Invoke-Shellcode - Empire Module
This page contains detailed information about how to use the powershell/code_execution/invoke_shellcode Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-Shellcode
Module: powershell/code_execution/invoke_shellcode
Source code [1]: empire/server/modules/powershell/code_execution/invoke_shellcode.yaml
Source code [2]: empire/server/modules/powershell/code_execution/invoke_shellcode.py
MITRE ATT&CK:
T1064, S0194
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: Yes
The invoke_shellcode module uses PowerSploit's Invoke--Shellcode to inject shellcode into the process ID of your choosing or within the context of the running PowerShell process. If you're injecting custom shellcode, make sure it's in the correct format and matches the architecture of the process you're injecting into.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the invoke_shellcode module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the invoke_shellcode module:
Agent
Agent to run module on.
Shellcode
Custom shellcode to inject, 0xaa,0xab,... format.
Additional Module Options
This is a list of additional options that are supported by the invoke_shellcode module:
Lhost
Local host handler for the meterpreter shell.
Listener
Meterpreter/Beacon listener name.
Lport
Local port of the host handler.
ProcessID
Process ID of the process you want to inject shellcode into.
Invoke_shellcode Example Usage
Here's an example of how to use the invoke_shellcode module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/code_execution/invoke_shellcode
Author @mattifestation
Background True
Comments http://www.exploit-monday.com
https://github.com/mattifestation/PowerSploit/blob/master/CodeExecutio
n/Invoke-Shellcode.ps1
Description Uses PowerSploit's Invoke--Shellcode to inject shellcode into the
process ID of your choosing or within the context of the running
PowerShell process. If you're injecting custom shellcode, make sure
it's in the correct format and matches the architecture of the process
you're injecting into.
Language powershell
Name powershell/code_execution/invoke_shellcode
NeedsAdmin False
OpsecSafe True
Software http://attack.mitre.org/software/S0194
Techniques http://attack.mitre.org/techniques/T1064
,Record Options-----,----------,------------------------------------,
| Name | Value | Required | Description |
|-----------|-------|----------|------------------------------------|
| Agent | | True | Agent to run module on. |
|-----------|-------|----------|------------------------------------|
| Lhost | | False | Local host handler for the |
| | | | meterpreter shell. |
|-----------|-------|----------|------------------------------------|
| Listener | | False | Meterpreter/Beacon listener name. |
|-----------|-------|----------|------------------------------------|
| Lport | | False | Local port of the host handler. |
|-----------|-------|----------|------------------------------------|
| ProcessID | | False | Process ID of the process you want |
| | | | to inject shellcode into. |
|-----------|-------|----------|------------------------------------|
| Shellcode | | True | Custom shellcode to inject, |
| | | | 0xaa,0xab,... format. |
'-----------'-------'----------'------------------------------------'
(Empire: usemodule/powershell/code_execution/invoke_shellcode) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/code_execution/invoke_shellcode) > set Shellcode ..shellcode..
[*] Set Shellcode to ..shellcode..
(Empire: usemodule/powershell/code_execution/invoke_shellcode) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/code_execution/invoke_shellcode.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/code_execution/invoke_shellcode.py
- http://www.exploit-monday.com
- https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1
- http://attack.mitre.org/software/S0194
- http://attack.mitre.org/techniques/T1064
See Also
Check also the following modules related to this module:
- powershell/code_execution/invoke_metasploitpayload
- powershell/code_execution/invoke_ntsd
- powershell/code_execution/invoke_shellcodemsil
- powershell/code_execution/invoke_assembly
- powershell/code_execution/invoke_reflectivepeinjection
- powershell/code_execution/invoke_ironpython
- powershell/code_execution/invoke_clearscript
- powershell/code_execution/invoke_dllinjection
- powershell/code_execution/invoke_ironpython3
- powershell/code_execution/invoke_ssharp
- powershell/code_execution/invoke_boolang
- powershell/lateral_movement/invoke_psexec
- powershell/lateral_movement/invoke_sqloscmd
- powershell/exploitation/invoke_spoolsample
- powershell/credentials/invoke_kerberoast
- powershell/credentials/invoke_internal_monologue
- powershell/credentials/invoke_ntlmextract
- powershell/management/invoke_script
- powershell/management/invoke_sharpchisel
- powershell/management/invoke_socksproxy
- powershell/lateral_movement/invoke_psremoting
- powershell/lateral_movement/invoke_executemsbuild
- powershell/lateral_movement/invoke_dcom
- powershell/lateral_movement/invoke_portfwd
- powershell/lateral_movement/invoke_smbexec
- powershell/lateral_movement/invoke_wmi
- powershell/lateral_movement/invoke_wmi_debugger
- powershell/lateral_movement/invoke_sshcommand
- python/management/osx/shellcodeinject64
- python/code_execution/powershell_execution
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.