Update: A previous version of this blog post mentioned an issue with scripting this bypass, which has since been solved. The post was updated to include the solution.More …
ObfuscatedEmpire is an integration of two fantastic projects, Invoke-Obfuscation and Empire. If you aren’t already familiar with those projects, you really should go check them out first. But here’s a quick summary for those who are unfamiliar:
- Empire is a PowerShell post-exploitation agent. It’s a powerful tool for attackers as it allows for a C2 channel to be run completely in-memory, without any malicious code touching disk, rendering traditional AV techniques ineffective.
- Invoke-Obfuscation is a PowerShell script obfuscator. As the use of in-memory PowerShell malware has grown, implementation of in-memory AV scanning of PowerShell scripts has begun. Invoke-Obfuscation challenges all assumptions these in-memory PowerShell AV signatures have been making.