Defense Evasion with obfuscated Empire
In this article, we will learn the technique of Defense Evasion using the PowerShell Empire. PowerShell Empire is one of my favourite Post Exploitation tools and it is an applaudable one at that.
Table of Contents:
- Getting a session with Empire
- Obfuscating with Empire
When evading all the target defense with Empire, it is important to focus on installation. There are two methods to install Empire, obfuscating scripts would not work if you install Empire using apt install command. But this problem wouldn’t occur if you use the git clone command as shown in the image below.
git clone https://github.com/BC-SECURITY/Empire
The above command will download Empire on your system and to install it, use the following command:
cd Empire/ cd setup/ .install.sh
Getting a session with Empire
With the above commands, your Empire is downloaded and installed. Let us now get the Empire up to and running and take a session of the target system. Once you start Empire, the first thing to do is to start a Listener. And to start a listener, use the set of following commands:
listeners uselistener http set Port 80 execute
The above commands will start a listener on port 80. Once the listener is active, we have to launch a stager. The stager that we are going to use in this article is of windows and is in batch language. To launch the stager, use the following set of commands:
back usestager windows/launcher_bat set Listener http execute
Once your malware is ready, it will be stored in /tmp directory by default as you can see in the image above. To send this bat file to the target system, you can use python one-liner server or any other method you like. We used a python server for our this practical. To use the python server, type the following command in the directory where the file is saved like in our case it was /tmp directory:
python -m SimpleHTTPServer
Once the file is executed in the target system. You will get your session as it is shown in the image below. To access the session or agent (as per the Empire terminology) use the following commands:
agents interact <agent name>
In the event viewer, you can go to the Applications and Services Logs > Microsoft > Windows > PowerShell > Operational and check the log made by the batch file from Empire as shown in the image below:
Obfuscating with Empire
Now, you can see in the image above that the log of the file gives proper detail of the malicious file. These details include the code of the file, where the file is stored, and other important details. These details, when readable by the system, makes it easy for the file to be detected. For successfully attacking the target, it is important to evade all the defenses put up by the target. And to do so, we will globally obfuscate the Empire and then create our malicious file. Obfuscating the Empire will mean all the malicious files that will be generated from Empire will be obscure i.e. they will be had to detect in the target system and will allow you to bypass the defence systems like antiviruses. To obfuscate the Empire, use the following command first:
The above command will download all the scripts required for the obfuscation.
The command executed above takes a bit of time but if it allows us to be successful in our attack then little time is no problem and most importantly it is worth it. Once all the obfuscating scripts are downloaded, execute the following command:
set Obfuscate true
This command will initiate the obfuscating and all the stagers developed and agents created will be obfuscated, which you can see in the image below:
Now once the obfuscation is active, we will once again execute the listener as shown previously in this article and once the listener is up and running we will launch a stager with the following set of commands:
usestager windows/launcher_bat set Listener http execute
Similarly, like before, use the python server to deliver the malicious file to the target system.
Once the file is executed in the target system; you will get a new session as shown in the image below. To access the new agent, use the following commands:
agents interact <agent name>
Now the session we have received is through obfuscation and we will confirm this by using Event Viewer. Follow the same path as earlier (Applications and Services Logs > Microsoft > Windows > PowerShell > Operational) in the Event Viewer to see the log created by our malicious file. AS you can see in the image below, the details that the log has now is vague and confusing. This makes the file unreadable by the system and is successful in dodging defenses such as anti-viruses.
This way the Obfuscated Empire can save you from getting caught in the target system. It is important to learn such techniques to glide by the defenses in the target system to test whether the defenses in the place are proper or not.