Empire is an open source post-exploitation framework that acts as a capable backdoor on infected systems. It provides a management platform for infected machines. Empire can deploy PowerShell and Python agents to infect both Windows and Linux systems.
- Deploy fileless agents to perform command and control.
- Exploit vulnerabilities to escalate privileges.
- Install itself for persistence.
- Steal user credentials.
It has also evolved to support the initial phases of an attack, and can create malicious documents to deploy its agent.
Empire’s features are classified into listeners, stagers and modules. Below, we describe how AlienVault USM can detect these stages on a Windows target.
Empire first attempts to deploy an agent using one of multiple stager modules. USM will generically detect the agent after Powershell is invoked with an encoded payload. Commands executed with encoded arguments are commonly used by attackers as an obfuscation technique, so they produce the USM alert ‘Defense Evasion - Obfuscated Command - Powershell Execution of Encoded Command’:
This alert detects most Empire stagers on Windows, when they use Powershell to execute an encoded command.
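The encoded-command detection described above can be reproduced outside USM with a small parser over process-creation command lines. The following is an added example and not USM or Empire code: it recognises the PowerShell encoded-command switch (any unambiguous prefix of -EncodedCommand, including the documented -e and -ec short forms), Base64-decodes the UTF-16LE payload so an analyst can read what would have run, and ignores non-PowerShell or non-encoded command lines. The sample command line is constructed here with a benign script purely to exercise the parser.

```python
import base64
import re

# Constructed sample: a benign script, encoded exactly the way -EncodedCommand
# expects (UTF-16LE, then Base64). Nothing here comes from a real host.
BENIGN_SCRIPT = "Write-Host 'hello from an encoded command'"


def encode_command(script: str) -> str:
    """Produce the Base64(UTF-16LE) form that powershell.exe decodes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_COMMAND_LINE = (
    "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_command(BENIGN_SCRIPT)
)

POWERSHELL_RE = re.compile(r"(?i)\b(?:powershell|pwsh)(?:\.exe)?\b")


def _is_encoded_flag(token: str) -> bool:
    """True for -e, -ec and any prefix of -EncodedCommand starting with 'en'.
    (-ex... is left alone, since it could mean -ExecutionPolicy.)"""
    if not token.startswith(("-", "/")):
        return False
    name = token[1:].lower()
    return name in ("e", "ec") or (
        name.startswith("en") and "encodedcommand".startswith(name)
    )


def _b64decode_lenient(data: str) -> bytes:
    """Decode Base64 that may arrive quoted or with its padding stripped."""
    data = data.strip().strip("'\"")
    data += "=" * (-len(data) % 4)
    return base64.b64decode(data)


def inspect_encoded_command(command_line: str):
    """Return {'flag': <switch used>, 'decoded': <script or None>} when the
    command line launches PowerShell with an encoded payload, else None."""
    if not POWERSHELL_RE.search(command_line):
        return None
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_flag(tok):
            try:
                decoded = _b64decode_lenient(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                decoded = None  # flag present but payload unreadable: still worth alerting
            return {"flag": tok, "decoded": decoded}
    return None


if __name__ == "__main__":
    hit = inspect_encoded_command(SAMPLE_COMMAND_LINE)
    print("switch:", hit["flag"])
    print("decoded:", hit["decoded"])
```

The decoded text is what an analyst wants attached to the alert: the Base64 blob on its own says nothing about intent, while the decoded script shows whether it is a stager, a scheduled job or a legitimate administrative one-liner.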
If enabled, the Windows Antimalware Scan Interface should also block the PowerShell command. The ‘Malware Infection - Windows Defender Malware Detected’ alert shows the information needed to locate the malicious file:
An alternative for an attacker is to craft an Office document with a macro, which will execute the agent command by running a crafted Windows process from the WMI Service:
' Connect to the local WMI namespace
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
' Prepare a Win32_ProcessStartup configuration with a hidden window
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = 0
' Ask WMI to create the process; str holds the command line (its value is not shown here)
Set objProcess = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
objProcess.Create str, Null, objConfig, intProcessID
When the macro runs, Windows Management Instrumentation creates a new process. USM listens to the Windows events to detect the WMI call, which is commonly used in lateral movement scenarios. The ‘Lateral Movement - Remote WMIC Activity’ alert is raised, displaying the malicious Powershell command:
Another way for an attacker to implant the Empire agent on a victim’s machine is to create an HTML Application using the Empire module windows/hta. On a weakly configured system, a simple spear phishing mail with a link to the crafted HTML Application is enough to get the agent running.
For each alert, USM provides detailed information about the nature of the issue and useful recommendations for the security staff to follow:
As this is a common technique for installing malware, USM identifies applications such as Powershell executed by HTML Applications. In this instance, USM creates an alarm for ‘Code Execution - Suspicious Process Created by mshta.exe’:
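Both the WMI-launched process and the mshta.exe case above come down to the same question: which parent created the script host? The following is an added example, not USM’s detection logic, that applies a parent/child rule to process-creation records. It assumes Windows Security event 4688 records that carry a ParentProcessName field (present on Windows 10 / Server 2016 and later) and that a process created through Win32_Process.Create appears with WmiPrvSE.exe as its parent; the events below are constructed for the demonstration.

```python
# Constructed sample events in the shape of Windows Security 4688 (process
# creation) records, reduced to the fields this check reads. Not from a real host.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": PS,
     "ParentProcessName": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc QQBB"},
    {"EventID": 4688, "NewProcessName": PS,
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc QQBB"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 4688, "NewProcessName": PS,
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"EventID": 4689, "NewProcessName": PS,
     "ParentProcessName": r"C:\Windows\System32\mshta.exe",
     "CommandLine": ""},  # process exit, not creation: must be ignored
]

# Parents that have no routine business launching a shell or script host.
# Labels are this example's own; the mshta.exe one mirrors the USM alert name.
SUSPICIOUS_PARENTS = {
    "mshta.exe": "Code Execution - Suspicious Process Created by mshta.exe",
    "wmiprvse.exe": "Process created through WMI (Win32_Process.Create host, assumption)",
    "winword.exe": "Office application spawning a shell or script host",
    "excel.exe": "Office application spawning a shell or script host",
    "powerpnt.exe": "Office application spawning a shell or script host",
}

CHILDREN_OF_INTEREST = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "mshta.exe",
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_suspicious_parent_child(events):
    """Return one hit per 4688 record whose parent/child pair is on the list."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        parent = basename(ev["ParentProcessName"])
        child = basename(ev["NewProcessName"])
        if parent in SUSPICIOUS_PARENTS and child in CHILDREN_OF_INTEREST:
            hits.append({
                "parent": parent,
                "child": child,
                "reason": SUSPICIOUS_PARENTS[parent],
                "command_line": ev["CommandLine"],
            })
    return hits


if __name__ == "__main__":
    for hit in detect_suspicious_parent_child(SAMPLE_EVENTS):
        print(f"{hit['parent']} -> {hit['child']}: {hit['reason']}")
        print("   ", hit["command_line"])
```

The explorer.exe-launched PowerShell is deliberately left alone: the rule keys on the parent, not on PowerShell itself, which is what keeps it quiet on hosts where administrators run scripts all day.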
After infection, the attacker will try to escalate privileges. For that, they can use one of the ‘privesc’ Empire modules.
One of the most dangerous will try to bypass Windows UAC by abusing the native Event Viewer. When Event Viewer runs, it tries to execute mmc.exe from the HKCU\Software\Classes\mscfile\shell\open\command registry key. Thus, an attacker can use that location to place a process that will run with a high integrity level.
Attempting this produces a registry key hijack, which the AlienVault agent detects and USM surfaces as a ‘Privilege Escalation - Windows UAC Bypass’ alert:
The Empire agent will access the network through a crafted powershell command. Although this command combines a number of obfuscation techniques (such as case switching) and Base64 encoding, some features in its structure are invariant and allow for detection.
When the decoded command is logged by the ‘Windows Powershell Login Channel’ and sent to the USM engine, it triggers a ‘Hacking Tool - Powershell Empire agent CnC activity’ alert announcing that Empire has been detected on the machine:
The Empire framework also provides several modules to enable persistence on the infected machine such as: scheduled tasks, a number of registry keys, or WMI event subscriptions.
USM Anywhere raises a low-priority alarm for each scheduled task:
These alerts provide full information about the task content, responsible user, and other key data.
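The task content, responsible user and launch command that these alerts surface all live inside the Windows Security 4698 (“A scheduled task was created”) event, whose TaskContent field carries the task definition as XML. The following is an added example, not USM code, that pulls those fields out of a constructed 4698 record and flags tasks whose action launches a shell or script host. The XML namespace is the one the Task Scheduler schema uses; the sample task itself is made up for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample in the shape of a Security 4698 record. The TaskContent
# XML mirrors what Task Scheduler writes; nothing here comes from a real host.
SAMPLE_4698 = {
    "EventID": 4698,
    "SubjectDomainName": "CORP",
    "SubjectUserName": "jdoe",
    "TaskName": r"\Microsoft\Windows\Updater",
    "TaskContent": """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoP -W Hidden -Enc QQBB</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def _parse_task_xml(content: str) -> ET.Element:
    # The logged XML declares encoding="UTF-16" but reaches us as text; expat
    # rejects a multi-byte declaration on str input, so drop the declaration.
    content = re.sub(r"^\s*<\?xml[^>]*\?>", "", content)
    return ET.fromstring(content)


def summarize_task_creation(event: dict) -> dict:
    """Extract who created which task, what it runs and when it fires."""
    root = _parse_task_xml(event["TaskContent"])
    actions = []
    for exec_node in root.iter(TASK_NS + "Exec"):
        actions.append({
            "command": (exec_node.findtext(TASK_NS + "Command") or "").strip(),
            "arguments": (exec_node.findtext(TASK_NS + "Arguments") or "").strip(),
        })
    triggers_node = root.find(TASK_NS + "Triggers")
    triggers = [] if triggers_node is None else [
        child.tag.replace(TASK_NS, "") for child in triggers_node
    ]
    suspicious = any(
        a["command"].rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS for a in actions
    )
    return {
        "task": event["TaskName"],
        "user": f"{event['SubjectDomainName']}\\{event['SubjectUserName']}",
        "actions": actions,
        "triggers": triggers,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    summary = summarize_task_creation(SAMPLE_4698)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Keeping the trigger list in the summary matters for triage: a logon or boot trigger paired with a script host is the persistence pattern, whereas a one-off trigger created by a software installer usually is not.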
To steal system credentials, an attacker can also rely on Empire modules. The mimikatz module can operate once a high-privilege agent is installed on the victim’s machine. Executing mimikatz involves an iterative file listing process that is easy to detect with USM:
The alert ‘Credential Access - Powershell script executing mimikatz’ displays the command and other interesting data.
Empire also uses registry keys for persistence. Some interesting registry keys to monitor with USM are SOFTWARE\Microsoft\Windows\CurrentVersion\Run and SOFTWARE\Microsoft\Windows\CurrentVersion\Debug.
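The UAC-bypass key described earlier (the mscfile handler under HKCU) and the persistence keys named just above can be watched with one registry-event rule. The following is an added example, not the AlienVault agent’s implementation: it runs a small watchlist over constructed records in the shape of Sysmon Event ID 13 (RegistryEvent, value set). It assumes Sysmon’s convention of logging HKCU paths as HKU\<SID>\... and of naming the default value (Default); the SIDs and values below are made up.

```python
import re

# Watchlist: regex over the registry path, plus the label this example raises.
REGISTRY_WATCHLIST = [
    (re.compile(r"\\software\\classes\\mscfile\\shell\\open\\command(\\\(default\))?$", re.I),
     "Privilege Escalation - mscfile handler hijack (Event Viewer / mmc.exe UAC bypass)"),
    (re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\[^\\]+$", re.I),
     "Persistence - Run key value set"),
    (re.compile(r"\\software\\microsoft\\windows\\currentversion\\debug(\\[^\\]+)?$", re.I),
     "Persistence - Debug key value set"),
]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID

# Constructed sample events shaped like Sysmon Event ID 13 records.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Image": PS,
     "TargetObject": SID + r"\Software\Classes\mscfile\shell\open\command\(Default)",
     "Details": "powershell.exe -NoP -W Hidden -Enc QQBB"},
    {"EventID": 13, "EventType": "SetValue", "Image": PS,
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": "powershell.exe -NoP -W Hidden -Enc QQBB"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},  # ordinary user setting: no hit expected
    {"EventID": 12, "EventType": "CreateKey", "Image": PS,
     "TargetObject": SID + r"\Software\Classes\mscfile\shell\open\command",
     "Details": ""},  # key creation only; this rule keys on value writes
]


def match_registry_events(events):
    """Return one hit per value-set event whose path is on the watchlist."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        for pattern, label in REGISTRY_WATCHLIST:
            if pattern.search(ev["TargetObject"]):
                hits.append({
                    "label": label,
                    "target": ev["TargetObject"],
                    "image": ev["Image"],
                    "details": ev["Details"],
                })
                break
    return hits


if __name__ == "__main__":
    for hit in match_registry_events(SAMPLE_EVENTS):
        print(hit["label"])
        print("   path :", hit["target"])
        print("   by   :", hit["image"])
        print("   value:", hit["details"])
```

The Details field is the value written, so for the mscfile hit it is the exact command Event Viewer would hand to mmc.exe under high integrity; surfacing it in the alert, as USM does, lets the responder see the payload without touching the host.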
Thanks Chris Doman for collaboration
Empire is detected as it is installed and executed on a machine with the following detections:
Malware Infection - Windows Defender Malware Detected
Defense Evasion - Obfuscated Command - Powershell Execution of Encoded Command
Code Execution - Suspicious Process Created by mshta.exe
Privilege Escalation - Windows UAC Bypass
Hacking Tool - Powershell Empire agent CnC Activity
Credential Access - Powershell script executing mimikatz
Security Critical Event - Windows Scheduled Job Created
Empire is detected as it communicates over the network via the following network detections:
ETPRO TROJAN Observed PS Empire Downloader SSL Cert via MalDoc Oct 20
ETPRO TROJAN PowerShell Empire Request HTTP Pattern
ETPRO TROJAN PowerShell Empire Response HTTP Pattern
ETPRO TROJAN PowerShell Empire Malicious SSL Certificate Detected
ETPRO TROJAN PowerShell Empire SSL Cert
ETPRO TROJAN Receiving Possible PowerShell Empire Stager
ETPRO CURRENT_EVENTS PowerShell Empire Session via MSOffice Doc Macro
ETPRO CURRENT_EVENTS PowerShell Empire Session Initial Activity
ETPRO CURRENT_EVENTS PowerShell Empire Session via Excel Macro