Invoke-EgressCheck - Empire Module

This page contains detailed information about how to use the powershell/exfiltration/egresscheck Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

---

Name: Invoke-EgressCheck
Module: powershell/exfiltration/egresscheck
Source code [1]: empire/server/modules/powershell/exfiltration/egresscheck.yaml
Source code [2]: empire/server/data/module_source/exfil/Invoke-EgressCheck.ps1
MITRE ATT&CK: T1041
Language: PowerShell
Needs admin: No
OPSEC safe: No
Background: No

The egresscheck module will generate traffic on a provided range of ports and supports both TCP and UDP. Useful to identify direct egress channels.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the egresscheck module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

---

This is a list of options that are required by the egresscheck module:

Agent
Agent to generate the source traffic on.

delay
Delay, in milliseconds, between ports being tested.
Default value: 50.

ip
Target IP Address.

portrange
The range of ports to connect on. This can be a comma separated list or dash-separated ranges.
Default value: 22-25,53,80,443,445,3306,3389.

protocol
The protocol to use. This can be TCP or UDP.
Default value: TCP.

Egresscheck Example Usage

---

Here's an example of how to use the egresscheck module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/exfiltration/egresscheck

 Author       Stuart Morgan <[email protected]>                     
 Background   False                                                                 
 Comments     https://github.com/stufus/egresscheck-framework                       
 Description  This module will generate traffic on a provided range of ports and    
              supports both TCP and UDP. Useful to identify direct egress channels. 
 Language     powershell                                                            
 Name         powershell/exfiltration/egresscheck                                   
 NeedsAdmin   False                                                                 
 OpsecSafe    False                                                                 
 Techniques   http://attack.mitre.org/techniques/T1041                              


,Record Options-----------------------------,----------,------------------------------------,
| Name      | Value                         | Required | Description                        |
|-----------|-------------------------------|----------|------------------------------------|
| Agent     |                               | True     | Agent to generate the source       |
|           |                               |          | traffic on                         |
|-----------|-------------------------------|----------|------------------------------------|
| delay     | 50                            | True     | Delay, in milliseconds, between    |
|           |                               |          | ports being tested                 |
|-----------|-------------------------------|----------|------------------------------------|
| ip        |                               | True     | Target IP Address                  |
|-----------|-------------------------------|----------|------------------------------------|
| portrange | 22-25,53,80,443,445,3306,3389 | True     | The range of ports to connect on.  |
|           |                               |          | This can be a comma separated list |
|           |                               |          | or dash-separated ranges.          |
|-----------|-------------------------------|----------|------------------------------------|
| protocol  | TCP                           | True     | The protocol to use. This can be   |
|           |                               |          | TCP or UDP                         |
'-----------'-------------------------------'----------'------------------------------------'

(Empire: usemodule/powershell/exfiltration/egresscheck) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/exfiltration/egresscheck) > set delay 50
[*] Set delay to 50
(Empire: usemodule/powershell/exfiltration/egresscheck) > set ip value
[*] Set ip to value
(Empire: usemodule/powershell/exfiltration/egresscheck) > set portrange 22-25,53,80,443,445,3306,3389
[*] Set portrange to 22-25,53,80,443,445,3306,3389
(Empire: usemodule/powershell/exfiltration/egresscheck) > set protocol TCP
[*] Set protocol to TCP
(Empire: usemodule/powershell/exfiltration/egresscheck) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Author

---

• Stuart Morgan

References

---

• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/exfiltration/egresscheck.yaml
• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/exfil/Invoke-EgressCheck.ps1
• https://github.com/stufus/egresscheck-framework
• http://attack.mitre.org/techniques/T1041
• https://github.com/stufus

See Also

---

Check also the following modules related to this module:

• powershell/exfiltration/exfil_dropbox

Version

---

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.