Detecting Empire with USM Anywhere

October 18, 2018 | Jose Manuel Martin
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

Empire is an open source post-exploitation framework that acts as a capable backdoor on infected systems.  It provides a management platform for infected machines. Empire can deploy PowerShell and Python agents to infect both Windows and Linux systems.

Empire can:

  • Deploy fileless agents to perform command and control.
  • Exploit vulnerabilities to escalate privileges.
  • Install itself for persistence.
  • Steal user credentials.

It has also evolved to support the initial attack phases of an attack, and can create malicious documents to deploy its agent.

Empire’s features are classified into listeners, stagers and modules. Below, we describe how AlienVault USM can detect these stages below on a Windows target.

Staging

Empire first attempts to deploy an agent using one of multiple stager modules. USM will generically detect the agent after Powershell is invoked with an encoded payload. Commands executed with encoded arguments are commonly used by attackers as an obfuscation technique, so they produce the USM alert ‘Defense Evasion - Obfuscated Command - Powershell Execution of Encoded Command’:

staging Empire first attempts to deploy an agent using one of multiple stager modules

This alert detects most Empire stagers on Windows, when they use Powershell to execute an encoded command.

If enabled, the Windows Antimalware Scan Interface should also block the PowerShell command.  The ‘Malware Infection - Windows Defender Malware Detected’ alert, shows the necessary information to locate the malicious file:

If enabled, the Windows Antimalware Scan Interface should also block the PowerShell command

An alternative for an attacker is to craft an Office document with a macro, which will execute the agent command by running a crafted Windows process from the WMI Service:

Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")

Set objStartup = objWMIService.Get("Win32_ProcessStartup")

Set objConfig = objStartup.SpawnInstance_

objConfig.ShowWindow = 0

Set objProcess = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")

objProcess.Create str, Null, objConfig, intProcessID

When the macro runs, the Windows Management Instrumentation Command will create a new process. USM will listen the Windows events to detect the WMIC call, commonly used in lateral movement scenarios. The ‘Lateral Movement - Remote WMIC Activity’ alert will raise displaying the malicious Powershell command:

When the macro runs, the Windows Management Instrumentation Command will create a new process. USM will listen the Windows events to detect the WMIC call, commonly used in lateral movement scenarios

Another way for an attacker to implant the Empire agent into their victims machine is to create a HTML Application using the Empire module windows/hta. In weak security configuration system, a simple spear phishing mail with a link to the crafted HTML application will be enough to get the agent running.

For each alert, the USM provides detailed information about the nature of the issue and useful recommendations for the security staff to follow:

For each alert, the USM provides detailed information about the nature of the issue and useful recommendations for the security staff to follow

As this is a common technique for installing malware, USM identifies applications such as Powershell executed by HTML Applications. In this instance, USM creates an alarm for ‘Code Execution - Suspicious Process Created by mshta.exe’:

As this is a common technique for installing malware, USM identifies applications such as Powershell executed by HTML Applications. In this instance, USM creates an alarm for ‘Code Execution - Suspicious Process Created by mshta.exe

Escalating Privileges

After infection, the attacker will try to escalate privileges. For that, they can use one of the ‘privesc’ Empire modules.

One of the most dangerous will try to bypass Windows UAC by abusing the native Event Viewer. When Event Viewer runs, it tries to execute mmc.exe from  HKCU\Software\Classes\mscfile\shell\open\command registry. Thus, an attacker can use that location to place a process that will run with high level integrity.

Trying this would result in a registry key hijack attempt, that is detected by AlienVault agent and deployed in USM with a ‘Privilege Escalation - Windows UAC Bypass’ alert:

Trying this would result in a registry key hijack attempt, that is detected by AlienVault agent and deployed in USM with a ‘Privilege Escalation - Windows UAC Bypass’ alert

Empire C&C


The Empire agent will access the network through a crafted powershell command. Although this command combines a number of obfuscation techniques (such as case switching) and Base64 encoding, some features in its structure are invariant and allow for detection.

When the decoded command is registered by ‘Windows Powershell Login Channel’ and sent to the USM engine, it will trigger a ‘Hacking Tool - Powershell Empire agent CnC activity’ alert announcing that Empire has been detected on the machine:

Other features

The Empire framework also provides several modules to enable persistence on the infected machine such as: scheduled tasks, a number of registry keys, or WMI event subscriptions.

USM Anywhere alerts of each scheduled task with a low priority alarm:

These alerts provide full information about the task content, responsible user, and other key data.

To steal system credentials, an attacker can also rely on Empire modules. The mimikatz module can operate after a high privileges agent is installed in the victim’s machine. Executing mimikatz leverages an iterative file listing process easy to detect with USM:

To steal system credentials, an attacker can also rely on Empire modules. The mimikatz module can operate after a high privileges agent is installed in the victim’s machine. Executing mimikatz leverages an iterative file listing process easy to detect with USM

The alert  ‘Credential Access - Powershell script executing mimikatz’ deploys the command and other interesting data.

Empire also uses registry keys for persistence. Some interesting registries to monitor with USM are SOFTWARE\Microsoft\Windows\CurrentVersion\Run and SOFTWARE\Microsoft\Windows\CurrentVersion\Debug.

Thanks Chris Doman for collaboration

Appendix

Host detection

Empire is detected as it is installed and executed on a machine with the following detections:

Malware Infection - Windows Defender Malware Detected

Defense Evasion - Obfuscated Command - Powershell Execution of Encoded Command

Code Execution - Suspicious Process Created by mshta.exe

Privilege Escalation - Windows UAC Bypass

Hacking Tool - Powershell Empire agent CnC Activity

Credential Access - Powershell script executing mimikatz

Security Critical Event - Windows Scheduled Job Created

Network detection

Empire is detected as it communicates over the network via the following network detections:

ETPRO TROJAN Observed PS Empire Downloader SSL Cert via MalDoc Oct 20

ETPRO TROJAN PowerShell Empire Request HTTP Pattern

ETPRO TROJAN PowerShell Empire Response HTTP Pattern

ETPRO TROJAN PowerShell Empire Malicious SSL Certificate Detected

ETPRO TROJAN PowerShell Empire SSL Cert

ETPRO TROJAN Receiving Possible PowerShell Empire Stager

ETPRO CURRENT_EVENTS PowerShell Empire Session via MSOffice Doc Macro

ETPRO CURRENT_EVENTS PowerShell Empire Session Initial Activity

ETPRO CURRENT_EVENTS PowerShell Empire Session via Excel Macro

Jose Manuel Martin

About the Author: Jose Manuel Martin
Jose is a Security Researcher and a part of the AlienVault Labs team. His interest in development led Jose to work as an Application Security Engineer and Scrum Master in the past. Nowadays he enjoys watching old-fashioned movies, researching threat models, and finding new mechanisms to detect malware. Also, he is an enthusiast of information theory and physics.
Read more posts from Jose Manuel Martin ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL