Powershell Empire : Swiss-Army Knife for Windows Post-Exploitation (Part 2).

So for this entry, we will pick up where we left off. If you have not yet read part 1, you can read it here: Powershell Empire : Swiss-Army Knife for Windows Post-Exploitation (Part 1). I apologize for taking some time to post this due to other commitments; now I have the time to finish this series, as I am currently on a long holiday.

To summarize the previous post, we covered the Empire components and what they do, how to create a listener, generate a stager, execute the stager, get connected with the agents and exit Empire gracefully. Now we will explore how to perform post-exploitation using Empire modules and how to do housekeeping tasks on the agents.

Side note: some of the examples shown might have different agent names because the connection was lost along the way. The essence of the activity and the principle behind each action are still the same.


Managing Agents

To view, list and start interacting with the agents registered to your Empire, use the agents command.

In figure 1, you can see there are 2 active agents, XHYGB4K5 and ZXRNBLUP. These 2 agents originate from the same machine.

This list shows the operator brief details about each agent, which are self-explanatory. The Process column shows which process your agent is running in. Empire is able to perform process injection, which allows the operator to hide agents under legitimate processes.

Can you spot any difference between these 2 agents? Yes! The asterisk [*] symbol in the Username column. The asterisk [*] indicates that the agent has elevated privileges. Otherwise, the agent only has normal privileges and you will need to perform privilege escalation.

To show the available commands, just double tab to see the commands for interacting with agents.

Figure 1

Use the help command to show the help menu. This menu shows information on what these commands do. Figure 2 shows the result of the help command.

Figure 2

In this agents menu, I just want to highlight a few commands that will be essential for managing your agents: interact, rename, remove and kill.

To kill one of your agents, use the command kill <agent name>, for example:
(Empire: agents) > kill XHYGB4K5

To kill all agents, use the command kill all. Example:
(Empire: agents) > kill all

After killing an agent, it will still remain in the agents list. For this, you need to remove it from the agents list. Use the command remove <agent name> to remove that one particular agent. Example:
(Empire: agents) > remove XHYGB4K5

To remove all agents, use the remove all command. Example:
(Empire: agents) > remove all

You should rename your agents to meaningful names to differentiate them. To rename an agent, use the rename command. There are a few tips for naming your agents:
  • Empire agent names only accept alphanumeric characters, which means letters and numbers. Symbols or special characters are not allowed, including minus (-) and underscore (_).
  • The agent name must not already be used by a current or past agent, even after you have removed them.
  • Best practice is to rename your agents with meaningful and descriptive names.
Refer to figure 3: to rename your agent, use the rename <current agent name> <new agent name> command. Example:
(Empire: agents) > rename XHYGB4K5 V1Admin
(Empire: agents) > rename ZXRNBLUP V1

Figure 3


Interacting with the agent

Interacting with an agent allows the operator to perform many post-exploitation activities. This can be done by passing command lines through Empire, by using the available modules, or by uploading your own malware.

For this article, I will just cover the bread and butter of Empire, which is its modules.

Refer to figure 4: to interact with one of your agents, use the command interact <agent name>, for example:
(Empire: agents) > interact V1

Figure 4


Double tab to view the available commands and type the help command to show the help menu. Example:
(Empire: agents) > help

This menu shows information on what these commands do, as in figure 5.

Figure 5

To view brief info about this agent, use the info or sysinfo command, as in figure 6.
(Empire: V1) > info

Figure 6

To take a screenshot, use the sc command as shown in figure 7.
(Empire: V1Admin) > sc

Figure 7

To list all running processes on the machine, use the tasklist command as shown in figure 8.
(Empire: V1Admin) > tasklist

You can observe that there are differences between the 2 lists in figure 8. The list on the left was taken from an agent with userland privileges, while the one on the right is from an agent with elevated privileges. Thus, tasklist can only show the usernames that are visible from the agent's own privilege context.

This command is essential, especially if you are considering process injection into a remote process for persistence and to evade detection by hiding in a legitimate process.

Figure 8
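From the defender's side, the footprint left by this kind of process injection is a PowerShell engine loaded inside a process that is not a PowerShell host. The following PowerShell script is an added example written for this post, not code from Empire or from the original article; it walks the process list and reports any process that has System.Management.Automation loaded but is not on an assumed list of known PowerShell hosts, which you may need to extend for your environment.

```powershell
# Added example (not from the original post or from Empire): report processes that
# have the PowerShell engine loaded without being a recognised PowerShell host.
# An agent injected into a process such as explorer.exe or svchost.exe shows up here.
# Run from an elevated prompt so that other users' processes can be inspected;
# protected processes and 32/64-bit mismatches are skipped silently.

# Assumed list of legitimate engine hosts; extend it for your environment.
$knownHosts = @('powershell', 'powershell_ise', 'pwsh')

$findings = foreach ($proc in Get-Process) {
    if ($knownHosts -contains $proc.ProcessName) { continue }
    try {
        # .Modules throws for processes we cannot open; those are skipped, not reported.
        $engine = $proc.Modules |
            Where-Object { $_.ModuleName -like 'System.Management.Automation*' } |
            Select-Object -First 1
        if (-not $engine) { continue }

        # Owner of the process, to compare with the agent's privilege context.
        $cim   = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)"
        $owner = Invoke-CimMethod -InputObject $cim -MethodName GetOwner

        [pscustomobject]@{
            Pid       = $proc.Id
            Name      = $proc.ProcessName
            Owner     = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '(unknown)' }
            EngineDll = $engine.FileName
        }
    } catch {
        continue
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No non-host process has the PowerShell engine loaded.'
}
```

Some legitimate management software also loads the engine, so every hit still needs triage (parent process, command line, network connections) rather than being treated as a confirmed agent.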


Sending Command and Using Empire Module

To execute a command line on the agent machine, use the command shell <command parameter>, with the command line as the parameter, as shown in figures 9 and 10.
(Empire: V1Admin) > shell ping 8.8.8.8

Figure 9 : Enumerating Windows Defender using a command line passed to the Empire shell command


Figure 10 : Enumerating users using a command line passed to the Empire shell command

Next, we will interact with our agents and explore some interesting post-exploitation modules offered by Powershell Empire.

That part is what I can tell you is the bread and butter of Powershell Empire, and we will explore that quest in my next blog post. Thank you for staying tuned until the end, and see you again.

Till next time! Take care and stay safe, everyone.
