USAGE
Ege Balcı edited this page Feb 23, 2018 · 10 revisions
amber [options] file.exe
OPTIONS:
-k, --key [string] Custom cipher key
-ks,--keysize <length> Size of the encryption key in bytes (Max:255/Min:8)
--staged Generated a staged payload
--iat Uses import address table entries instead of hash api
--no-resource Don't add any resource
-v, --verbose Verbose output mode
-h, --help Show this massage
- -k/--key: Sets the string that follows as the cipher key.
- -ks/--keysize: Specifies the length of the randomly generated cipher key.
- --staged: If this flag is set, amber generates a reflective payload that can be used in multi-stage attacks.
- --iat: When this flag is set, amber uses import address table entries when calling Windows API functions. (This option can be used for additional stealth against exploit mitigations such as Windows Defender Exploit Guard & EMET.)
- --no-resource: When this flag is passed, amber doesn't add any resource or metadata to the output binary. (This also makes it smaller.)
To pack a file using the Docker image, mount the folder containing the target file with Docker's -v parameter.
Example:
docker run -it -v /tmp/:/tmp/ egee/amber /tmp/file.exe