This repository has been archived by the owner on Jan 29, 2020. It is now read-only.

Is there a way to configure Obfuscation for the stagers and agent? #1352

Open
Hubbl3 opened this issue Apr 26, 2019 · 1 comment

Comments

@Hubbl3

Hubbl3 commented Apr 26, 2019

Empire Version

dev branch

OS Information (Linux flavor, Python version)

Kali 2019.1

Expected behavior and description of the error, including any actions taken immediately prior to the error. The more detail the better.

AMSI bypass is working for the initial launcher but stagers are being flagged by AMSI in Windows 10 Pro.

Screenshot of error, embedded text output, or Pastebin link to the error

Any additional information

Interestingly enough, I modified the macro launcher to use the RDS.DataSpace to execute the launcher, and the stagers/agent are not flagged when using VBA. However, if I use the same RDS.DataSpace method from within PowerShell to execute the launcher, the stager is immediately flagged by AMSI. My understanding of how AMSI works is not good enough to figure out why this is. I thought the RDS.DataSpace was evading AMSI because of designating the PowerShell process that is launched as a business object for data handling, but that shouldn't change between VBA and PowerShell.

@Hubbl3
Author

Hubbl3 commented Apr 26, 2019

Oh, I also forgot to mention that while the VBA launch via RDS.DataSpace does avoid AMSI, as soon as I try to inject into a new process, that agent/stager is flagged.
