Hunting Empire

© 2017 Caendra Inc. | Threat Hunting v1 | Hunting Empire 1


Your manager, Tony, wants to make sure that you can detect the widely used attacking tool,
Empire. A hunting exercise has been scheduled, where you are tasked with detecting
Empire’s presence on an endpoint.

You will need to extend the techniques mentioned in the course to detect Empire’s presence
on an endpoint.

The objective of this lab is to combine different detection techniques to detect Empire’s
presence on an endpoint. Specifically, you will learn to use EIF, Get-InjectedThread and
NorkNork, in conjunction, to detect Empire on an endpoint.

- EIF
- EIF Parser
- Get-InjectedThread
- NorkNork

Organization: ELS-CHILD

- You:
  - IP: 172.16.82.0/24
- child-dc01 (the server from where you will start your hunt):
  - IP: 10.100.10.253
  - VNC Credentials: vnc@3L$-CHILDL0c@l
  - Domain Credentials: ELS-CHILD\Administrator | Admin@3L$-CHILDL0c@l*****
- UATSERVER (optional, if you want to take a closer look):
  - IP: 10.100.11.150
  - VNC Credentials: vnc@3L$-CHILDL0c@l
  - Domain Credentials: ELS-CHILD\appsvc | la@3L$-CHILDL0c@l

1. Identify the most common technique being used by Empire for process injection.
You can use the internet for that or dive into the Empire Project’s source code.

HINTS: EIF, EIF Parser and Get-InjectedThread.ps1 are detection tools that can assist
you in detecting Empire’s most common process injection technique.

2. In the case of an attack that evaded your first line of defense, you can always catch an
attacker during post-exploitation activities. Identify the most common persistence
techniques employed by Empire. Once again, you can use the internet for that or dive
into the Empire Project’s source code.

HINTS: NorkNork is a detection tool that can assist you in detecting Empire’s most
common persistence mechanisms.

Use the recommended tools above against the machine residing at 10.100.11.150
(UATSERVER) and try to identify any indicators of Empire presence.

SOLUTIONS

1. Attackers usually utilize the reflective DLL injection* capabilities of Empire.

Detecting reflective DLL injection, however, is not an easy task. Malicious code
injected into a process using reflective DLL injection will not touch disk. Process
memory introspection is therefore required to detect this kind of injection.

Specifically, Empire utilizes an injection/migration technique called PSInject.


Attackers usually use PSInject to migrate into a more stable or stealthier process, such
as explorer.exe. PowerShell-related DLLs can then be spotted in the target process's
memory once PSInject has been run against it.

EIF, EIF Parser and Get-InjectedThread.ps1 will assist you in looking for PSInject-like
operations on an endpoint. Note that they detect most reflective DLL injection cases, not
only Empire's, so don't jump to conclusions.
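The following is an added example written for this page; it is not part of the lab and is not code from EIF, EIF Parser or Get-InjectedThread. It shows the idea behind the "PowerShell DLLs in a non-PowerShell process" indicator in plain Windows PowerShell: every process that is not a known PowerShell host but has the PowerShell engine assembly loaded is listed together with its established TCP connections, so the network-activity check recommended later in the lab sits in the same view. The list of known hosts is an assumption to be extended per environment; the engine DLL names and the cmdlets used are standard Windows ones.

```powershell
# Added example; not part of the lab, EIF or Get-InjectedThread. Lists processes
# that are not PowerShell hosts but have the PowerShell engine DLL loaded, and
# attaches each hit's established TCP connections. Run elevated on the endpoint
# under examination (Windows PowerShell 5.1 or later).

# Processes that legitimately host PowerShell. Assumption: extend this list
# with whatever hosts are normal in your environment (e.g. your EDR agent).
$KnownHosts = @('powershell', 'powershell_ise', 'pwsh', 'wsmprovhost')

# The engine assembly (JIT or native image). The CLR loads it through the
# normal loader, so it appears in the module list even when the injected
# bootstrap DLL itself was loaded reflectively and does not.
$EngineModules = @('System.Management.Automation.dll',
                   'System.Management.Automation.ni.dll')

function Find-PowerShellHostingProcess {
    [CmdletBinding()]
    param()

    foreach ($proc in Get-Process) {
        if ($KnownHosts -contains $proc.ProcessName) { continue }

        # Reading .Modules of a protected, system or 32/64-bit-mismatched
        # process throws. Report it as "not inspectable" instead of "clean".
        try {
            $loaded = @($proc.Modules | ForEach-Object { $_.ModuleName })
        } catch {
            Write-Verbose ("PID {0} ({1}) not inspectable: {2}" -f $proc.Id, $proc.ProcessName, $_.Exception.Message)
            continue
        }

        $hits = @($loaded | Where-Object { $EngineModules -contains $_ })
        if ($hits.Count -eq 0) { continue }

        # Established connections owned by this PID (NetTCPIP module,
        # present on Windows 8 / Server 2012 and later).
        $conns = @(Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue |
                   ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort })

        [PSCustomObject]@{
            PID         = $proc.Id
            Process     = $proc.ProcessName
            Engine      = ($hits -join ', ')
            Established = ($conns -join ', ')
        }
    }
}

Find-PowerShellHostingProcess -Verbose | Format-Table -AutoSize
```

A row such as explorer.exe with the engine loaded and a connection to a host you cannot account for is the picture the lab's EIF output paints. A row on its own is not proof: legitimate applications load the PowerShell engine too, and processes that throw on module enumeration are reported as not inspectable rather than as clean, which is why the lab also turns to memory-level tools like EIF.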

More details can be found at the following links:

- https://www.powershellempire.com/?page_id=273
- https://github.com/EmpireProject/Empire/search?utf8=%E2%9C%93&q=inject&type=

2. Empire features multiple persistence mechanisms. Diving into the source code of
Empire, we can see that the registry, WMI, schtasks, debuggers and more are being
abused for persistence.

Any overly large base64-encoded string stored in the registry, or any suspicious-looking
WMI subscription, can be an indication of Empire's presence on an endpoint.
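The following is an added example written for this page; it is not part of the lab and is not NorkNork's code. It walks two of the autostart locations named above, the Run/RunOnce registry keys and the permanent WMI event subscriptions in root\subscription, and flags entries that carry an overly large base64 run or an encoded PowerShell command line. The 200-character threshold is an assumption chosen for the example; the registry paths, WMI classes and cmdlets are standard Windows ones.

```powershell
# Added example; not part of the lab or of NorkNork. Walks the autostart
# locations the lab names (Run/RunOnce keys and permanent WMI event
# subscriptions) and flags entries that carry an overly large base64 blob or an
# encoded PowerShell command line. Scheduled tasks are left to Get-ScheduledTask.
# Windows PowerShell 5.1 (Get-WmiObject), run elevated.

# A base64 run at least this long counts as "overly large". The value is an
# assumption for this example; tune it for your environment.
$MinBase64Length = 200

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties Get-ItemProperty adds that are not registry values.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Longest base64-looking run in a string, or $null when none reaches the threshold.
function Get-LargeBase64Run {
    param([string]$Text)
    $pattern = '[A-Za-z0-9+/]{' + $MinBase64Length + ',}={0,2}'
    $best = $null
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        if ($null -eq $best -or $m.Length -gt $best.Length) { $best = $m.Value }
    }
    return $best
}

function New-Finding {
    param($Source, $Location, $Reason, [string]$Text)
    [PSCustomObject]@{
        Source   = $Source
        Location = $Location
        Reason   = $Reason
        Preview  = $Text.Substring(0, [Math]::Min(80, $Text.Length))
    }
}

function Get-SuspiciousAutostart {
    # 1. Registry Run / RunOnce values.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($ProviderProps -contains $prop.Name) { continue }
            $value = [string]$prop.Value
            $blob  = Get-LargeBase64Run $value
            if ($blob) {
                New-Finding 'Registry' "$key\$($prop.Name)" "base64 run of $($blob.Length) chars" $value
            } elseif ($value -match '(?i)(^|\s)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}') {
                New-Finding 'Registry' "$key\$($prop.Name)" 'encoded PowerShell command' $value
            }
        }
    }

    # 2. Permanent WMI subscriptions: every consumer that runs a command or
    #    script is listed; the binding shows which filter (trigger) fires it.
    $ns = 'root\subscription'
    foreach ($class in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
        Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue | ForEach-Object {
            $payload = [string]$(if ($class -eq 'CommandLineEventConsumer') { $_.CommandLineTemplate } else { $_.ScriptText })
            $blob = Get-LargeBase64Run $payload
            $reason = if ($blob) { "base64 run of $($blob.Length) chars" } else { 'permanent event consumer present' }
            New-Finding 'WMI' "$ns\$class\$($_.Name)" $reason $payload
        }
    }
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue | ForEach-Object {
        New-Finding 'WMI' "$ns\__FilterToConsumerBinding" 'filter -> consumer binding' "$($_.Filter) -> $($_.Consumer)"
    }
}

Get-SuspiciousAutostart | Format-Table -AutoSize -Wrap
```

On a clean workstation the WMI part normally returns nothing at all, so any permanent consumer is worth reading, base64 or not. The registry part only looks at the four Run keys; the same two tests can be applied to any other value NorkNork or your own baseline tells you to watch.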

More details can be found at the following links:

- https://www.powershellempire.com/?page_id=139
- https://github.com/EmpireProject/Empire/search?utf8=%E2%9C%93&q=persistence&type=

*Reflective DLL injection refers to loading a DLL from memory rather than from disk.
This is done through custom functions. Windows does not feature native functionality
to perform reflective DLL loading.

Let’s now leverage the recommended tools to identify if Empire is present on UATSERVER.

We will start by using the EIF tool to detect if reflective DLL injection has occurred on any of
the running processes of the machine. [EIF will scan the memory of processes that are not
protected]

Use a Linux or Windows VNC client to connect to child-dc01 (10.100.10.253), from where
you will start your hunt, using the VNC and Domain credentials provided above (Shift +
Ctrl + Alt + Del).

vncviewer 10.100.10.253 (for Linux-based machines)
tvnviewer.exe, Remote Host: 10.100.10.253 (for Windows-based machines)

Once you have logged in to child-dc01 (10.100.10.253), open a PowerShell terminal as
Administrator, navigate to the 'Hunting Empire' folder, which is located on the Desktop,
and execute the following.

cd '.\Detection Method 1'
cd .\EIF_Parser-master
.\eif_parser.ps1 -ComputerName uatserver.els-child.els.local -EIF_Path "C:\users\Administrator\Desktop\Hunting Empire\Detection Method 1\eif-master\binaries\v64\EvilInjectFinder.exe"

You should see something similar to the following.

EIF Parser actually deploys EvilInjectFinder.exe onto the remote machine and parses the
results. The results are saved in C:\users\Administrator\Desktop\Hunting Empire\Detection Method 1\EIF_Parser-master\EIF_Results.

The results will look similar to the following.

The above indicates that PSInject was (probably) executed against explorer.exe, since we
can see PowerShell-related DLLs loaded into the explorer.exe process.

For example, we can see that the PowerShell core library System.Management.Automation
is loaded into the explorer.exe process. A word of caution: many legitimate applications
load PowerShell. You should therefore combine this kind of detection with analysis of the
process's network activity for best results.

Additional Indicator: It won’t be surprising to find a full .NET module (PE header present)
while examining the memory of a process against which PSInject was executed.

Now, let’s verify our results using a similar detection script called Get-InjectedThread.

From inside your VNC session with child-dc01, perform the following.

- Open File Explorer and navigate to \\uatserver.els-child.els.local\c$
- Inside the "Hunting Empire" folder, which is located on the child-dc01 machine's
  desktop, open the "Detection Method 2" folder and copy the Get-InjectedThread.ps1
  script.
- Paste that script somewhere on the uatserver.els-child.els.local machine (for
  example in C:\).
- Now, from inside child-dc01, open a new PowerShell terminal as Administrator and
  execute the following. [Connecting to UATSERVER using PSRemoting]

New-PSSession -Name PSC1 -ComputerName uatserver.els-child.els.local
Enter-PSSession -Name PSC1
cd C:\
Import-Module .\Get-InjectedThread.ps1
Get-InjectedThread

The result will be similar to the following.

Get-InjectedThread identified a thread in the explorer.exe process that is the result of
memory injection.

You should now be confident that some kind of fileless malware is on that endpoint. We are
not yet sure that this malware is Empire: many Remote Access Tools used by attackers
have the ability to reflectively inject malicious DLLs. Let's continue our investigation.

Chances are that the malware has also established some kind of persistence on
UATSERVER. Let's use a persistence detection tool called NorkNork to find out.

From inside your VNC session with child-dc01, perform the following.

- Inside the "Hunting Empire" folder, which is located on the child-dc01 machine's
  desktop, open the "Detection Method 3" folder and navigate to NorkNork-master\bin.
- Copy NorkNork.exe, open File Explorer and navigate to \\uatserver.els-child.els.local\c$
- Paste NorkNork.exe somewhere on the uatserver.els-child.els.local machine (for
  example in C:\).
- Now, from inside child-dc01, open a new PowerShell terminal as Administrator and
  execute the following. [Connecting to UATSERVER using PSRemoting]

New-PSSession -Name PSC2 -ComputerName uatserver.els-child.els.local
Enter-PSSession -Name PSC2
cd C:\
.\NorkNork.exe

The result will be similar to the following.

NorkNork identified something in the endpoint's registry that resembles Empire's modus
operandi. Further down NorkNork's output, this overly large base64 string is decoded.

If you carefully analyze Empire's source code, you will be able to conclude that the above
script is Empire-derived. The C2 URL format (login/process.php), the XOR routine and the K
variable (which almost certainly contains Empire's staging key) all resemble the way the
Empire tool operates.
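The triage step just described, decoding the recovered blob and checking it for the three traits named above, as an added example written for this page (not part of the lab and not NorkNork's code). The sample blob is constructed for the example, with a placeholder key and an invalid hostname, and only mimics the shape of those three traits; it is not a working stager. The verdict threshold (all three traits present) is an assumption for the example.

```powershell
# Added example; not part of the lab or of NorkNork. Decodes a large base64
# blob recovered from an autostart location and reports the three Empire-like
# traits the lab names: a login/process.php style C2 URL, an XOR routine and a
# $K staging-key variable. The sample blob is constructed for this example and
# only mimics the shape of those traits; it is not a working stager.

function ConvertFrom-LauncherBase64 {
    param([Parameter(Mandatory)][string]$Base64)
    $bytes = [Convert]::FromBase64String($Base64)
    # powershell -EncodedCommand takes UTF-16LE, which is how such blobs are
    # usually stored: for ASCII text every second byte is zero. Fall back to UTF-8.
    if ($bytes.Length -ge 2 -and $bytes[1] -eq 0) {
        return [Text.Encoding]::Unicode.GetString($bytes)
    }
    return [Text.Encoding]::UTF8.GetString($bytes)
}

function Test-EmpireLauncherTraits {
    param([Parameter(Mandatory)][string]$Script)
    # One regex per trait discussed in the lab; -bxor is PowerShell's XOR operator.
    $traits = [ordered]@{
        'C2 URL login/process.php' = [bool]($Script -match '(?i)/(login|process)\.php')
        'XOR routine (-bxor)'      = [bool]($Script -match '(?i)-bxor')
        'Staging key variable $K'  = [bool]($Script -match '\$K\s*=')
    }
    $hits = @($traits.Values | Where-Object { $_ }).Count
    $result = [ordered]@{}
    foreach ($name in $traits.Keys) { $result[$name] = $traits[$name] }
    $result['Score'] = "$hits of $($traits.Count)"
    # Verdict threshold is an assumption for this example.
    $result['Verdict'] = if ($hits -eq $traits.Count) { 'Empire-like' } elseif ($hits -gt 0) { 'partial match, review manually' } else { 'no Empire traits' }
    return [PSCustomObject]$result
}

# Constructed sample (placeholder key and host; not real Empire code),
# encoded the way -EncodedCommand expects.
$sample = @'
$K=[Text.Encoding]::ASCII.GetBytes('EXAMPLE_STAGING_KEY_PLACEHOLDER')
$u='http://c2.example.invalid/login/process.php'
$x=0..3|ForEach-Object{ $_ -bxor $K[$_ % $K.Length] }
'@
$blob = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($sample))

$decoded = ConvertFrom-LauncherBase64 -Base64 $blob
Test-EmpireLauncherTraits -Script $decoded | Format-List
```

Feed ConvertFrom-LauncherBase64 the string NorkNork reported instead of the constructed sample to triage a real finding. A full match is a strong pointer to Empire, but the decoded script itself remains the evidence: read it, and note the C2 host and the key for the rest of the investigation.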

To conclude, in this lab three (3) ways were documented that, when combined, could assist
you in detecting Empire on an endpoint under your supervision.

- EIF & EIF Parser (detect reflective DLL injection)
- Get-InjectedThread.ps1 (detect memory injection, including reflective DLL injection)
- NorkNork (detect Empire's persistence mechanisms)
