Montreal, August 31st, 2016.
With the multiplication of cyber-attacks reported in the news and popular TV series like Mr. Robot, which I strongly recommend watching, we can safely say that hackers and their magic tricks have gripped the people’s imagination. But how do they do it? It can seem almost magical from an outsider’s point of view. Well, in this blog post, we will briefly introduce a relatively new tool that makes the magic of hacking come true with a few simple command lines.
The tool is PowerShell Empire and is one of the biggest game changers as of late. It first came out just over a year ago, in August 2015, at BSides Las Vegas. Armed with this tool, one can generate a small piece of code which once executed on a target Windows machine can grant complete control over the victim’s computer.
There are several aspects of PowerShell Empire that makes it so special. It’s a “post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.” Since PowerShell is based upon .NET framework and that it is tightly integrated with Windows, it will go unnoticed from most Anti-virus and IDS/IPS. Furthermore, “[…] there is no need to drop files on disk. Everything, with the possible exception of the script itself run entirely memory-resident.”[1]
To get started with Empire, one of the first things to do is to setup a “listener” with a self-signed certificate that will allow you, as its name implies, to listen to your target. Next, through the use of various types of stagers/launchers one can then create and execute an agent. An agent is basically a Base64 encoded piece of code that must be passed on to and executed by the target. Once that is done, the target will seamlessly connect back to the listeners via an encrypted channel.
Once the connection is established, PowerShell Empire allows for the usage of a wide range of modules, from key loggers to password recovery, all executable within memory. One of the most well-known and appreciated by the hacker community is Mimikatz: “It allows for the extraction of plaintext credentials from memory, password hashes from local SAM/NTDS.dit databases, advanced Kerberos functionality.” [2] It can […] “also perform pass-the-hash, pass-the-ticket or build Golden tickets.”[3]
For all these reasons, one can see the vast potential of PowerShell Empire. Now the question is, how will the IT security community will respond and defend against such a beast? If you think that you are safe because you are using a Mac OS, think again, EmPyre for Mac is on the way but that will be a discussion for another time. Meanwhile, feel free to leave your comments and discussions below.
David-Alexandre Alarie, IT Security Consultant at OKIOK
__________________________________________
[1] Graeber, M., 2012, August 17, Retrieved from https://www.exploit-monday.com/2012/08/Why-I-Choose-PowerShell.html
[2] Harmj0y, sixdub, & enigma0x3, 2015, Empire. Retrieved from powershellempire.com: https://www.powershellempire.com
[3] Delpy, B. (2015), gentilkiwi/mimikatz, Retrieved from GitHub: https://github.com/gentilkiwi/mimikatz
