Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Empire

Empire is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire)
ID: S0363
Associated Software: EmPyre PowerShell Empire
Type: TOOL
Platforms: Windows
Version: 1.8
Created: 11 Mar 2019
Last Modified: 25 Sep 2024

Associated Software Descriptions

Name Description
EmPyre (Citation: Github PowerShell Empire)
PowerShell Empire (Citation: Github PowerShell Empire)

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Empire includes various modules to attempt to bypass UAC for escalation of privileges.(Citation: Github PowerShell Empire)

Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

Empire can use Invoke-RunAs to make tokens.(Citation: Github PowerShell Empire)

.005 Access Token Manipulation: SID-History Injection

Empire can add a SID-History to a user if on a domain controller.(Citation: Github PowerShell Empire)

Enterprise T1087 .001 Account Discovery: Local Account

Empire can acquire local and domain user account information.(Citation: Github PowerShell Empire)

.002 Account Discovery: Domain Account

Empire can acquire local and domain user account information.(Citation: Github PowerShell Empire)(Citation: SecureWorks August 2019)

Enterprise T1557 .001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Empire can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.(Citation: Github PowerShell Empire)(Citation: GitHub Inveigh)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Empire can conduct command and control over protocols like HTTP and HTTPS.(Citation: Github PowerShell Empire)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Empire can modify the registry run keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for persistence.(Citation: Github PowerShell Empire)

.005 Boot or Logon Autostart Execution: Security Support Provider

Empire can enumerate Security Support Providers (SSPs) as well as utilize PowerSploit's Install-SSP and Invoke-Mimikatz to install malicious SSPs and log authentication events.(Citation: Github PowerShell Empire)

.009 Boot or Logon Autostart Execution: Shortcut Modification

Empire can persist by modifying a .LNK file to include a backdoor.(Citation: Github PowerShell Empire)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Empire leverages PowerShell for the majority of its client-side agent tasks. Empire also contains the ability to conduct PowerShell remoting with the Invoke-PSRemoting module.(Citation: Github PowerShell Empire)(Citation: NCSC Joint Report Public Tools)

.003 Command and Scripting Interpreter: Windows Command Shell

Empire has modules for executing scripts.(Citation: Github PowerShell Empire)

Enterprise T1136 .001 Create Account: Local Account

Empire has a module for creating a local user if permissions allow.(Citation: Github PowerShell Empire)

.002 Create Account: Domain Account

Empire has a module for creating a new domain user if permissions allow.(Citation: Github PowerShell Empire)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Empire can utilize built-in modules to modify service binaries and restore them to their original state.(Citation: Github PowerShell Empire)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Empire can use modules that extract passwords from common web browsers such as Firefox and Chrome.(Citation: Github PowerShell Empire)

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

Empire can use New-GPOImmediateTask to modify a GPO that will install and execute a malicious Scheduled Task/Job.(Citation: Github PowerShell Empire)

Enterprise T1114 .001 Email Collection: Local Email Collection

Empire has the ability to collect emails on a target system.(Citation: Github PowerShell Empire)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Empire can use TLS to encrypt its C2 channel.(Citation: Github PowerShell Empire)

Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

Empire can leverage WMI debugging to remotely replace binaries like sethc.exe, Utilman.exe, and Magnify.exe with cmd.exe.(Citation: Github PowerShell Empire)

Enterprise T1567 .001 Exfiltration Over Web Service: Exfiltration to Code Repository

Empire can use GitHub for data exfiltration.(Citation: Github PowerShell Empire)

.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Empire can use Dropbox for data exfiltration.(Citation: Github PowerShell Empire)

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Empire contains modules that can discover and exploit various DLL hijacking opportunities.(Citation: Github PowerShell Empire)

.004 Hijack Execution Flow: Dylib Hijacking

Empire has a dylib hijacker module that generates a malicious dylib given the path to a legitimate dylib of a vulnerable application.(Citation: Github PowerShell Empire)

.007 Hijack Execution Flow: Path Interception by PATH Environment Variable

Empire contains modules that can discover and exploit path interception opportunities in the PATH environment variable.(Citation: Github PowerShell Empire)

.008 Hijack Execution Flow: Path Interception by Search Order Hijacking

Empire contains modules that can discover and exploit search order hijacking vulnerabilities.(Citation: Github PowerShell Empire)

.009 Hijack Execution Flow: Path Interception by Unquoted Path

Empire contains modules that can discover and exploit unquoted path vulnerabilities.(Citation: Github PowerShell Empire)

Enterprise T1070 .006 Indicator Removal: Timestomp

Empire can timestomp any files or payloads placed on a target machine to help them blend in.(Citation: Github PowerShell Empire)

Enterprise T1056 .001 Input Capture: Keylogging

Empire includes keylogging capabilities for Windows, Linux, and macOS systems.(Citation: Github PowerShell Empire)

.004 Input Capture: Credential API Hooking

Empire contains some modules that leverage API hooking to carry out tasks, such as netripper.(Citation: Github PowerShell Empire)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Empire contains an implementation of Mimikatz to gather credentials from memory.(Citation: Github PowerShell Empire)

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Empire has the ability to obfuscate commands using Invoke-Obfuscation.(Citation: Github PowerShell Empire)

Enterprise T1021 .003 Remote Services: Distributed Component Object Model

Empire can utilize Invoke-DCOM to leverage remote COM execution for lateral movement.(Citation: Github PowerShell Empire)

.004 Remote Services: SSH

Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection.(Citation: Github PowerShell Empire)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Empire has modules to interact with the Windows task scheduler.(Citation: Github PowerShell Empire)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Empire can enumerate antivirus software on the target.(Citation: Github PowerShell Empire)

Enterprise T1558 .001 Steal or Forge Kerberos Tickets: Golden Ticket

Empire can leverage its implementation of Mimikatz to obtain and use golden tickets.(Citation: Github PowerShell Empire)

.002 Steal or Forge Kerberos Tickets: Silver Ticket

Empire can leverage its implementation of Mimikatz to obtain and use silver tickets.(Citation: Github PowerShell Empire)

.003 Steal or Forge Kerberos Tickets: Kerberoasting

Empire uses PowerSploit's Invoke-Kerberoast to request service tickets and return crackable ticket hashes.(Citation: Github PowerShell Empire)

Enterprise T1569 .002 System Services: Service Execution

Empire can use PsExec to execute a payload on a remote host.(Citation: Github PowerShell Empire)

Enterprise T1127 .001 Trusted Developer Utilities Proxy Execution: MSBuild

Empire can use built-in modules to abuse trusted utilities like MSBuild.exe.(Citation: Github PowerShell Empire)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Empire can use various modules to search for files containing passwords.(Citation: Github PowerShell Empire)

.004 Unsecured Credentials: Private Keys

Empire can use modules like Invoke-SessionGopher to extract private key and session information.(Citation: Github PowerShell Empire)

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Empire can perform pass the hash attacks.(Citation: Github PowerShell Empire)

Enterprise T1102 .002 Web Service: Bidirectional Communication

Empire can use Dropbox and GitHub for C2.(Citation: Github PowerShell Empire)

Groups That Use This Software

ID Name References
G0091 Silence

(Citation: Group IB Silence Aug 2019)

G0051 FIN10

(Citation: FireEye FIN10 June 2017)

(Citation: Talos Frankenstein June 2019)

G0010 Turla

(Citation: ESET Turla August 2018) (Citation: ESET Crutch December 2020)

G0101 Frankenstein

(Citation: Talos Frankenstein June 2019)

G0090 WIRTE

(Citation: Lab52 WIRTE Apr 2019)

G0034 Sandworm Team

(Citation: mandiant_apt44_unearthing_sandworm)

G1040 Play

(Citation: Trend Micro Ransomware Spotlight Play July 2023)

G0065 Leviathan

(Citation: CISA AA21-200A APT40 July 2021)

G1016 FIN13

(Citation: Sygnia Elephant Beetle Jan 2022)

G0073 APT19

(Citation: NCSC Joint Report Public Tools)

G0119 Indrik Spider

(Citation: Crowdstrike Indrik November 2018)

G0052 CopyKittens

(Citation: ClearSky Wilted Tulip July 2017)

G1001 HEXANE

(Citation: SecureWorks August 2019)

G0096 APT41

(Citation: Crowdstrike GTR2020 Mar 2020)

G0140 LazyScripter

(Citation: MalwareBytes LazyScripter Feb 2021)

G0069 MuddyWater

(Citation: TrendMicro POWERSTATS V3 June 2019)

G0064 APT33

(Citation: FireEye APT33 Guardrail) (Citation: Symantec Elfin Mar 2019)

G0102 Wizard Spider

(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: CrowdStrike Grim Spider May 2019) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: Mandiant FIN12 Oct 2021)

References

  1. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  2. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  3. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  4. Stepanic, D. (2018, September 2). attck_empire: Generate ATT&CK Navigator layer file from PowerShell Empire agent logs. Retrieved March 11, 2019.
  5. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  6. Robertson, K. (2015, April 2). Inveigh: Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool. Retrieved March 11, 2019.
  7. Group-IB. (2019, August). Silence 2.0: Going Global. Retrieved May 5, 2020.
  8. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
  9. ESET. (2018, August). Turla Outlook Backdoor: Analysis of an unusual Turla backdoor. Retrieved March 11, 2019.
  10. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  11. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
  12. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19
  13. Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.
  14. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
  15. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  16. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
  17. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  18. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  19. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  20. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  21. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  22. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  23. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  24. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  25. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  26. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  27. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.