Will not work on windows 10

[drforbin]

Empire Version

latest

OS Information (Linux flavor, Python version)

windows 10

Expected behavior and description of the error, including any actions taken immediately prior to the error. The more detail the better.

I cannot get the launcher to connect back to the listener.
When it's run on windows 10 the powershell launcher just exits
It works on windows 7

Screenshot of error, embedded text output, or Pastebin link to the error

Any additional information

[mr64bit]

The AMSI bypass included by default is currently detected by Defender (doesn't work in 1803 anyways). Try setting SafeChecks to false when generating the launcher. That should get you a working agent, but you may have to do something else about AMSI before running some of the modules. Powerview and anything that uses the reflective loader (like Mimikatz) will probably get detected by AMSI. Alternatively, start powershell with "-ver 2". Version 2 doesn't have AMSI, so that should also get you a running agent.

…

On Sun, Sep 16, 2018 at 10:50 AM Merlyn Cousins ***@***.***> wrote: Empire Version latest OS Information (Linux flavor, Python version) windows 10 Expected behavior and description of the error, including any actions taken immediately prior to the error. The more detail the better. I cannot get the launcher to connect back to the listener. When it's run on windows 10 the powershell launcher just exits It works on windows 7 Screenshot of error, embedded text output, or Pastebin link to the error Any additional information — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1232>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACFwUDl-EpKM-N_ZHlTgMfyVsmRvPXBVks5ubmVKgaJpZM4Wq4nY> .

[drforbin]

Interesting. Thank you. I have designed other powershell launchers which stage shellcode of my own design and it's not caught. Please explain to me why empire is being caught?

[mr64bit]

The Empire stager gets detected because of these commands specifically. `$Ref=[Ref].ASSEmBly.GetTYPe('System.Management.Automation.AmsiUtils');$ReF.GeTFIeLd('amsiInitFailed','NonPublic,Static')` This is from Matt Graeber's initial AMSI bypass, it's been used for for 2 years now by just about everyone, so it's no surprise there's a signature for it. In 1803, the AmsiUtils object can't be easily accessed through reflection, so the bypass doesn't work anyways.

…

On Sun, Sep 16, 2018 at 3:09 PM Merlyn Cousins ***@***.***> wrote: Interesting. Thank you. I have designed other powershell launchers which stage shellcode of my own design and it's not caught. Please explain to me why empire is being caught? — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#1232 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACFwUCIzOs-lkCxf7b92PVmdNIe36HGIks5ubqHlgaJpZM4Wq4nY> .

[poopaapoopaa]

This trick was working until a few days ago. Now it's detected even when SafeChecks is false.

If the detection is overridden and the file is allowed to run, stage 1 stager is sent, and then blocked.
The process ends with:

[*] Sending POWERSHELL stager (stage 1) to ..

If real time virus protection is turned off completely, it works as before.

The -ver 2 option doesn't seem to work at all.

Any further ideas?

[drforbin]

Yes, I am having the same problem.
My costume made shellcode works fine.

Could you please share your method for generating said shellcode?