Empire
Associated Software Descriptions |
|
| Name | Description |
|---|---|
| EmPyre | (Citation: Github PowerShell Empire) |
| PowerShell Empire | (Citation: Github PowerShell Empire) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
Empire includes various modules to attempt to bypass UAC for escalation of privileges.(Citation: Github PowerShell Empire) |
| Enterprise | T1134 | .002 | Access Token Manipulation: Create Process with Token |
Empire can use |
| .005 | Access Token Manipulation: SID-History Injection |
Empire can add a SID-History to a user if on a domain controller.(Citation: Github PowerShell Empire) |
||
| Enterprise | T1087 | .001 | Account Discovery: Local Account |
Empire can acquire local and domain user account information.(Citation: Github PowerShell Empire) |
| .002 | Account Discovery: Domain Account |
Empire can acquire local and domain user account information.(Citation: Github PowerShell Empire)(Citation: SecureWorks August 2019) |
||
| Enterprise | T1557 | .001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay |
Empire can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.(Citation: Github PowerShell Empire)(Citation: GitHub Inveigh) |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Empire can conduct command and control over protocols like HTTP and HTTPS.(Citation: Github PowerShell Empire) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Empire can modify the registry run keys |
| .005 | Boot or Logon Autostart Execution: Security Support Provider |
Empire can enumerate Security Support Providers (SSPs) as well as utilize PowerSploit's |
||
| .009 | Boot or Logon Autostart Execution: Shortcut Modification |
Empire can persist by modifying a .LNK file to include a backdoor.(Citation: Github PowerShell Empire) |
||
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Empire leverages PowerShell for the majority of its client-side agent tasks. Empire also contains the ability to conduct PowerShell remoting with the |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
Empire has modules for executing scripts.(Citation: Github PowerShell Empire) |
||
| Enterprise | T1136 | .001 | Create Account: Local Account |
Empire has a module for creating a local user if permissions allow.(Citation: Github PowerShell Empire) |
| .002 | Create Account: Domain Account |
Empire has a module for creating a new domain user if permissions allow.(Citation: Github PowerShell Empire) |
||
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
Empire can utilize built-in modules to modify service binaries and restore them to their original state.(Citation: Github PowerShell Empire) |
| Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
Empire can use modules that extract passwords from common web browsers such as Firefox and Chrome.(Citation: Github PowerShell Empire) |
| Enterprise | T1484 | .001 | Domain Policy Modification: Group Policy Modification |
Empire can use |
| Enterprise | T1114 | .001 | Email Collection: Local Email Collection |
Empire has the ability to collect emails on a target system.(Citation: Github PowerShell Empire) |
| Enterprise | T1573 | .002 | Encrypted Channel: Asymmetric Cryptography |
Empire can use TLS to encrypt its C2 channel.(Citation: Github PowerShell Empire) |
| Enterprise | T1546 | .008 | Event Triggered Execution: Accessibility Features |
Empire can leverage WMI debugging to remotely replace binaries like sethc.exe, Utilman.exe, and Magnify.exe with cmd.exe.(Citation: Github PowerShell Empire) |
| Enterprise | T1567 | .001 | Exfiltration Over Web Service: Exfiltration to Code Repository |
Empire can use GitHub for data exfiltration.(Citation: Github PowerShell Empire) |
| .002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
Empire can use Dropbox for data exfiltration.(Citation: Github PowerShell Empire) |
||
| Enterprise | T1574 | .001 | Hijack Execution Flow: DLL Search Order Hijacking |
Empire contains modules that can discover and exploit various DLL hijacking opportunities.(Citation: Github PowerShell Empire) |
| .004 | Hijack Execution Flow: Dylib Hijacking |
Empire has a dylib hijacker module that generates a malicious dylib given the path to a legitimate dylib of a vulnerable application.(Citation: Github PowerShell Empire) |
||
| .007 | Hijack Execution Flow: Path Interception by PATH Environment Variable |
Empire contains modules that can discover and exploit path interception opportunities in the PATH environment variable.(Citation: Github PowerShell Empire) |
||
| .008 | Hijack Execution Flow: Path Interception by Search Order Hijacking |
Empire contains modules that can discover and exploit search order hijacking vulnerabilities.(Citation: Github PowerShell Empire) |
||
| .009 | Hijack Execution Flow: Path Interception by Unquoted Path |
Empire contains modules that can discover and exploit unquoted path vulnerabilities.(Citation: Github PowerShell Empire) |
||
| Enterprise | T1070 | .006 | Indicator Removal: Timestomp |
Empire can timestomp any files or payloads placed on a target machine to help them blend in.(Citation: Github PowerShell Empire) |
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
Empire includes keylogging capabilities for Windows, Linux, and macOS systems.(Citation: Github PowerShell Empire) |
| .004 | Input Capture: Credential API Hooking |
Empire contains some modules that leverage API hooking to carry out tasks, such as netripper.(Citation: Github PowerShell Empire) |
||
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
Empire contains an implementation of Mimikatz to gather credentials from memory.(Citation: Github PowerShell Empire) |
| Enterprise | T1021 | .003 | Remote Services: Distributed Component Object Model |
Empire can utilize |
| .004 | Remote Services: SSH |
Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection.(Citation: Github PowerShell Empire) |
||
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Empire has modules to interact with the Windows task scheduler.(Citation: Github PowerShell Empire) |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Empire can enumerate antivirus software on the target.(Citation: Github PowerShell Empire) |
| Enterprise | T1558 | .001 | Steal or Forge Kerberos Tickets: Golden Ticket |
Empire can leverage its implementation of Mimikatz to obtain and use golden tickets.(Citation: Github PowerShell Empire) |
| .002 | Steal or Forge Kerberos Tickets: Silver Ticket |
Empire can leverage its implementation of Mimikatz to obtain and use silver tickets.(Citation: Github PowerShell Empire) |
||
| .003 | Steal or Forge Kerberos Tickets: Kerberoasting |
Empire uses PowerSploit's |
||
| Enterprise | T1569 | .002 | System Services: Service Execution |
Empire can use PsExec to execute a payload on a remote host.(Citation: Github PowerShell Empire) |
| Enterprise | T1127 | .001 | Trusted Developer Utilities Proxy Execution: MSBuild |
Empire can use built-in modules to abuse trusted utilities like MSBuild.exe.(Citation: Github PowerShell Empire) |
| Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
Empire can use various modules to search for files containing passwords.(Citation: Github PowerShell Empire) |
| .004 | Unsecured Credentials: Private Keys |
Empire can use modules like |
||
| Enterprise | T1550 | .002 | Use Alternate Authentication Material: Pass the Hash |
Empire can perform pass the hash attacks.(Citation: Github PowerShell Empire) |
| Enterprise | T1102 | .002 | Web Service: Bidirectional Communication |
Empire can use Dropbox and GitHub for C2.(Citation: Github PowerShell Empire) |
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0091 | Silence |
(Citation: Group IB Silence Aug 2019) |
| G0051 | FIN10 |
(Citation: FireEye FIN10 June 2017) |
|
(Citation: Talos Frankenstein June 2019) |
||
| G0010 | Turla |
(Citation: ESET Turla August 2018) (Citation: ESET Crutch December 2020) |
| G0101 | Frankenstein |
(Citation: Talos Frankenstein June 2019) |
| G0090 | WIRTE |
(Citation: Lab52 WIRTE Apr 2019) |
| G0065 | Leviathan |
(Citation: CISA AA21-200A APT40 July 2021) |
| G0073 | APT19 |
(Citation: NCSC Joint Report Public Tools) |
| G0119 | Indrik Spider |
(Citation: Crowdstrike Indrik November 2018) |
| G0052 | CopyKittens |
(Citation: ClearSky Wilted Tulip July 2017) |
| G1001 | HEXANE |
(Citation: SecureWorks August 2019) |
| G0096 | APT41 |
(Citation: Crowdstrike GTR2020 Mar 2020) |
| G0140 | LazyScripter |
(Citation: MalwareBytes LazyScripter Feb 2021) |
| G0069 | MuddyWater |
(Citation: TrendMicro POWERSTATS V3 June 2019) |
| G0064 | APT33 |
(Citation: FireEye APT33 Guardrail) (Citation: Symantec Elfin Mar 2019) |
| G0102 | Wizard Spider |
(Citation: CrowdStrike Grim Spider May 2019) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) |
References
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- Stepanic, D. (2018, September 2). attck_empire: Generate ATT&CK Navigator layer file from PowerShell Empire agent logs. Retrieved March 11, 2019.
- The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
- Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
- FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
- Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
- Robertson, K. (2015, April 2). Inveigh: Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool. Retrieved March 11, 2019.
- ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
- Group-IB. (2019, August). Silence 2.0: Going Global. Retrieved May 5, 2020.
- S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
- SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19
- Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
- Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
- CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
- Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
- John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
- DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
- Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
- Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
- ESET. (2018, August). Turla Outlook Backdoor: Analysis of an unusual Turla backdoor. Retrieved March 11, 2019.
- Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.