EmpireProject / Empire

Empire is a PowerShell and Python post-exploitation agent.
http://www.powershellempire.com/
BSD 3-Clause "New" or "Revised" License

[feature request] integrate Invoke-Obfuscation into powershell stagers #390

Closed thesle3p closed 7 years ago

thesle3p commented 7 years ago

In the interest of OPSEC, would it be possible to have Empire invoke https://github.com/danielbohannon/Invoke-Obfuscation before running a stager to get past AMSI (also having the option to obfuscate Invoke-Obfuscation itself would help) before the Empire payload is staged? That way AMSI, and AV that uses it, will have a harder time detecting Empire and the utilities it runs.

HarmJ0y commented 7 years ago

So Invoke-Obfuscation is great, but it's a PowerShell script, so it won't work on our Python/Linux-based Empire control server, so true integration is not going to be possible. We're also resistant to running all scripts through the obfuscator manually on a regular basis, as we don't want to get into a cat-and-mouse game with AV vendors. We would rather leave obfuscation at this point to the operator, but we will consider integrating a different obfuscation approach at some point in the future.

thesle3p commented 7 years ago

In that case, would it be possible to give stagers the option to upload and run ANY script before they send the actual agent? This would be useful not just for AV evasion but also for sandbox detection.

On 11/08/2016 03:15 PM, HarmJ0y wrote:

So Invoke-Obfuscation is great, but it's a PowerShell script, so it won't work on our Python/Linux-based Empire control server, so true integration is not going to be possible. We're also resistant to running all scripts through the obfuscator manually on a regular basis, as we don't want to get into a cat-and-mouse game with AV vendors. We would rather leave obfuscation at this point to the operator, but we will consider integrating a different obfuscation approach at some point in the future.

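The second request above (let the operator supply any script that runs before the stager, and let it abort the stage) is mechanically simple to model on the Python side of a launcher generator. The example below is added here to illustrate that mechanism; it is not Empire's code and makes no use of Empire's API. The function names (build_launcher, encode_for_powershell, decode_encoded_command, build_command_line) are hypothetical, and SAMPLE_PRE_SCRIPT and SAMPLE_STAGER are constructed placeholders standing in for an operator's pre-stage check and for a stager body. The one detail a practitioner trips over is that powershell.exe -EncodedCommand expects base64 over UTF-16LE, not UTF-8, so the example includes a decoder to check what would actually run.

```python
import base64

# Constructed sample inputs (hypothetical placeholders, not Empire's own code).
# Operator-supplied pre-stage script: in PowerShell, `exit 1` here ends
# powershell.exe before anything that follows it in the same command is reached.
SAMPLE_PRE_SCRIPT = "if ($env:USERNAME -eq 'sandbox') { exit 1 }"
# Placeholder for the stager body a real launcher would deliver.
SAMPLE_STAGER = "Write-Output 'stager would run here'"


def build_launcher(pre_script: str, stager: str) -> str:
    """Return one PowerShell script that runs pre_script before stager.

    Ordering is the whole mechanism: because both pieces are delivered as a
    single -EncodedCommand, an `exit` inside pre_script terminates the process
    and the stager text after it is never executed.
    """
    pre = pre_script.strip()
    body = stager.strip()
    if not body:
        raise ValueError("stager must not be empty")
    # Newline separators, so a trailing `#` comment in pre_script cannot
    # swallow the first line of the stager.
    return f"{pre}\n{body}\n" if pre else f"{body}\n"


def encode_for_powershell(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects.

    -EncodedCommand takes base64 over UTF-16LE; encoding as UTF-8 produces
    a parse error on the target. Python's 'utf-16-le' codec emits no BOM,
    which is what is wanted here.
    """
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Inverse of encode_for_powershell: recover the script text so a
    launcher can be inspected before it is sent anywhere."""
    return base64.b64decode(b64).decode("utf-16-le")


def build_command_line(pre_script: str, stager: str) -> str:
    """Assemble the full one-liner. -NoProfile keeps profile scripts from
    altering the session; -NonInteractive makes the process fail instead
    of waiting on a prompt if the pre-stage script hits one."""
    encoded = encode_for_powershell(build_launcher(pre_script, stager))
    return f"powershell.exe -NoProfile -NonInteractive -EncodedCommand {encoded}"


if __name__ == "__main__":
    cmd = build_command_line(SAMPLE_PRE_SCRIPT, SAMPLE_STAGER)
    print(cmd)
    print("--- decoded ---")
    print(decode_encoded_command(cmd.split()[-1]))
```

Running the block prints the assembled command line and then the decoded script, which shows the pre-stage check sitting in front of the stager body. Anything obfuscated by an operator (for instance output from Invoke-Obfuscation run by hand, as HarmJ0y suggests) can be passed in as either argument, since the generator only sequences and encodes the text.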