
./nyxinvoke --dotnet /path/to/assembly.dll --args "arguments"
Run PowerShell Script with AMSI Bypass:
./nyxinvoke --ps1 /path/to/script.ps1
Load a BOF (Beacon Object File):
./nyxinvoke --bof /path/to/bof.o --entrypoint main
3. Defensive Countermeasures (Blue Team)
- Monitor ETW Disabling Events:
Get-WinEvent -LogName "Microsoft-Windows-EventTracing/Operational" | Where-Object { $_.Id -eq 2 }
- Detect AMSI Bypass Attempts:
Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | Where-Object { $_.Id -eq 1116 }
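The two queries above can be combined into a single hunt that pairs ETW-disable events with Defender detections occurring close together in time. This is an added example, not part of the page or the NyxInvoke project; the log names and event IDs are taken from the page, while the lookback and correlation window values are assumptions chosen for illustration.

```powershell
# Added example: correlate ETW-disable events (ID 2) with Defender
# detections (ID 1116) that land within a few minutes of each other.
# Log names and IDs come from the page above; $LookbackHours and
# $WindowMinutes are assumed values for this illustration.
param(
    [int]$LookbackHours = 24,
    [int]$WindowMinutes = 5
)

$since = (Get-Date).AddHours(-$LookbackHours)

# ETW log, event ID 2 (as used on the page for tracing being disabled).
$etwEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-EventTracing/Operational'
    Id        = 2
    StartTime = $since
} -ErrorAction SilentlyContinue

# Defender Operational log, event ID 1116: a threat was detected. AMSI-sourced
# detections of script content surface here as well.
$amsiEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116
    StartTime = $since
} -ErrorAction SilentlyContinue

# Pair every ETW-disable event with any Defender detection inside the window.
$hits = foreach ($e in $etwEvents) {
    $near = $amsiEvents | Where-Object {
        [math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalMinutes) -le $WindowMinutes
    }
    foreach ($a in $near) {
        [pscustomobject]@{
            EtwTime      = $e.TimeCreated
            EtwMessage   = ($e.Message -split "`n")[0]
            DefenderTime = $a.TimeCreated
            DefenderMsg  = ($a.Message -split "`n")[0]
        }
    }
}

if ($hits) {
    $hits | Sort-Object EtwTime | Format-Table -AutoSize
} else {
    Write-Host "No ETW-disable event within $WindowMinutes min of a Defender detection in the last $LookbackHours h."
}
```

An in-process bypass that never stops a trace session leaves nothing in the ETW log, so an empty result is not evidence that no bypass ran; treat this as one signal alongside process-creation and script-block telemetry.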
What Undercode Say
NyxInvoke is a powerful tool for red teams, leveraging Rust for stealthy execution of offensive payloads. Defenders should focus on ETW and AMSI telemetry to detect such bypass techniques. Always test in controlled environments.
Expected Output:
[+] .NET assembly executed: /path/to/assembly.dll
[+] AMSI bypass successful.
[+] ETW logging disabled.
Reported By: Florian Hansemann – Hackers Feeds