The document discusses PowerShell Empire, a PowerShell post-exploitation framework that aims to provide a flexible and extensible platform for integrating offensive PowerShell capabilities. It provides an overview of Empire's architecture, including its client-server design with a backend database, listeners for command and control, and modules for additional functionality. The document demonstrates Empire's capabilities through modules for process injection, privilege escalation, credential dumping, and lateral movement. It also discusses considerations for detecting and analyzing Empire agents on compromised systems.
1. Building an Empire with PowerShell
Will Schroeder, Justin Warner
Veris Group’s Adaptive Threat Division (ATD)
2. First Things First
○ This tool and presentation would not be possible if it wasn’t for the help and phenomenal work from these people:
□ @mattifestation and @obscuresec
○ https://github.com/mattifestation/PowerSploit/
□ @carlos_perez / https://github.com/darkoperator/
□ @tifkin_ / https://github.com/leechristensen/
□ @ben0xa and @mwjcomputing
□ @enigma0x3 - The ATD Padawan
□ And the rest of the offensive PowerShell community! All you guys rock!
3. @harmj0y
○ Security researcher and red teamer for the Adaptive Threat Division of Veris Group
○ Co-founder of the Veil-Framework and PowerTools
○ Cons: Shmoocon, Carolinacon, Defcon, Derbycon, various BSides
4. @sixdub
○ Red Team Capability Lead for the Adaptive Threat Division of Veris Group
○ Lots of interest: red team ops, reverse engineering, adversarial tactics, etc.
○ Developer on the Veil-Framework and co-founder of PowerTools
5. tl;dr
○ Red Team Philosophy
○ (Offensive) PowerShell
○ RATs 101
○ Empire
○ Modules
○ Demo
○ Taking Down the Empire
○ The Future
7. Red Teaming
○ Red teaming means different things to different people
□ physical ops, in-depth social engineering, custom exploit dev, pure network based operations, etc.
○ Common thread of increased time frame, more permissive scope and adversarial mentality
○ We have an ‘assume breach’ perspective
□ It’s not a matter of ‘if’, but ‘when’
8. Malware Motivations
○ Why did we decide to go custom?
□ Clients were signaturing tool sets
□ Needed rapid dev capability while on ops to integrate unique vulnerabilities
○ And a chance to build the RAT features we always wanted
□ Wanted a better way to utilize existing PowerShell capabilities
○ Attempt at solving the “weaponization problem”
9. In Defense of Offense
○ We want to help secure companies against the level of threat that they’ve been unknowingly facing for over a decade
□ So we need to be able to simulate at least some of the actions of these advanced groups.
○ There is a balance between making OSS usable for training and making the “next-gen rootkit”
11. Why PowerShell
○ PowerShell provides (out of the box):
□ Full .NET access
□ application whitelisting
□ direct access to the Win32 API
□ ability to assemble malicious binaries in memory
□ default installation Win7+ !
○ “Why I Choose PowerShell as an Attack Platform”
□ http://www.exploit-monday.com/2012/08/Why-I-Choose-PowerShell.html
14. The Weaponization Problem
○ There’s been a sharp increase in offensive PowerShell projects over the past year
○ But many people still struggle with how to exactly work PowerShell into engagements
○ Using existing tech at this point hasn’t always been the most straightforward
□ This is the problem we’re trying to solve!
16. Just RAT Things...
○ RAT vs Backdoor… Yes they differ
○ What different things do you need to focus on when building a RAT?
□ Delivery
□ Staging & C2
□ Modularity / Expandability
□ Forensics
□ The list goes on!!!
17. The Staging Problem
○ Exotic C2 channels are nice, but somehow your agent code has to get to your target
○ This is often the most vulnerable point of your entire process
□ staging can be noisy
□ some kind of logic needs to be sent “in the clear”
□ stager needs to be able to detect and utilize proxies as best as possible
18. Command & Control
○ What are the characteristics of moderate to advanced malware out there?
□ Asynchronous
○ Low and slow wins the race
□ Variable comms
○ HTTP, HTTPS, DNS, SMB, etc.
□ Flexible indicators
○ Survivability across defensive sensors or boundary defensive solutions
□ Proxy awareness!
19. Extensibility
○ The core agent should be as small as possible with only required functionality
○ It is best to make a module interface to allow an operator to add/subtract features
□ Follow on payloads, scripts, persistence modules
○ The modules can be loaded and removed during use
21. Wait… What?
○ Empire is a full-featured PowerShell post-exploitation agent
○ Aims to provide a rapidly extensible platform to integrate offensive/defensive PowerShell work
○ An attempt to train defenders on how to stop and respond to PowerShell “attacks”
□ Another tool in the belt!
22. PowerShell = Just a Toy Language?
○ Many people have written off PowerShell as being a real malware solution because it is a scripting language
□ “Easy” to defeat/block the interpreter
○ This has also caused incident responders to overlook it as a malware vector
□ Helpful if we provide some real world demos :)
23. Server Features
○ Client-Server architecture
□ Server = Python | Client = PowerShell
○ A backend database preserves agent/listener configurations
□ In case something goes down, your agents won’t!
○ Everything is logged, extensively
□ Taskings/results per agent, along with timestamps
□ Hashes of any files uploaded to target
□ --debug will dump a ton of output to empire.debug
24. Methods of Execution
○ Small “stager” that can be manually executed or easily implemented elsewhere
□ A powershell command block can load an Empire agent
□ Generated per listener inside the menu
○ Stager Formats:
□ .vbs (macro), .bat, ducky script, etc.
□ Reflective Pick .DLL - Allows integration with many other tools like MSF
26. Additional Listener Stuff
○ IP whitelisting/blacklisting dynamically or by a common config
○ Kill dates and working hours nicely integrated into listener management
○ “foreign listeners” allow the passing of agents within the team
□ and to other agents like Meterpreter/Beacon!
27. Empire Staging
Exchange between the Control Server and the Client, in order:
1. Client → Server: GET /<stage0>
2. Server → Client: return key negotiation stager.ps1 w/ shared AES staging key
3. Client → Server: gen priv/pub keys, post ENCstaging(PUB) to /<stage1>
4. Server → Client: return ENCpub(epoch + AES session key)
5. Client → Server: decrypt session key, post ENCsession(sysinfo) to /<stage2>
6. Server → Client: return ENCsession(agent.ps1) patched with key/delay/etc. and register agent. Agent starts beaconing.
28. C2
○ Utilizes the .NET backend with HTTP or HTTPS
○ Nothing too magical here…
□ “Get” request is looking for tasking
□ “Post” is returning encrypted results
29. In the Agent: Contexts
○ Shell - Run Empire or PowerShell cmds
○ Scripts - Import and run PowerShell cmdlets
○ Modules - Utilize pre-built functionality to execute PowerShell functions across agents
○ More later during the demo...
31. Modules
○ Currently 90 released modules
□ several more in testing
○ First round of modules focused on integrating all of the current projects
□ Wanted an operational beta to use in real environments
○ We will show some of the top used ones…
32. Module Categories
○ Currently have the following categories for modules:
□ code_execution - ways to run more code
□ collection - post exploitation data collection
□ credentials - collect and use creds
□ lateral_movement - move around the network
□ management - host management and auxiliary
□ persistence - survive the reboot
□ privesc - escalation capabilities
□ situational_awareness - network awareness
□ trollsploit - for the lulz
33. Module Development
○ Development is extremely fast due to the wealth of existing PowerShell tech and the ease of development in a scripting language
○ Modules are essentially metadata containers for an embedded PowerShell script
○ Things like option sets, needs admin, opsec safe, save file output, etc.
34. management/psinject
○ First up: our auto-magic process injection module for Empire
□ Takes a listener name and an optional process name/ID
○ Uses Invoke-PSInjector to inject our ReflectivePick .DLL into the host or specified process
□ The launcher code to stage the agent is embedded in the .DLL
38. Invoke-BypassUAC
○ Second, we need a way to escape medium-integrity process contexts
○ The .DLL used by Metasploit’s bypassuac_injection is open source, and works when combined with PowerSploit’s Invoke-Shellcode.ps1
□ Works on Win 7 and 8.1!
○ Lets us spawn high-integrity agents
39. Invoke-Mimikatz
○ Everyone's favorite post-exploitation capability
○ Not just dumping creds:
□ Golden tickets
□ Silver tickets
□ PTH
□ Skeleton key
○ Empire has an internal credential model
□ Lets you easily reuse creds you’ve stolen
41. Invoke-WMI
○ Invoke-WMIMethod is our primary way of moving around
□ Can take a listener name and transform it into configurations for a launcher
□ Fairly lightweight and safe to use
○ Uses PowerShell’s Invoke-WMIMethod to run the launcher code on a remote host
43. PTH
○ “But what about pass-the-hash?!!”
○ The credentials/mimikatz/pth module (alias- pth) lets you spawn a new process with a local or domain user’s hash
□ You can then use the credentials/tokens module to steal the token from this new process
○ Lets you execute whatever actions you want with just a hash
48. Detection
○ The typical network indicators will reveal some things
□ Not as proxy aware as some agents
□ High entropy byte strings in HTTP POSTs
○ Endpoint indicators are plentiful:
□ Prefetch with PowerShell
□ .NET Assemblies loaded into odd processes
□ The list goes on…
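The two network indicators above, together with the C2 shape on slide 28 (GETs polling for tasking, POSTs returning encrypted results), can be checked over proxy or flow records. The following Python is an added example, not part of the deck or the Empire project: the traffic records, client IPs, hosts and URIs are constructed, and the thresholds (at least five GETs with inter-arrival coefficient of variation at most 0.15, POST body entropy above 5 bits per byte) are assumptions to tune per environment.

```python
# Added example: detection logic for the C2 pattern the slides describe.
# Records are constructed for this example and are not real Empire traffic.
import math
import random
from collections import defaultdict
from statistics import mean, pstdev

# Each record: (epoch_seconds, client_ip, method, host, uri, body_bytes)
# Addresses are documentation ranges / example names, not real systems.
T0 = 1_700_000_000
_rng = random.Random(7)  # fixed seed so the sample is reproducible


def _encrypted_looking(n):
    """Pseudo-random bytes standing in for an AES-encrypted result body."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


SAMPLE_FLOWS = []
# Agent-like client: GETs the same URI about every 60 s (tasking poll),
# then POSTs two opaque bodies (results) to the same URI.
for i in range(8):
    SAMPLE_FLOWS.append((T0 + 60 * i + (i % 3), "10.0.0.5", "GET",
                         "203.0.113.10", "/news.php", b""))
SAMPLE_FLOWS.append((T0 + 125, "10.0.0.5", "POST", "203.0.113.10",
                     "/news.php", _encrypted_looking(96)))
SAMPLE_FLOWS.append((T0 + 305, "10.0.0.5", "POST", "203.0.113.10",
                     "/news.php", _encrypted_looking(160)))
# Browsing-like client: irregular GETs to varied URIs plus one form POST.
for dt, uri in [(0, "/"), (7, "/style.css"), (9, "/logo.png"),
                (41, "/about"), (95, "/contact"), (96, "/favicon.ico")]:
    SAMPLE_FLOWS.append((T0 + dt, "10.0.0.7", "GET", "intranet.example", uri, b""))
SAMPLE_FLOWS.append((T0 + 130, "10.0.0.7", "POST", "intranet.example", "/contact",
                     b"name=alice&subject=hello&message=see+you+at+standup"))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for uniformly random data, around 4 for ASCII form fields."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def high_entropy_posts(flows, threshold=5.0):
    """POST bodies whose entropy suggests encrypted or encoded content rather
    than ordinary form/JSON data. Returns (client, host, uri, entropy)."""
    hits = []
    for _, client, method, host, uri, body in flows:
        if method != "POST":
            continue
        h = shannon_entropy(body)
        if h > threshold:
            hits.append((client, host, uri, round(h, 2)))
    return hits


def beaconing_gets(flows, min_requests=5, max_cv=0.15):
    """(client, host, uri) triples polled with near-constant spacing. A low
    coefficient of variation (stdev / mean of the gaps) separates a timer-driven
    agent from human browsing. Returns (client, host, uri, mean_gap, count)."""
    times = defaultdict(list)
    for ts, client, method, host, uri, _ in flows:
        if method == "GET":
            times[(client, host, uri)].append(ts)
    hits = []
    for key, ts in times.items():
        if len(ts) < min_requests:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            hits.append(key + (round(avg, 1), len(ts)))
    return hits


if __name__ == "__main__":
    for hit in beaconing_gets(SAMPLE_FLOWS):
        print("beacon-like polling:", hit)
    for hit in high_entropy_posts(SAMPLE_FLOWS):
        print("high-entropy POST:", hit)
```

Real agents add jitter to the poll interval, so the coefficient-of-variation cut-off and the minimum request count are the knobs to widen when tuning against actual traffic.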
50. Memory Analysis
○ Memory analysis will reveal the entire Empire agent plaintext in memory
□ No obfuscation is done at this point
□ Allows the extraction of AES keys
○ Decryption of malware C2
□ Useful for a red team because it rewards IR teams to take the next step and chain analysis
52. Windows 10 :)
○ “ZOMG HACKING IS OVER!!” - harmj0y
○ But for real… major improvements in the security and monitoring of PowerShell
□ Who knows when/how clients will actually implement the added features
○ Initial testing:
□ Logging is very very noisy with Empire
□ Constrained mode might be circumvented with PowerPick
54. Moving Forward
○ We’ve released full documentation and demo videos hosted at www.PowerShellEmpire.com
□ There’s also a formal spec on the agent and its associated protocol
□ All future updates will be posted here
○ This will be a long-running and fully supported project
55. Dream Capabilities
○ New C2 methods
□ SMB, DNS, SOCKS Proxying etc.
○ Script obfuscation/mangling to help prevent memory parsing and to increase training value
○ Contribute modules! it’s super easy