Building an Empire with PowerShell


Transcript of Building an Empire with PowerShell

Page 1: Building an Empire with PowerShell

Building an Empire with PowerShell

Will Schroeder, Justin Warner
Veris Group’s Adaptive Threat Division (ATD)

Page 2: Building an Empire with PowerShell

First Things First

○ This tool and presentation would not be possible if it wasn’t for the help and phenomenal work from these people:
□ @mattifestation and @obscuresec / https://github.com/mattifestation/PowerSploit/
□ @carlos_perez / https://github.com/darkoperator/
□ @tifkin_ / https://github.com/leechristensen/
□ @ben0xa and @mwjcomputing
□ @enigma0x3 - The ATD Padawan
□ And the rest of the offensive PowerShell community! All you guys rock!

Page 3: Building an Empire with PowerShell

@harmj0y

○ Security researcher and red teamer for the Adaptive Threat Division of Veris Group

○ Co-founder of the Veil-Framework and PowerTools

○ Cons: Shmoocon, Carolinacon, Defcon, Derbycon, various BSides

Page 4: Building an Empire with PowerShell

@sixdub

○ Red Team Capability Lead for the Adaptive Threat Division of Veris Group

○ Lots of interest: red team ops, reverse engineering, adversarial tactics, etc

○ Developer on the Veil-Framework and co-founder of PowerTools

Page 5: Building an Empire with PowerShell

tl;dr

○ Red Team Philosophy
○ (Offensive) PowerShell
○ RATs 101
○ Empire
○ Modules
○ Demo
○ Taking Down the Empire
○ The Future

Page 6: Building an Empire with PowerShell

Red Team Philosophy
In Defense of Offense

Page 7: Building an Empire with PowerShell

Red Teaming

○ Red teaming means different things to different people
□ physical ops, in-depth social engineering, custom exploit dev, pure network based operations, etc.

○ Common thread of increased time frame, more permissive scope and adversarial mentality

○ We have an ‘assume breach’ perspective
□ It’s not a matter of ‘if’, but ‘when’

Page 8: Building an Empire with PowerShell

Malware Motivations

○ Why did we decide to go custom?
□ Clients were signaturing tool sets
□ Needed rapid dev capability while on ops to integrate unique vulnerabilities
□ A chance to build the RAT features we always wanted
□ Wanted a better way to utilize existing PowerShell capabilities
○ An attempt at solving the “weaponization problem”

Page 9: Building an Empire with PowerShell

In Defense of Offense

○ We want to help secure companies against the level of threat that they’ve been unknowingly facing for over a decade
□ So we need to be able to simulate at least some of the actions of these advanced groups.

○ There is a balance between making OSS useable for training and making the “next-gen rootkit”

Page 10: Building an Empire with PowerShell

(Offensive) PowerShell
“Microsoft’s Post-Exploitation Language”

-@obscuresec

Page 11: Building an Empire with PowerShell

Why PowerShell

○ PowerShell provides (out of the box):
□ Full .NET access
□ application whitelisting
□ direct access to the Win32 API
□ ability to assemble malicious binaries in memory
□ default installation Win7+ !

○ “Why I Choose PowerShell as an Attack Platform”
□ http://www.exploit-monday.com/2012/08/Why-I-Choose-PowerShell.html

Page 12: Building an Empire with PowerShell

“Bad Guys”

Page 13: Building an Empire with PowerShell

Existing Tech

○ PowerSploit□ Screenshots, keylogging, Mimikatz, etc.

○ PowerView□ Network situational awareness

○ PowerUp□ Privilege escalation

○ PowerBreach□ Additional persistence

○ Posh-SecMod□ Lots of goodies

Page 14: Building an Empire with PowerShell

The Weaponization Problem

○ There’s been a sharp increase in offensive PowerShell projects over the past year

○ But many people still struggle with how to exactly work PowerShell into engagements

○ Using existing tech at this point hasn’t always been the most straightforward
□ This is the problem we’re trying to solve!

Page 15: Building an Empire with PowerShell

RATs 101
I smell a RAT…

Page 16: Building an Empire with PowerShell

Just RAT Things...

○ RAT vs Backdoor… Yes they differ

○ What different things do you need to focus on when building a RAT?
□ Delivery
□ Staging & C2
□ Modularity / Expandability
□ Forensics
□ The list goes on!!!

Page 17: Building an Empire with PowerShell

The Staging Problem

○ Exotic C2 channels are nice, but somehow your agent code has to get to your target

○ This is often the most vulnerable point of your entire process
□ staging can be noisy
□ some kind of logic needs to be sent “in the clear”
□ stager needs to be able to detect and utilize proxies as best as possible

Page 18: Building an Empire with PowerShell

Command & Control

○ What are the characteristics of moderate to advanced malware out there?
□ Asynchronous
○ Low and slow wins the race
□ Variable comms
○ HTTP, HTTPS, DNS, SMB, etc.
□ Flexible indicators
○ Survivability across defensive sensors or boundary defensive solutions
□ Proxy awareness!

Page 19: Building an Empire with PowerShell

Extensibility

○ The core agent should be as small as possible with only required functionality

○ It is best to make a module interface to allow an operator to add/subtract features
□ Follow-on payloads, scripts, persistence modules

○ The modules can be loaded and removed during use

Page 20: Building an Empire with PowerShell
Page 21: Building an Empire with PowerShell

Wait… What?

○ Empire is a full-featured PowerShell post-exploitation agent

○ Aims to provide a rapidly extensible platform to integrate offensive/defensive PowerShell work

○ An attempt to train defenders on how to stop and respond to PowerShell “attacks”□ Another tool in the belt!

Page 22: Building an Empire with PowerShell

PowerShell = Just a Toy Language?

○ Many people have written off PowerShell as being a real malware solution because it is a scripting language
□ “Easy” to defeat/block the interpreter

○ This has also caused incident responders to overlook it as a malware vector
□ Helpful if we provide some real world demos :)

Page 23: Building an Empire with PowerShell

Server Features

○ Client-Server architecture
□ Server = Python | Client = PowerShell

○ A backend database preserves agent/listener configurations
□ In case something goes down, your agents won’t!

○ Everything is logged, extensively
□ Taskings/results per agent, along with timestamps
□ Hashes of any files uploaded to target
□ --debug will dump a ton of output to empire.debug

Page 24: Building an Empire with PowerShell

Methods of Execution

○ Small “stager” that can be manually executed or easily implemented elsewhere
□ A PowerShell command block can load an Empire agent
□ Generated per listener inside the menu

○ Stager Formats:
□ .vbs (macro), .bat, ducky script, etc.
□ ReflectivePick .DLL - Allows integration with many other tools like MSF

Page 25: Building an Empire with PowerShell

Listeners

○ The “server” side of the whole system
□ Configuration of the agent is set here

Page 26: Building an Empire with PowerShell

Additional Listener Stuff

○ IP whitelisting/blacklisting dynamically or by a common config

○ Kill dates and working hours nicely integrated into listener management

○ “foreign listeners” allow the passing of agents within the team
□ and to other agents like Meterpreter/Beacon!
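The three listener controls on this slide (IP whitelisting/blacklisting, kill dates, working hours) are all gates that decide whether a listener should answer a given request at a given time. The following is an added illustration, not Empire's own listener code: a self-contained policy object with constructed values, where an explicit deny outranks the allow list, a non-empty allow list is exclusive, and a working-hours window is allowed to wrap past midnight (the case that is easy to get wrong). The class name, parameter formats and sample networks are assumptions.

```python
import ipaddress
from datetime import date, datetime, time


class ListenerPolicy:
    """Gate for a listener: IP allow/deny lists, a kill date and a working-hours window."""

    def __init__(self, whitelist=(), blacklist=(), kill_date=None, working_hours=None):
        self.whitelist = [ipaddress.ip_network(n, strict=False) for n in whitelist]
        self.blacklist = [ipaddress.ip_network(n, strict=False) for n in blacklist]
        # kill_date: "YYYY-MM-DD"; the listener stops serving after this day.
        self.kill_date = date.fromisoformat(kill_date) if kill_date else None
        # working_hours: "HH:MM-HH:MM"; the window may wrap past midnight ("22:00-06:00").
        if working_hours:
            start, end = working_hours.split("-")
            self.working_hours = (time.fromisoformat(start), time.fromisoformat(end))
        else:
            self.working_hours = None

    def ip_allowed(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in self.blacklist):
            return False                      # an explicit deny always wins
        if self.whitelist and not any(ip in net for net in self.whitelist):
            return False                      # a non-empty allow list is exclusive
        return True

    def in_working_hours(self, now: datetime) -> bool:
        if self.working_hours is None:
            return True
        start, end = self.working_hours
        t = now.time()
        if start <= end:
            return start <= t < end           # same-day window
        return t >= start or t < end          # overnight window

    def should_serve(self, addr: str, now_iso: str) -> bool:
        """Decide for one request: kill date first, then IP policy, then working hours."""
        now = datetime.fromisoformat(now_iso)
        if self.kill_date is not None and now.date() > self.kill_date:
            return False
        return self.ip_allowed(addr) and self.in_working_hours(now)


def example_policy() -> ListenerPolicy:
    # Constructed values for illustration only (hypothetical engagement scope).
    return ListenerPolicy(whitelist=["10.0.0.0/8"], blacklist=["10.0.5.0/24"],
                          kill_date="2015-12-31", working_hours="09:00-17:00")


if __name__ == "__main__":
    policy = example_policy()
    for addr, when in [("10.0.1.4", "2015-08-06T10:00:00"), ("10.0.5.7", "2015-08-06T10:00:00"),
                       ("10.0.1.4", "2016-01-01T10:00:00")]:
        print(addr, when, "serve" if policy.should_serve(addr, when) else "drop")
```

Evaluating the kill date before anything else means an expired listener stays silent even to allowed sources, which is the behaviour an operator wants when an engagement window closes.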

Page 27: Building an Empire with PowerShell

Empire Staging

Control Server ↔ Client

1. Client: GET /<stage0>
2. Server: return key negotiation stager.ps1 w/ shared AES staging key
3. Client: gen priv/pub keys, post ENCstaging(PUB) to /<stage1>
4. Server: return ENCpub(epoch + AES session key)
5. Client: decrypt session key, post ENCsession(sysinfo) to /<stage2>
6. Server: return ENCsession(agent.ps1) patched with key/delay/etc. and register agent. Agent starts beaconing.
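A worked model of the six-step exchange on this slide, added here as an example; it is not part of the presentation and not Empire's own server or agent code. It assumes the `cryptography` Python package, uses AES-256-CBC with PKCS7 padding and RSA-OAEP as stand-ins for whatever primitives the real agent uses, and runs both sides in one process with direct method calls in place of the HTTP GET/POST to /<stage0>, /<stage1> and /<stage2>. The stager and agent bodies are placeholders and the sysinfo is constructed. Two points worth noticing from the defender's side: the staging key travels inside the stager in the clear (the "some kind of logic needs to be sent in the clear" point from the staging slide), and the negotiated session key ends up as plaintext inside the patched agent script, which is exactly what memory analysis later in the deck recovers.

```python
import json
import os
import time

# Assumption: the `cryptography` package is installed (pip install cryptography).
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives import padding as sym_padding
from cryptography.hazmat.primitives.asymmetric import padding as asym_padding
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def aes_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """AES-256-CBC with PKCS7 padding; the random IV is prepended to the ciphertext."""
    iv = os.urandom(16)
    padder = sym_padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return iv + enc.update(padded) + enc.finalize()


def aes_decrypt(key: bytes, blob: bytes) -> bytes:
    iv, ct = blob[:16], blob[16:]
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpadder = sym_padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def _oaep() -> asym_padding.OAEP:
    return asym_padding.OAEP(mgf=asym_padding.MGF1(hashes.SHA256()),
                             algorithm=hashes.SHA256(), label=None)


class ControlServer:
    """Server side: one shared staging key per listener, one session key per agent."""

    def __init__(self, delay_seconds: int = 5):
        self.staging_key = os.urandom(32)   # baked into stager.ps1, so it travels in the clear
        self.delay_seconds = delay_seconds
        self.pending_session_key = None     # a single in-flight negotiation, for simplicity
        self.agents = {}                    # registered agents keyed by hostname

    def get_stage0(self) -> dict:
        # Steps 1-2: GET /<stage0> returns the key-negotiation stager with the staging key.
        return {"stager": "stager.ps1 (placeholder)", "staging_key": self.staging_key}

    def post_stage1(self, enc_pub: bytes) -> bytes:
        # Steps 3-4: recover the agent's RSA public key under the staging key and answer
        # with ENCpub(epoch + AES session key).
        pubkey = serialization.load_pem_public_key(aes_decrypt(self.staging_key, enc_pub))
        self.pending_session_key = os.urandom(32)
        payload = json.dumps({"epoch": int(time.time()),
                              "session_key": self.pending_session_key.hex()}).encode()
        return pubkey.encrypt(payload, _oaep())

    def post_stage2(self, enc_sysinfo: bytes) -> bytes:
        # Steps 5-6: read sysinfo under the session key, register the agent and return
        # agent.ps1 patched with its key and delay, encrypted under the session key.
        key = self.pending_session_key
        sysinfo = json.loads(aes_decrypt(key, enc_sysinfo))
        self.agents[sysinfo["hostname"]] = {"session_key": key, "sysinfo": sysinfo}
        agent_script = ("# agent.ps1 (placeholder body)\n"
                        f"$SessionKey = '{key.hex()}'\n"
                        f"$Delay = {self.delay_seconds}\n")
        return aes_encrypt(key, agent_script.encode())


class Client:
    """Client side of the same six steps."""

    def __init__(self, hostname: str):
        self.hostname = hostname

    def stage(self, server: ControlServer) -> dict:
        staging_key = server.get_stage0()["staging_key"]                       # 1-2
        priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # 3
        pub_pem = priv.public_key().public_bytes(
            serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
        enc_session = server.post_stage1(aes_encrypt(staging_key, pub_pem))
        negotiated = json.loads(priv.decrypt(enc_session, _oaep()))            # 4
        session_key = bytes.fromhex(negotiated["session_key"])
        sysinfo = {"hostname": self.hostname, "user": "constructed-user"}      # 5 (constructed)
        enc_agent = server.post_stage2(aes_encrypt(session_key, json.dumps(sysinfo).encode()))
        agent_script = aes_decrypt(session_key, enc_agent).decode()            # 6
        return {"session_key": session_key, "epoch": negotiated["epoch"],
                "agent_script": agent_script}


def run_staging(hostname: str = "WKSTN-CONSTRUCTED"):
    """Drive one full exchange in-process and return (server, client_result)."""
    server = ControlServer(delay_seconds=5)
    return server, Client(hostname).stage(server)


if __name__ == "__main__":
    server, result = run_staging()
    print(result["agent_script"])
```

Anyone holding the staging key (it is in every stager the listener hands out) can decrypt the agent's public key in step 3 but not the session key in step 4, which is why the key hierarchy puts an asymmetric step between them; the per-agent session key then protects everything that follows, so recovering it from a memory image is what makes later C2 traffic readable.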

Page 28: Building an Empire with PowerShell

C2

○ Utilizes the .NET backend with HTTP or HTTPS

○ Nothing too magical here…□ “Get” request is looking for tasking

□ “Post” is returning encrypted results

Page 29: Building an Empire with PowerShell

In the Agent: Contexts

○ Shell - Run Empire or PowerShell cmds

○ Scripts - Import and run PowerShell cmdlets

○ Modules - Utilize pre-built functionality to execute PowerShell functions across agents

○ More later during the demo...

Page 30: Building an Empire with PowerShell

Modules
Because an agent actually needs functionality

Page 31: Building an Empire with PowerShell

Modules

○ Currently 90 released modules
□ several more in testing

○ First round of modules focused on integrating all of the current projects
□ Wanted an operational beta to use in real environments

○ We will show some of the top used ones…

Page 32: Building an Empire with PowerShell

Module Categories

○ Currently have the following categories for modules:
□ code_execution - ways to run more code
□ collection - post exploitation data collection
□ credentials - collect and use creds
□ lateral_movement - move around the network
□ management - host management and auxiliary
□ persistence - survive the reboot
□ privesc - escalation capabilities
□ situational_awareness - network awareness
□ trollsploit - for the lulz

Page 33: Building an Empire with PowerShell

Module Development

○ Development is extremely fast due to the wealth of existing PowerShell tech and the ease of development in a scripting language

○ Modules are essentially metadata containers for an embedded PowerShell script

○ Things like option sets, needs admin, opsec safe, save file output, etc

Page 34: Building an Empire with PowerShell

management/psinject

○ First up: our auto-magic process injection module for Empire
□ Takes a listener name and an optional process name/ID

○ Uses Invoke-PSInjector to inject our ReflectivePick .DLL into the host or specified process
□ The launcher code to stage the agent is embedded in the .DLL

Page 35: Building an Empire with PowerShell

ReflectivePick

[Diagram: *.exe → Invoke-PSInjector → ReflectivePick → .NET Assembly → Download Cradle]

Page 36: Building an Empire with PowerShell

Invoke-PowerCeption?

Page 37: Building an Empire with PowerShell

PowerShell in LSASS? lol

Page 38: Building an Empire with PowerShell

Invoke-BypassUAC

○ Second, we need a way to escape medium-integrity process contexts

○ The .DLL used by Metasploit’s bypassuac_injection is open source, and works when combined with PowerSploit’s Invoke-Shellcode.ps1
□ Works on Win 7 and 8.1!

○ Lets us spawn high-integrity agents

Page 39: Building an Empire with PowerShell

Invoke-Mimikatz

○ Everyone's favorite post-exploitation capability

○ Not just dumping creds:
□ Golden tickets
□ Silver tickets
□ PTH
□ Skeleton key

○ Empire has an internal credential model
□ Lets you easily reuse creds you’ve stolen

Page 40: Building an Empire with PowerShell
Page 41: Building an Empire with PowerShell

Invoke-WMI

○ Invoke-WMIMethod is our primary way of moving around
□ Can take a listener name and transform it into configurations for a launcher
□ Fairly lightweight and safe to use

○ Uses PowerShell’s Invoke-WMIMethod to run the launcher code on a remote host

Page 42: Building an Empire with PowerShell
Page 43: Building an Empire with PowerShell

PTH

○ “But what about pass-the-hash?!!”

○ The credentials/mimikatz/pth module (alias: pth) lets you spawn a new process with a local or domain user’s hash
□ You can then use the credentials/tokens module to steal the token from this new process

○ Lets you execute whatever actions you want with just a hash

Page 44: Building an Empire with PowerShell
Page 45: Building an Empire with PowerShell
Page 46: Building an Empire with PowerShell

Demo

Page 47: Building an Empire with PowerShell

Taking Down the Empire
How to Find and Stop Us

Page 48: Building an Empire with PowerShell

Detection

○ The typical network indicators will reveal some things
□ Not as proxy aware as some agents
□ High entropy byte strings in HTTP POSTs

○ Endpoint indicators are plentiful:
□ Prefetch with PowerShell
□ .NET Assemblies loaded into odd processes
□ The list goes on…
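The "high entropy byte strings in HTTP POSTs" indicator is easy to turn into a concrete check. The following is an added example for defenders, not code from the presentation or from any product: it computes the Shannon entropy of POST bodies taken from constructed proxy-log records (format `METHOD URI base64(body)`, an assumption made for the example) and flags bodies that are both long enough to judge and close to the 8 bits/byte ceiling that encrypted or compressed data approaches. The URIs, bodies and threshold are constructed; the pseudo-random body is a deterministic stand-in for an encrypted result blob, and the threshold would need tuning against real traffic.

```python
import base64
import hashlib
import math
from collections import Counter


def _pseudo_random_body(n_blocks: int = 16) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted result blob (constructed)."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(n_blocks))


# Constructed sample proxy-log lines: "METHOD URI base64(body)". Not real Empire traffic.
SAMPLE_LOG_LINES = [
    "GET /index.html " + base64.b64encode(b"").decode(),
    "POST /login " + base64.b64encode(b"username=alice&password=hunter2&remember=1").decode(),
    "POST /news.php " + base64.b64encode(_pseudo_random_body()).decode(),
    "POST /upload " + base64.b64encode(b"A" * 300).decode(),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum for byte strings (uniformly random data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_line(line: str):
    """Split one constructed log line into (method, uri, raw body bytes)."""
    method, uri, b64 = line.split(" ", 2)
    return method, uri, base64.b64decode(b64)


def flag_high_entropy_posts(lines, threshold: float = 7.0, min_len: int = 32):
    """Return (uri, entropy) for POST bodies long enough to judge that look encrypted.

    Short bodies are skipped: entropy estimates on a handful of bytes are unreliable,
    and a form post with a few dozen characters cannot reach the threshold anyway.
    """
    flagged = []
    for line in lines:
        method, uri, body = parse_line(line)
        if method != "POST" or len(body) < min_len:
            continue
        h = shannon_entropy(body)
        if h >= threshold:
            flagged.append((uri, round(h, 2)))
    return flagged


if __name__ == "__main__":
    for uri, h in flag_high_entropy_posts(SAMPLE_LOG_LINES):
        print(f"suspicious POST body: {uri} entropy={h}")
```

On its own this check will also fire on legitimate uploads of compressed or encrypted files, so in practice it is one feature to combine with the others on this slide (proxy behaviour, beacon timing, the endpoint indicators) rather than an alert by itself.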

Page 49: Building an Empire with PowerShell

Umm… Weird?

Page 50: Building an Empire with PowerShell

Memory Analysis

○ Memory analysis will reveal the entire Empire agent plaintext in memory
□ No obfuscation is done at this point
□ Allows the extraction of AES keys

○ Decryption of malware C2
□ Useful for a red team because it rewards IR teams that take the next step and chain analysis

Page 51: Building an Empire with PowerShell

Yes… plaintext

Page 52: Building an Empire with PowerShell

Windows 10 :)

○ “ZOMG HACKING IS OVER!!” - harmj0y

○ But for real… major improvements in the security and monitoring of PowerShell
□ Who knows when/how clients will actually implement the added features

○ Initial testing:
□ Logging is very very noisy with Empire
□ Constrained mode might be circumvented with PowerPick

Page 53: Building an Empire with PowerShell

The Future
The Shiny Shiny Future

Page 54: Building an Empire with PowerShell

Moving Forward

○ We’ve released full documentation and demo videos hosted at www.PowerShellEmpire.com
□ There’s also a formal spec on the agent and its associated protocol
□ All future updates will be posted here

○ This will be a long-running and fully supported project

Page 55: Building an Empire with PowerShell

Dream Capabilities

○ New C2 methods
□ SMB, DNS, SOCKS proxying, etc.

○ Script obfuscation/mangling to help prevent memory parsing and to increase training value

○ Contribute modules! It’s super easy

Page 56: Building an Empire with PowerShell

@harmj0y @sixdub

https://github.com/powershellempire/empire www.PowerShellEmpire.com

Any questions?