EmpireProject / Empire

Empire is a PowerShell and Python post-exploitation agent.
http://www.powershellempire.com/
BSD 3-Clause "New" or "Revised" License
7.47k stars 2.82k forks source link

Is there a way to configure Obfuscation for the stagers and agent? #1352

Open Hubbl3 opened 5 years ago

Hubbl3 commented 5 years ago

Empire Version

dev branch

OS Information (Linux flavor, Python version)

Kali 2019.1

Expected behavior and description of the error, including any actions taken immediately prior to the error. The more detail the better.

AMSI bypass is working for the initial launcher but stagers are being flagged by AMSI in Windows 10 Pro.

Screenshot of error, embedded text output, or Pastebin link to the error

Any additional information

Interestingly enough I modified the macro launcher to use the RDS.DataSpace to execute the launcher and the stagers/agent are nto flagged when using VBA. However, if I use the same RDS.DataSpace method from within powershell to execute the launcher the stager is immediately flagged by AMSI. My understanding of how AMSI works is not good enough to figure out why this is. I thought the RDS.DataSpace was evading AMSI because of designating the powershell process that is launched as a business object for data handling but that shouldn't change between VBA and Powershell.

Hubbl3 commented 5 years ago

O also forget ti mention that while the VBA launch via RDS.DataSpace does avoid AMSI as soon as I try to inject into a new process that agent/stager is flagged