EmpireProject / Empire

Empire is a PowerShell and Python post-exploitation agent.
http://www.powershellempire.com/
BSD 3-Clause "New" or "Revised" License

Add rastamouse AMSI bypass, make bypasses configurable #1289

Closed phra closed 5 years ago

phra commented 5 years ago

fixes #1288 and #1290, supersede #1286


PoSHMagiC0de commented 5 years ago

I second this. Manually tested my own version of this, which is probably the same (pretty much followed the example), and it works. In addition, Vis with Darren Kitchen from Hak5 has a YouTube video showing disabling of Defender and rolling back the sigs if you have admin. I would say it should be run as a background job to monitor, and whenever Defender wakes up it clears it out again. I have not discovered yet what to look for to see if Defender has turned itself back on again. It is a combination of using mpcmdrun.exe and then using PowerShell Set-MpPreference to accomplish this.

Hak5 Youtube with Vis Disabling Defender

phra commented 5 years ago

@PoSHMagiC0de I know it :smile:, my two cents:

mr64bit commented 5 years ago

Merged in da5fc61. I kept the random capitalization in. It doesn't make a difference if you're further obfuscating the code, but if you're not, then at least it's harder to catch with a simple signature.