Empire PowerShell: A Post-Exploitation Agent

Oded van Kloeten
SSD Secure Disclosure
4 min read · Jan 7, 2020

Introduction

In modern offensive cyber security, carrying out a successful operation involves multiple phases. One phase that is critical but often overlooked is the post-exploitation phase. This part of the operation involves gaining persistent access to the targeted machine and building facilities on top of that newly gained access for further action.

PowerShell, a Microsoft-developed task-based command-line shell and scripting language, helps system administrators and power users rapidly automate tasks that manage operating systems (Linux, macOS, and Windows) and processes. It consists of a command-line shell and an associated scripting language.

PowerShell is ideal for those who have tasks they want to run automatically to manage operating systems and their processes. Among the advantages PowerShell offers are interaction with a vast number of technologies, great flexibility, and an improved ability to control and automate the many technologies it integrates with. Since PowerShell is built into the OS and is a Microsoft product, it is not going away anytime soon.

Post-Exploitation security

As the term suggests, post-exploitation refers to the phases of an operation that follow the compromise of a victim's system by the attacker. The value of the compromised system is determined by the value of the data stored on it and by how an attacker may make use of it for malicious purposes: collecting sensitive information, documenting it, and learning the configuration settings, network interfaces, and other communication channels. These may then be used to maintain persistent access to the system according to the attacker's needs.

Because post-exploitation allows for virtually unlimited implementations, there is not much standardization of tooling. However, there is one tool that aims to standardize post-exploitation on Windows machines: Empire.

Empire Advantages on Windows

Empire is a post-exploitation agent written in PowerShell, which gives it a flexible architecture, combined with cryptographically secure communication. Empire's main goal is to make the immense power of PowerShell available when employing post-exploitation tools.

The reasoning behind using PowerShell rather than other scripting engines is quite strong. PowerShell, created for Windows system administration, exposes the raw power of the .NET Framework while also giving a low-level interface to the Win32 API, making it a great tool set for post-exploitation development. In addition, because PowerShell is so deeply tied to the Windows operating system, it is trusted by it, which gives the operating team the advantage of being far less likely to be blocked by the operating system.

As well as these local-machine advantages, Empire also employs cryptographically strong communication, which helps it evade network detection. This lets the communication channel be developed calmly, without the constant concern that its traffic could be decrypted.

Empire and its potential impact on everyday users

Specialists and hackers are learning to stay off the disk to avoid file-based detection technologies. Instead, they are developing fascinating ways to live inside the memory of trusted, seemingly innocuous processes such as PowerShell.

Empire proves what you can do with just PowerShell and is easy to use even if you aren't a PowerShell expert. If you are thinking that blocking or detecting Empire is simply a matter of locking down or watching for PowerShell, consider that the makers of Empire have combined a number of sophisticated techniques to run PowerShell inside a zombie process without ever starting powershell.exe.
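Because the engine can be hosted outside powershell.exe, a defender cannot rely on process names alone. The following added example (not from the article or the Empire project) takes the opposite view: it lists every process on a Windows host that has loaded the PowerShell engine assembly (System.Management.Automation) but is not one of the expected host executables. The allow-list of host names is a constructed assumption and will need tuning for environments with legitimate embedded hosts.

```powershell
# Added example, not part of the original post. Assumes Windows PowerShell 5.1 or
# PowerShell 7 on a Windows host, run elevated so module lists of other users'
# processes can be read. The allow-list below is a constructed starting point.
$ExpectedHosts = @('powershell', 'powershell_ise', 'pwsh')

function Find-UnexpectedPowerShellHosts {
    param([string[]]$AllowedHostNames = $ExpectedHosts)

    $findings = foreach ($proc in Get-Process) {
        # Reading .Modules of a protected or mismatched-bitness process throws;
        # skip it but keep a trace so blind spots are visible in the run.
        try {
            $modules = $proc.Modules
        } catch {
            Write-Verbose "Cannot read modules of PID $($proc.Id) ($($proc.ProcessName)): $_"
            continue
        }

        # The IL assembly or its native image (.ni.dll) both mean the engine is loaded.
        $engine = $modules | Where-Object {
            $_.ModuleName -match '^System\.Management\.Automation(\.ni)?\.dll$'
        }

        if ($engine -and ($AllowedHostNames -notcontains $proc.ProcessName)) {
            [pscustomobject]@{
                Pid         = $proc.Id
                ProcessName = $proc.ProcessName
                ImagePath   = $proc.Path
                EngineDll   = ($engine | Select-Object -First 1).FileName
            }
        }
    }
    return $findings
}

# Each row is a process hosting the PowerShell engine under an unexpected image name.
Find-UnexpectedPowerShellHosts -Verbose | Format-Table -AutoSize
```

Expect some benign hits (management consoles and other products that embed the engine), so treat the output as a triage list rather than an alert. Engine-level telemetry such as Script Block Logging (event ID 4104) is emitted by the engine itself and so still covers code run in these unexpected hosts.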

Due to the rapid advancements in the Empire and PowerShell scene, we here at SSD believe that the usage of such post-exploitation agents will increase over the years. Because these topics are not discussed as much as other infosec topics, not enough effort is put into mitigating these technologies, which will further attract the usage of such platforms in the long run.

— —

TyphoonCon, an all-offensive security conference hosted by SSD, will take place on June 14, 2020 in Seoul, South Korea. Take part in two days of conference talks by industry leaders and three days of extensive training. Visit www.typhoonCon.com to learn more! TyphoonPwn, a live hacking competition with prizes up to $500,000, will take place during TyphoonCon. Sign up now: https://typhooncon.com/typhooncon-201...

Visit SSD: https://ssd-disclosure.com/typhooncon
Join the conversation:
https://twitter.com/SecuriTeam_SSD
https://twitter.com/typhooncon
https://www.facebook.com/typhooncon/
linkedin.com/company/ssd-disclosure
https://t.me/joinchat/I6jTnFGgDuaJlhk...
