Invoke-CredentialInjection - Empire Module
This page contains detailed information about how to use the powershell/credentials/credential_injection Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-CredentialInjection
Module: powershell/credentials/credential_injection
Source code [1]: empire/server/modules/powershell/credentials/credential_injection.yaml
Source code [2]: empire/server/modules/powershell/credentials/credential_injection.py
MITRE ATT&CK:
T1214, T1003, S0194
Language: PowerShell
Needs admin: Yes
OPSEC safe: Yes
Background: No
The credential_injection module runs PowerSploit's Invoke-CredentialInjection to create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon).
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the credential_injection module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the credential_injection module:
Agent
Agent to run module on.
Additional Module Options
This is a list of additional options that are supported by the credential_injection module:
AuthPackage
authentication package to use (Kerberos or Msv1_0).
Default value: Kerberos
.
CredID
CredID from the store to use.
DomainName
The domain name of the user account.
ExistingWinLogon
Switch. Use an existing WinLogon.exe process.
LogonType
Logon type of the injected logon (Interactive, RemoteInteractive, or NetworkCleartext).
Default value: RemoteInteractive
.
NewWinLogon
Switch. Create a new WinLogon.exe process.
Password
Password of the user.
UserName
Username to log in with.
Credential_injection Example Usage
Here's an example of how to use the credential_injection module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/credentials/credential_injection
Author @JosephBialek
Background False
Comments https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltratio
n/Invoke-CredentialInjection.ps1
Description Runs PowerSploit's Invoke-CredentialInjection to create logons with
clear-text credentials without triggering a suspicious Event ID 4648
(Explicit Credential Logon).
Language powershell
Name powershell/credentials/credential_injection
NeedsAdmin True
OpsecSafe True
Software http://attack.mitre.org/software/S0194
Techniques http://attack.mitre.org/techniques/T1214
http://attack.mitre.org/techniques/T1003
,Record Options----,-------------------,----------,-------------------------------------,
| Name | Value | Required | Description |
|------------------|-------------------|----------|-------------------------------------|
| Agent | | True | Agent to run module on. |
|------------------|-------------------|----------|-------------------------------------|
| AuthPackage | Kerberos | False | authentication package to use |
| | | | (Kerberos or Msv1_0) |
|------------------|-------------------|----------|-------------------------------------|
| CredID | | False | CredID from the store to use. |
|------------------|-------------------|----------|-------------------------------------|
| DomainName | | False | The domain name of the user |
| | | | account. |
|------------------|-------------------|----------|-------------------------------------|
| ExistingWinLogon | | False | Switch. Use an existing |
| | | | WinLogon.exe process |
|------------------|-------------------|----------|-------------------------------------|
| LogonType | RemoteInteractive | False | Logon type of the injected logon |
| | | | (Interactive, RemoteInteractive, or |
| | | | NetworkCleartext) |
|------------------|-------------------|----------|-------------------------------------|
| NewWinLogon | | False | Switch. Create a new WinLogon.exe |
| | | | process. |
|------------------|-------------------|----------|-------------------------------------|
| Password | | False | Password of the user. |
|------------------|-------------------|----------|-------------------------------------|
| UserName | | False | Username to log in with. |
'------------------'-------------------'----------'-------------------------------------'
(Empire: usemodule/powershell/credentials/credential_injection) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/credentials/credential_injection) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/credentials/credential_injection.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/credentials/credential_injection.py
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-CredentialInjection.ps1
- http://attack.mitre.org/software/S0194
- http://attack.mitre.org/techniques/T1214
- http://attack.mitre.org/techniques/T1003
See Also
Check also the following modules related to this module:
- powershell/credentials/rubeus
- powershell/credentials/vault_credential
- powershell/credentials/invoke_kerberoast
- powershell/credentials/DomainPasswordSpray
- powershell/credentials/sessiongopher
- powershell/credentials/invoke_internal_monologue
- powershell/credentials/powerdump
- powershell/credentials/enum_cred_store
- powershell/credentials/invoke_ntlmextract
- powershell/credentials/get_lapspasswords
- powershell/credentials/sharpsecdump
- powershell/credentials/tokens
- powershell/credentials/mimikatz/pth
- powershell/credentials/mimikatz/silver_ticket
- powershell/credentials/mimikatz/cache
- powershell/credentials/mimikatz/command
- powershell/credentials/mimikatz/terminal_server
- powershell/credentials/mimikatz/extract_tickets
- powershell/credentials/mimikatz/keys
- powershell/credentials/mimikatz/sam
- powershell/credentials/mimikatz/trust_keys
- powershell/credentials/mimikatz/purge
- powershell/credentials/mimikatz/logonpasswords
- powershell/credentials/mimikatz/certs
- powershell/credentials/mimikatz/dcsync
- powershell/credentials/mimikatz/lsadump
- powershell/credentials/mimikatz/mimitokens
- powershell/credentials/mimikatz/golden_ticket
- powershell/credentials/mimikatz/dcsync_hashdump
- powershell/code_execution/invoke_reflectivepeinjection
- powershell/code_execution/invoke_dllinjection
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.