From 9c345472163363ec3b6e7a1ef4af220f2bbc24fd Mon Sep 17 00:00:00 2001
From: Anthony Rose <20302208+Cx01N@users.noreply.github.com>
Date: Mon, 16 Oct 2023 22:39:19 -0400
Subject: [PATCH] Added bypass module and fixed module obfuscation (#711)
* added bypass module and fixed module obfuscation
* Update empire/server/modules/powershell/management/invoke_bypass.py
Co-authored-by: Vincent Rose
* reformat
---------
Co-authored-by: Vincent Rose
---
 CHANGELOG.md | 4 +-
 empire/server/core/module_service.py | 6 +--
 .../powershell/management/invoke_bypass.py | 32 ++++++++++++++
 .../powershell/management/invoke_bypass.yaml | 43 +++++++++++++++++++
 4 files changed, 80 insertions(+), 5 deletions(-)
 create mode 100644 empire/server/modules/powershell/management/invoke_bypass.py
 create mode 100644 empire/server/modules/powershell/management/invoke_bypass.yaml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0f7542e1e..d7e33d6c5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,7 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-- Fixed IronPython and Python stagers not getting obfuscation applied (@Cx01n)
+- Fixed global obfuscation not working on modules (@Cx01N)
+- Added bypass module in PowerShell to run bypasses after agent is staged (@Cx01N)
+- Fixed IronPython and Python stagers not getting obfuscation applied (@Cx01N)
 
 ## [5.7.2] - 2023-09-28
 
diff --git a/empire/server/core/module_service.py b/empire/server/core/module_service.py
index a0792ca17..5473c8ecc 100644
--- a/empire/server/core/module_service.py
+++ b/empire/server/core/module_service.py
@@ -602,11 +602,9 @@ def finalize_module(
 module_name = script_end.lstrip().split(" ")[0]
 script = helpers.generate_dynamic_powershell_script(script, module_name)
 
- if obfuscate:
- script_end = self.obfuscation_service.obfuscate(
- script_end, obfuscation_command
- )
 script += script_end
+ if obfuscate:
+ script = self.obfuscation_service.obfuscate(script, obfuscation_command)
 script = self.obfuscation_service.obfuscate_keywords(script)
 
 return script
diff --git a/empire/server/modules/powershell/management/invoke_bypass.py b/empire/server/modules/powershell/management/invoke_bypass.py
new file mode 100644
index 000000000..66afff94c
--- /dev/null
+++ b/empire/server/modules/powershell/management/invoke_bypass.py
@@ -0,0 +1,32 @@
+from typing import Dict
+
+from empire.server.core.db.base import SessionLocal
+from empire.server.core.module_models import EmpireModule
+
+
+class Module:
+ @staticmethod
+ def generate(
+ main_menu,
+ module: EmpireModule,
+ params: Dict,
+ obfuscate: bool = False,
+ obfuscation_command: str = "",
+ ):
+ script = ""
+
+ with SessionLocal.begin() as db:
+ for name in params["Bypasses"].split():
+ bypass = main_menu.bypassesv2.get_by_name(db, name)
+ if bypass:
+ script += bypass.code
+
+ script = main_menu.modulesv2.finalize_module(
+ script=script,
+ script_end="",
+ obfuscate=obfuscate or params["Obfuscate"],
+ obfuscation_command=obfuscation_command
+ if obfuscation_command != ""
+ else params["ObfuscateCommand"],
+ )
+ return script
diff --git a/empire/server/modules/powershell/management/invoke_bypass.yaml b/empire/server/modules/powershell/management/invoke_bypass.yaml
new file mode 100644
index 000000000..279987675
--- /dev/null
+++ b/empire/server/modules/powershell/management/invoke_bypass.yaml
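Review bot: The relocated `if obfuscate:` now runs over the joined `script + script_end`, but nothing in the code records why the order matters, and the next refactor could move it back to the `script_end`-only form this commit removes; a one-line comment above it, `# Obfuscate only after script_end is appended so the whole module script is covered, not just the invocation`, would pin the intent (the CHANGELOG entry "Fixed global obfuscation not working on modules" is the only place it is stated). A second concern is the new invoke_bypass module in this same commit, which calls `finalize_module` with `script_end=""`: the context line `module_name = script_end.lstrip().split(" ")[0]` then yields an empty name that is handed to `generate_dynamic_powershell_script`, and whether that helper tolerates an empty name is not visible here, so a guard such as `if script_end.strip():` around the dynamic-script step, or a check that it is safe, seems warranted. `finalize_module` starts before this hunk, so the surrounding conditions on these lines are not visible.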
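Review bot: Names in `params["Bypasses"]` that `get_by_name` does not resolve are dropped silently by the `if bypass:` guard, so a typo in the space-separated list leaves `script` empty and the agent is still tasked with an empty (possibly obfuscated) script with no indication of what went wrong. Collecting the misses, e.g. `else: missing.append(name)` under the guard, and returning the module's usual error message naming them instead of calling `finalize_module` would surface the mistake to the operator. Separately, `obfuscate=obfuscate or params["Obfuscate"]` relies on the option value already being a bool; the YAML default added in this commit is the string `'False'`, which is truthy, so unless option validation upstream converts it this expression would always enable obfuscation — worth confirming against the option handling. `generate` here is the whole new file, so nothing continues outside the hunk.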
@@ -0,0 +1,43 @@
+name: Invoke-Script
+authors:
+ - name: "Anthony Rose"
+ handle: "@Cx01N"
+ link: "https://twitter.com/Cx01N_"
+description: Run a bypasses from the server.
+software: ''
+tactics:
+ - TA0005
+techniques:
+ - T1562
+background: true
+output_extension:
+needs_admin: false
+opsec_safe: true
+language: powershell
+min_language_version: '2'
+comments: []
+options:
+ - name: Agent
+ description: Agent to run module on.
+ required: true
+ value: ''
+ - name: Bypasses
+ description: Bypasses as a space separated list to be prepended to the launcher.
+ required: true
+ value: mattifestation etw
+ - name: Obfuscate
+ description: Obfuscate the launcher powershell code, uses the ObfuscateCommand
+ for obfuscation types. For powershell only.
+ required: false
+ value: 'False'
+ strict: true
+ suggested_values:
+ - True
+ - False
+ - name: ObfuscateCommand
+ description: The Invoke-Obfuscation command to use. Only used if Obfuscate switch
+ is True. For powershell only.
+ required: false
+ value: Token\All\1
+advanced:
+ custom_generate: true
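Review bot: `name: Invoke-Script` does not match the module's file name `invoke_bypass` or what it does, which makes the module hard to find in listings and search; `name: Invoke-Bypass` would line up with the file and the CHANGELOG entry. The `description` text `Run a bypasses from the server.` is ungrammatical, and the `Bypasses` option text `to be prepended to the launcher` describes the stager use of bypasses rather than this module, which runs them after the agent is staged; `description: Run bypasses on a staged agent.` and `description: Bypasses as a space separated list to run on the agent.` would read correctly. The `Obfuscate` default is the string `'False'`, consistent with other modules, but note that the Python side in this commit uses it directly in a boolean `or`, so the string-to-bool conversion must happen in option validation.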