Added bypass module and fixed module obfuscation (BC-SECURITY#711)

* added bypass module and fixed module obfuscation * Update empire/server/modules/powershell/management/invoke_bypass.py Co-authored-by: Vincent Rose <[email protected]> * reformat --------- Co-authored-by: Vincent Rose <[email protected]>
AmirulAndalib · Oct 17, 2023 · 9c34547 · 9c34547
1 parent f0e8d06
commit 9c34547
Show file tree

Hide file tree

Showing 4 changed files with 80 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,7 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
--   Fixed IronPython and Python stagers not getting obfuscation applied (@Cx01n)
+-   Fixed global obfuscation not working on modules (@Cx01N)
+-   Added bypass module in PowerShell to run bypasses after agent is staged (@Cx01N)
+-   Fixed IronPython and Python stagers not getting obfuscation applied (@Cx01N)
 
 ## [5.7.2] - 2023-09-28
 

diff --git a/empire/server/core/module_service.py b/empire/server/core/module_service.py
@@ -602,11 +602,9 @@ def finalize_module(
             module_name = script_end.lstrip().split(" ")[0]
             script = helpers.generate_dynamic_powershell_script(script, module_name)
 
-        if obfuscate:
-            script_end = self.obfuscation_service.obfuscate(
-                script_end, obfuscation_command
-            )
         script += script_end
+        if obfuscate:
+            script = self.obfuscation_service.obfuscate(script, obfuscation_command)
         script = self.obfuscation_service.obfuscate_keywords(script)
         return script
 

diff --git a/empire/server/modules/powershell/management/invoke_bypass.py b/empire/server/modules/powershell/management/invoke_bypass.py
@@ -0,0 +1,32 @@
+from typing import Dict
+
+from empire.server.core.db.base import SessionLocal
+from empire.server.core.module_models import EmpireModule
+
+
+class Module:
+    @staticmethod
+    def generate(
+        main_menu,
+        module: EmpireModule,
+        params: Dict,
+        obfuscate: bool = False,
+        obfuscation_command: str = "",
+    ):
+        script = ""
+
+        with SessionLocal.begin() as db:
+            for name in params["Bypasses"].split():
+                bypass = main_menu.bypassesv2.get_by_name(db, name)
+                if bypass:
+                    script += bypass.code
+
+        script = main_menu.modulesv2.finalize_module(
+            script=script,
+            script_end="",
+            obfuscate=obfuscate or params["Obfuscate"],
+            obfuscation_command=obfuscation_command
+            if obfuscation_command != ""
+            else params["ObfuscateCommand"],
+        )
+        return script
diff --git a/empire/server/modules/powershell/management/invoke_bypass.yaml b/empire/server/modules/powershell/management/invoke_bypass.yaml
@@ -0,0 +1,43 @@
+name: Invoke-Script
+authors:
+  - name: "Anthony Rose"
+    handle: "@Cx01N"
+    link: "https://twitter.com/Cx01N_"
+description: Run a bypasses from the server.
+software: ''
+tactics:
+  - TA0005
+techniques:
+  - T1562
+background: true
+output_extension:
+needs_admin: false
+opsec_safe: true
+language: powershell
+min_language_version: '2'
+comments: []
+options:
+  - name: Agent
+    description: Agent to run module on.
+    required: true
+    value: ''
+  - name: Bypasses
+    description: Bypasses as a space separated list to be prepended to the launcher.
+    required: true
+    value: mattifestation etw
+  - name: Obfuscate
+    description: Obfuscate the launcher powershell code, uses the ObfuscateCommand
+      for obfuscation types. For powershell only.
+    required: false
+    value: 'False'
+    strict: true
+    suggested_values:
+      - True
+      - False
+  - name: ObfuscateCommand
+    description: The Invoke-Obfuscation command to use. Only used if Obfuscate switch
+      is True. For powershell only.
+    required: false
+    value: Token\All\1
+advanced:
+  custom_generate: true