One Article Review

Source: AlienVault Blog
Identifier: 854010
Publication date: 2018-10-18 18:13:00 (viewed: 2018-10-18 23:06:11)
Title: Detecting Empire with USM Anywhere
Text: Empire is an open source post-exploitation framework that acts as a capable backdoor on infected systems. It provides a management platform for infected machines. Empire can deploy PowerShell and Python agents to infect both Windows and Linux systems. Empire can:
- Deploy fileless agents to perform command and control.
- Exploit vulnerabilities to escalate privileges.
- Install itself for persistence.
- Steal user credentials.
It has also evolved to support the initial phases of an attack, and can create malicious documents to deploy its agent. Empire’s features are classified into listeners, stagers and modules. Below, we describe how AlienVault USM can detect these stages on a Windows target.

Staging
Empire first attempts to deploy an agent using one of multiple stager modules. USM generically detects the agent after PowerShell is invoked with an encoded payload. Commands executed with encoded arguments are commonly used by attackers as an obfuscation technique, so they produce the USM alert ‘Defense Evasion - Obfuscated Command - Powershell Execution of Encoded Command’. This alert detects most Empire stagers on Windows when they use PowerShell to execute an encoded command. If enabled, the Windows Antimalware Scan Interface should also block the PowerShell command.

The ‘Malware Infection - Windows Defender Malware Detected’ alert shows the information needed to locate the malicious file.

An alternative for an attacker is to craft an Office document with a macro, which executes the agent command by running a crafted Windows process from the WMI service:

    ' str holds the command line to run; intProcessID receives the new process id
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    objConfig.ShowWindow = 0
    Set objProcess = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
    objProcess.Create str, Null, objConfig, intProcessID

When the macro runs, Windows Management Instrumentation creates the new process. USM listens to the Windows events to detect the WMIC call, which is commonly used in lateral movement scenarios. The ‘Lateral Movement - Remote WMIC Activity’ alert is raised, displaying the malicious PowerShell command.

Another way for an attacker to implant the Empire agent on a victim’s machine is to create an HTML Application using the Empire module windows/hta. On a system with a weak security configuration, a simple spear-phishing mail with a link to the crafted HTML application is enough to get the agent running.

For each alert, USM provides detailed information about the nature of the issue and useful recommendations for the security staff to follow.
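The two detections the article describes, the encoded PowerShell command and the WMI-driven process creation, can be reproduced as simple rules over process-creation telemetry. The script below is an added example written for this page; it is not USM Anywhere's detection logic or AlienVault code. It assumes a flattened process-creation record (host, image, parent image, command line, as a Sysmon Event ID 1 or Security 4688 event would provide) and constructed sample events; the alert names are borrowed from the article only as labels. The encoded-command rule also decodes the payload, which is what an analyst needs to judge the alert, since PowerShell expects the argument as base64 of UTF-16LE text.

```python
"""Toy detection rules for encoded PowerShell and WMI process creation.

Added example, not USM Anywhere code.  Field names and all sample events
are constructed for this illustration; they do not come from a real host.
"""
import base64
import binascii
import ntpath
import re
from typing import Optional

# PowerShell accepts -EncodedCommand and its unambiguous prefixes (-e, -ec, -en, -enc).
ENC_FLAG = re.compile(
    r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)

# Benign constructed payload, encoded the way powershell.exe expects it.
SAMPLE_COMMAND = "Write-Output 'constructed sample'"
SAMPLE_B64 = base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoP -W Hidden -Enc " + SAMPLE_B64},
    # Process spawned through WMI (Win32_Process.Create), as the macro above does:
    # the parent is the WMI provider host rather than the Office application.
    {"host": "ws02", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoP -W Hidden -enc " + SAMPLE_B64},
    {"host": "ws03", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:constructed-host process call create "notepad.exe"'},
    # Benign administrative use: a script file, no encoded argument.
    {"host": "ws04", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\inventory.ps1"},
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def detect_encoded_powershell(event: dict) -> Optional[dict]:
    """Rule 1: PowerShell started with an encoded command; includes the decoded text."""
    image = ntpath.basename(event["image"]).lower()
    if image not in ("powershell.exe", "pwsh.exe"):
        return None
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is None:
        return None
    return {"rule": "Defense Evasion - Obfuscated Command - Powershell Execution of Encoded Command",
            "host": event["host"], "decoded_command": decoded}


def detect_wmi_process_creation(event: dict) -> Optional[dict]:
    """Rule 2: a process created through WMI.

    Two indicators (assumed for this example): the parent is WmiPrvSE.exe, which is
    what Win32_Process.Create produces, or wmic.exe is run against a remote /node:
    with 'process call create'.
    """
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event.get("parent", "")).lower()
    cmd = event["cmdline"].lower()
    if parent == "wmiprvse.exe":
        reason = "child process of the WMI provider host"
    elif image == "wmic.exe" and "/node:" in cmd and "process call create" in cmd:
        reason = "remote process creation via wmic"
    else:
        return None
    return {"rule": "Lateral Movement - Remote WMIC Activity",
            "host": event["host"], "reason": reason, "cmdline": event["cmdline"]}


def run_rules(events: list) -> list:
    """Apply both rules to every event and collect the alerts raised."""
    alerts = []
    for event in events:
        for rule in (detect_encoded_powershell, detect_wmi_process_creation):
            alert = rule(event)
            if alert is not None:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone, the script raises four alerts over the constructed events: the WMI-spawned PowerShell triggers both rules, which is exactly the overlap the article describes for the macro path, and the `-File` invocation raises nothing.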


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up in a previous one.