Consider adding artifacts from PowerShell Empire #360
Comments
|
I add some references which might help hunting for Empire with already existing artifacts. Could you propose specific artifacts which you miss from the current repo and which you would like to be able to collect? I'm unsure if we should add a specific artifact for the EventViewer file hijacking (.msc file extension, HKCU:\Software\Classes\mscfile\shell\open\command). @joachimmetz must answer that question. What we already have is the collection of every command using the following artifact: Line 2518 in 9fdf452 The SSP persistence should be already covered with the following artifact: Line 1261 in 9fdf452 Other persistence mechanisms from Empire are run keys or scheduled tasks - we have Line 1824 in 9fdf452 and Line 1767 in 9fdf452 I think some of mentioned artifacts aren't generic artifacts per se, like .lnk files or added keys to the Registry and are malware family specific. The link triggers a command which is stored in a registry key (by default debug). Collecting every .lnk file or searching for registry keys with powershell in the value must be done outside of just collecting an artifact - of course, we could collect just the specific registry key with the default name, but I think that's to specific for Empire compared to other generic artifacts in the repo. |
Ie from https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Invoke-BackdoorLNK.ps1
https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Install-SSP.ps1
https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1
etc.
The text was updated successfully, but these errors were encountered: