Invoke-Ask - Empire Module
This page contains detailed information about how to use the powershell/privesc/ask Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-Ask
Module: powershell/privesc/ask
Source code [1]: empire/server/modules/powershell/privesc/ask.yaml
Source code [2]: empire/server/modules/powershell/privesc/ask.py
MITRE ATT&CK:
T1088
Language: PowerShell
Needs admin: No
OPSEC safe: No
Background: Yes
The ask module leverages Start-Process' -Verb runAs option inside a YES-Required loop to prompt the user for a high integrity context before running the agent code. UAC will report Powershell is requesting Administrator privileges. Because this does not use the BypassUAC DLLs, it should not trigger any AV alerts.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the ask module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the ask module:
Agent
Agent to run module on.
Listener
Listener to use.
Additional Module Options
This is a list of additional options that are supported by the ask module:
Bypasses
Bypasses as a space separated list to be prepended to the launcher.
Default value: mattifestation etw
.
Obfuscate
Switch. Obfuscate the launcher powershell code, uses the ObfuscateCommand for obfuscation types. For powershell only.
Default value: False
.
ObfuscateCommand
The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.
Default value: Token\All\1
.
Proxy
Proxy to use for request (default, none, or other).
Default value: default
.
ProxyCreds
Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
Default value: default
.
UserAgent
User-agent string to use for the staging request (default, none, or other).
Default value: default
.
Ask Example Usage
Here's an example of how to use the ask module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/privesc/ask
Author Jack64
Background True
Comments https://github.com/rapid7/metasploit-
framework/blob/master/modules/exploits/windows/local/ask.rb
Description Leverages Start-Process' -Verb runAs option inside a YES-Required loop
to prompt the user for a high integrity context before running the
agent code. UAC will report Powershell is requesting Administrator
privileges. Because this does not use the BypassUAC DLLs, it should
not trigger any AV alerts.
Language powershell
Name powershell/privesc/ask
NeedsAdmin False
OpsecSafe False
Techniques http://attack.mitre.org/techniques/T1088
,Record Options----,--------------------,----------,-------------------------------------,
| Name | Value | Required | Description |
|------------------|--------------------|----------|-------------------------------------|
| Agent | | True | Agent to run module on. |
|------------------|--------------------|----------|-------------------------------------|
| Bypasses | mattifestation etw | False | Bypasses as a space separated list |
| | | | to be prepended to the launcher. |
|------------------|--------------------|----------|-------------------------------------|
| Listener | | True | Listener to use. |
|------------------|--------------------|----------|-------------------------------------|
| Obfuscate | False | False | Switch. Obfuscate the launcher |
| | | | powershell code, uses the |
| | | | ObfuscateCommand for obfuscation |
| | | | types. For powershell only. |
|------------------|--------------------|----------|-------------------------------------|
| ObfuscateCommand | Token\All\1 | False | The Invoke-Obfuscation command to |
| | | | use. Only used if Obfuscate switch |
| | | | is True. For powershell only. |
|------------------|--------------------|----------|-------------------------------------|
| Proxy | default | False | Proxy to use for request (default, |
| | | | none, or other). |
|------------------|--------------------|----------|-------------------------------------|
| ProxyCreds | default | False | Proxy credentials |
| | | | ([domain\]username:password) to use |
| | | | for request (default, none, or |
| | | | other). |
|------------------|--------------------|----------|-------------------------------------|
| UserAgent | default | False | User-agent string to use for the |
| | | | staging request (default, none, or |
| | | | other). |
'------------------'--------------------'----------'-------------------------------------'
(Empire: usemodule/powershell/privesc/ask) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/privesc/ask) > set Listener listener1
[*] Set Listener to listener1
(Empire: usemodule/powershell/privesc/ask) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
- Jack64
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/privesc/ask.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/privesc/ask.py
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ask.rb
- http://attack.mitre.org/techniques/T1088
See Also
Check also the following modules related to this module:
- powershell/privesc/bypassuac
- powershell/privesc/bypassuac_env
- powershell/privesc/bypassuac_tokenmanipulation
- powershell/privesc/winPEAS
- powershell/privesc/sweetpotato
- powershell/privesc/tater
- powershell/privesc/ms16-135
- powershell/privesc/bypassuac_wscript
- powershell/privesc/mcafee_sitelist
- powershell/privesc/privesccheck
- powershell/privesc/sherlock
- powershell/privesc/ms16-032
- powershell/privesc/bypassuac_eventvwr
- powershell/privesc/zerologon
- powershell/privesc/printdemon
- powershell/privesc/getsystem
- powershell/privesc/gpp
- powershell/privesc/bypassuac_sdctlbypass
- powershell/privesc/watson
- powershell/privesc/bypassuac_fodhelper
- powershell/privesc/printnightmare
- powershell/privesc/powerup/service_exe_useradd
- powershell/privesc/powerup/write_dllhijacker
- powershell/privesc/powerup/service_stager
- powershell/privesc/powerup/service_exe_restore
- powershell/privesc/powerup/service_exe_stager
- powershell/privesc/powerup/find_dllhijack
- powershell/privesc/powerup/service_useradd
- powershell/privesc/powerup/allchecks
- powershell/persistence/userland/schtasks
- powershell/persistence/elevated/schtasks
- powershell/lateral_movement/new_gpo_immediate_task
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.