EmpireProject/Empire

[Feature Request] Start and Hide Within a Registry Key

Open

#1,204 opened on Aug 16, 2018

View on GitHub
 (8 comments) (0 reactions) (0 assignees)PowerShell (7,836 stars) (2,920 forks)batch import
enhancementhelp wanted

Description

Can you add the option to start up and hide completely within the registry inside a key and not as a script or dell or exe, anywhere else on disk, this is explained better by a report from trendmicro.

https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TROJ_POWELIKS.A - shows the key near the bottom Thanks

Contributor guide

Tech stack
pythonshell
Domain
security
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
4
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
over 1 week
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
unclear
Prerequisites
Empire agent internalsWindows registry manipulationPowerShell scripting
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
10
Research direction
Review the linked TrendMicro articles to understand the requested registry persistence technique. Examine existing persistence modules in the Empire codebase under data/modules/. Check the issue comments for any maintainer feedback or clarification. Determine if the feature aligns with Empire's goals and design a registry based startup method.