EmpireProject / Empire

Empire is a PowerShell and Python post-exploitation agent.
http://www.powershellempire.com/
BSD 3-Clause "New" or "Revised" License

Added AMSI Bypass Redux to Csharp Stager #1305

Open adoreste opened 5 years ago

adoreste commented 5 years ago

REF: https://www.cyberark.com/threat-research-blog/amsi-bypass-redux/
REF: https://rastamouse.me/2018/10/amsiscanbuffer-bypass---part-2/

generatorada commented 5 years ago

crash
Имя события проблемы: CLR20r3
Сигнатура проблемы 01: cmd.exe
Сигнатура проблемы 02: 1.0.6959.3454
Сигнатура проблемы 03: 5c439cbc
Сигнатура проблемы 04: mscorlib
Сигнатура проблемы 05: 4.6.1590.0
Сигнатура проблемы 06: 5787ee1b
Сигнатура проблемы 07: 6b47
Сигнатура проблемы 08: 24
Сигнатура проблемы 09: PUYL1YSRBZLI4302TJNBZ1HF4QQMYKVP
Версия ОС: 6.1.7601.2.1.0.256.1
Код языка: 1049
Дополнительные сведения 1: dbf8
Дополнительные сведения 2: dbf8663c220ef0bf1c57544dee05a35b
Дополнительные сведения 3: 6720
Дополнительные сведения 4: 672008b0a1f8f7a2a8804ee91dcda582

generatorada commented 5 years ago

crash
at System.Collections.Hashtable.HashtableEnumerator.MoveNext()
at System.Management.Automation.ParserOps.MoveNext(ExecutionContext context, Token token, IEnumerator enumerator)
--- End of inner exception stack trace ---
at System.Management.Automation.StatementListNode.ExecuteStatement(ParseTreeNode statement, Array input, Pipe outputPipe, ArrayList& resultList, ExecutionContext context)
at System.Management.Automation.StatementListNode.Execute(Array input, Pipe outputPipe, ArrayList& resultList, ExecutionContext context)
at System.Management.Automation.ScriptBlock.InvokeWithPipe(Boolean useLocalScope, Boolean writeErrors, Object dollarUnder, Object input, Object scriptThis, Pipe outputPipe, ArrayList& resultList, Object[] args)
at System.Management.Automation.ScriptBlock.InvokeUsingCmdlet(Cmdlet contextCmdlet, Boolean UseLocalScope, Boolean writeErrors, Object dollarUnder, Object input, Object scriptThis, Object[] args)
at Microsoft.PowerShell.Commands.InvokeExpressionCommand.ProcessRecord()
at System.Management.Automation.Cmdlet.DoProcessRecord()
at System.Management.Automation.CommandProcessor.ProcessRecord()
--- End of inner exception stack trace ---
at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
at System.Management.Automation.Runspaces.Pipeline.Invoke()
at cmd.Program.Main(String[] args)

adoreste commented 5 years ago

Hi @generatorada, how are you trying to launch the agent? Maybe a missing reference? Example:

System: Windows 10 Enterprise LTSC

C:\windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:exe /out:program.exe .\program.cs /r:System.Management.Automation.dll
./program.exe

(Empire) > [*] Sending POWERSHELL stager (stage 1) to 192.168.1.38
[*] New agent LM57CPUS checked in
[+] Initial agent LM57CPUS from 192.168.1.38 now active (Slack)
[*] Sending agent (stage 2) to LM57CPUS at 192.168.1.38

generatorada commented 5 years ago

I'm building with VS 2015 and connecting to Empire; I only get exe crashes after a minute, well, maybe 2 minutes.