Invoke-SharpLoginPrompt - Empire Module

This page contains detailed information about how to use the powershell/collection/SharpLoginPrompt Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

---

Name: Invoke-SharpLoginPrompt
Module: powershell/collection/SharpLoginPrompt
Source code [1]: empire/server/modules/powershell/collection/SharpLoginPrompt.yaml
Source code [2]: empire/server/data/module_source/collection/Invoke-SharpLoginPrompt.ps1
MITRE ATT&CK: T1056
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: No

The SharpLoginPrompt module creates a login prompt to gather username and password of the current user. This project allows red team to phish username and password of the current user without touching lsass and having administrator credentials on the system.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the SharpLoginPrompt module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

---

This is a list of options that are required by the SharpLoginPrompt module:

Agent
Agent to run on.

Additional Module Options

---

This is a list of additional options that are supported by the SharpLoginPrompt module:

Header
Customized heading for login prompt.

Subheader
Customized subheading for prompt.

SharpLoginPrompt Example Usage

---

Here's an example of how to use the SharpLoginPrompt module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/collection/SharpLoginPrompt

 Author       @shantanu561993                                                        
              @S3cur3Th1sSh1t                                                        
 Background   False                                                                  
 Comments     https://github.com/shantanu561993/SharpLoginPrompt                     
 Description  This Program creates a login prompt to gather username and password of 
              the current user. This project allows red team to phish username and   
              password of the current user without touching lsass and having         
              administrator credentials on the system.                               
 Language     powershell                                                             
 Name         powershell/collection/SharpLoginPrompt                                 
 NeedsAdmin   False                                                                  
 OpsecSafe    True                                                                   
 Techniques   http://attack.mitre.org/techniques/T1056                               


,Record Options-----,----------,-----------------------------------,
| Name      | Value | Required | Description                       |
|-----------|-------|----------|-----------------------------------|
| Agent     |       | True     | Agent to run on.                  |
|-----------|-------|----------|-----------------------------------|
| Header    |       | False    | Customized heading for login      |
|           |       |          | prompt.                           |
|-----------|-------|----------|-----------------------------------|
| Subheader |       | False    | Customized subheading for prompt. |
'-----------'-------'----------'-----------------------------------'

(Empire: usemodule/powershell/collection/SharpLoginPrompt) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/collection/SharpLoginPrompt) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Authors

---

• @shantanu561993
• @S3cur3Th1sSh1t

References

---

• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/collection/SharpLoginPrompt.yaml
• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/collection/Invoke-SharpLoginPrompt.ps1
• https://github.com/shantanu561993/SharpLoginPrompt
• http://attack.mitre.org/techniques/T1056
• https://stackoverflow.com/questions/33111014/redirecting-output-from-an-external-dll-in-powershell

See Also

---

Check also the following modules related to this module:

• powershell/collection/get_sql_query
• powershell/collection/file_finder
• powershell/collection/get_indexed_item
• powershell/collection/ninjacopy
• powershell/collection/clipboard_monitor
• powershell/collection/FoxDump
• powershell/collection/prompt
• powershell/collection/minidump
• powershell/collection/netripper
• powershell/collection/SauronEye
• powershell/collection/toasted
• powershell/collection/screenshot
• powershell/collection/find_interesting_file
• powershell/collection/inveigh
• powershell/collection/browser_data
• powershell/collection/WireTap
• powershell/collection/WebcamRecorder
• powershell/collection/ChromeDump
• powershell/collection/USBKeylogger
• powershell/collection/get_sql_column_sample_data
• powershell/collection/keylogger
• powershell/collection/get-winupdates
• powershell/collection/packet_capture
• powershell/collection/SharpChromium
• powershell/collection/vaults/remove_keepass_config_trigger
• powershell/collection/vaults/add_keepass_config_trigger
• powershell/collection/vaults/keethief
• powershell/collection/vaults/find_keepass_config
• powershell/collection/vaults/get_keepass_config_trigger

Version

---

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.