Added AMSI Bypass Redux to Csharp Stager

[adoreste]

REF: https://www.cyberark.com/threat-research-blog/amsi-bypass-redux/
REF: https://rastamouse.me/2018/10/amsiscanbuffer-bypass---part-2/

[generatorada]

crash
Имя события проблемы: CLR20r3
Сигнатура проблемы 01: cmd.exe
Сигнатура проблемы 02: 1.0.6959.3454
Сигнатура проблемы 03: 5c439cbc
Сигнатура проблемы 04: mscorlib
Сигнатура проблемы 05: 4.6.1590.0
Сигнатура проблемы 06: 5787ee1b
Сигнатура проблемы 07: 6b47
Сигнатура проблемы 08: 24
Сигнатура проблемы 09: PUYL1YSRBZLI4302TJNBZ1HF4QQMYKVP
Версия ОС: 6.1.7601.2.1.0.256.1
Код языка: 1049
Дополнительные сведения 1: dbf8
Дополнительные сведения 2: dbf8663c220ef0bf1c57544dee05a35b
Дополнительные сведения 3: 6720
Дополнительные сведения 4: 672008b0a1f8f7a2a8804ee91dcda582

[generatorada]

crash
at System.Collections.Hashtable.HashtableEnumerator.MoveNext()
at System.Management.Automation.ParserOps.MoveNext(ExecutionContext context, Token token, IEnumerator enumerator)
--- End of inner exception stack trace ---
at System.Management.Automation.StatementListNode.ExecuteStatement(ParseTreeNode statement, Array input, Pipe outputPipe, ArrayList& resultList, ExecutionContext context)
at System.Management.Automation.StatementListNode.Execute(Array input, Pipe outputPipe, ArrayList& resultList, ExecutionContext context)
at System.Management.Automation.ScriptBlock.InvokeWithPipe(Boolean useLocalScope, Boolean writeErrors, Object dollarUnder, Object input, Object scriptThis, Pipe outputPipe, ArrayList& resultList, Object[] args)
at System.Management.Automation.ScriptBlock.InvokeUsingCmdlet(Cmdlet contextCmdlet, Boolean UseLocalScope, Boolean writeErrors, Object dollarUnder, Object input, Object scriptThis, Object[] args)
at Microsoft.PowerShell.Commands.InvokeExpressionCommand.ProcessRecord()
at System.Management.Automation.Cmdlet.DoProcessRecord()
at System.Management.Automation.CommandProcessor.ProcessRecord()
--- End of inner exception stack trace ---
at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
at System.Management.Automation.Runspaces.Pipeline.Invoke()
at cmd.Program.Main(String[] args)

[adoreste]

Hi @generatorada how are you trying to launch the agent? Maybe missing a reference?
Example:
System: Windows 10 Enterprise LTSC
C:\windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:exe /out:program.exe .\program.cs /r:System.Management.Automation.dll
./program.exe
(Empire) > [*] Sending POWERSHELL stager (stage 1) to 192.168.1.38 [*] New agent LM57CPUS checked in [+] Initial agent LM57CPUS from 192.168.1.38 now active (Slack) [*] Sending agent (stage 2) to LM57CPUS at 192.168.1.38

[generatorada]

I'm building VS 2015
connect with empire i get
only exe crashes in a minute well maybe 2 minutes)