EmpireProject / Empire

Empire is a PowerShell and Python post-exploitation agent.
http://www.powershellempire.com/
BSD 3-Clause "New" or "Revised" License

Is there a way to configure Obfuscation for the stagers and agent? #1352

Open Hubbl3 opened 5 years ago

Hubbl3 commented 5 years ago

Empire Version

dev branch

OS Information (Linux flavor, Python version)

Kali 2019.1

Expected behavior and description of the error, including any actions taken immediately prior to the error. The more detail the better.

AMSI bypass is working for the initial launcher but stagers are being flagged by AMSI in Windows 10 Pro.

Screenshot of error, embedded text output, or Pastebin link to the error

Any additional information

Interestingly enough, I modified the macro launcher to use RDS.DataSpace to execute the launcher, and the stagers/agent are not flagged when using VBA. However, if I use the same RDS.DataSpace method from within PowerShell to execute the launcher, the stager is immediately flagged by AMSI. My understanding of how AMSI works is not good enough to figure out why this is. I thought RDS.DataSpace was evading AMSI because it designates the PowerShell process that is launched as a business object for data handling, but that shouldn't change between VBA and PowerShell.

Hubbl3 commented 5 years ago

Oh, I also forgot to mention that while the VBA launch via RDS.DataSpace does avoid AMSI, as soon as I try to inject into a new process the agent/stager is flagged.