Start-MonitorTCPConnections - Empire Module

This page contains detailed information about how to use the powershell/situational_awareness/host/monitortcpconnections Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

---

Name: Start-MonitorTCPConnections
Module: powershell/situational_awareness/host/monitortcpconnections
Source code [1]: empire/server/modules/powershell/situational_awareness/host/monitortcpconnections.yaml
Source code [2]: empire/server/data/module_source/situational_awareness/host/Start-MonitorTCPConnections.ps1
MITRE ATT&CK: T1049
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: Yes

The monitortcpconnections module monitors hosts for TCP connections to a specified domain name or IPv4 address. Useful for session hijacking and finding users interacting with sensitive services.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the monitortcpconnections module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

---

This is a list of options that are required by the monitortcpconnections module:

Agent
Agent to monitor from.

CheckInterval
Interval in seconds to check for the connection.
Default value: 15.

TargetDomain
Domain name or IPv4 address of target service.

Monitortcpconnections Example Usage

---

Here's an example of how to use the monitortcpconnections module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/situational_awareness/host/monitortcpconnections

 Author       @erikbarzdukas                                                        
 Background   True                                                                  
 Comments     Based on code from Tim Ferrell.                                       
 Description  Monitors hosts for TCP connections to a specified domain name or IPv4 
              address. Useful for session hijacking and finding users interacting   
              with sensitive services.                                              
 Language     powershell                                                            
 Name         powershell/situational_awareness/host/monitortcpconnections           
 NeedsAdmin   False                                                                 
 OpsecSafe    True                                                                  
 Techniques   http://attack.mitre.org/techniques/T1049                              


,Record Options-,-------,----------,----------------------------------,
| Name          | Value | Required | Description                      |
|---------------|-------|----------|----------------------------------|
| Agent         |       | True     | Agent to monitor from.           |
|---------------|-------|----------|----------------------------------|
| CheckInterval | 15    | True     | Interval in seconds to check for |
|               |       |          | the connection                   |
|---------------|-------|----------|----------------------------------|
| TargetDomain  |       | True     | Domain name or IPv4 address of   |
|               |       |          | target service.                  |
'---------------'-------'----------'----------------------------------'

(Empire: usemodule/powershell/situational_awareness/host/monitortcpconnections) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/situational_awareness/host/monitortcpconnections) > set CheckInterval 15
[*] Set CheckInterval to 15
(Empire: usemodule/powershell/situational_awareness/host/monitortcpconnections) > set TargetDomain value
[*] Set TargetDomain to value
(Empire: usemodule/powershell/situational_awareness/host/monitortcpconnections) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Author

---

• @erikbarzdukas

References

---

• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/situational_awareness/host/monitortcpconnections.yaml
• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/situational_awareness/host/Start-MonitorTCPConnections.ps1
• http://attack.mitre.org/techniques/T1049

See Also

---

Check also the following modules related to this module:

• powershell/situational_awareness/host/hostrecon
• powershell/situational_awareness/host/winenum
• powershell/situational_awareness/host/applockerstatus
• powershell/situational_awareness/host/get_uaclevel
• powershell/situational_awareness/host/dnsserver
• powershell/situational_awareness/host/antivirusproduct
• powershell/situational_awareness/host/get_pathacl
• powershell/situational_awareness/host/get_proxy
• powershell/situational_awareness/host/findtrusteddocuments
• powershell/situational_awareness/host/seatbelt
• powershell/situational_awareness/host/paranoia
• powershell/situational_awareness/host/computerdetails
• python/situational_awareness/host/multi/WorldWriteableFileSearch
• python/situational_awareness/host/multi/SuidGuidSearch
• python/situational_awareness/host/osx/situational_awareness
• python/situational_awareness/host/osx/HijackScanner
• csharp/GhostPack/Rubeus
• csharp/GhostPack/SharpDPAPI
• csharp/GhostPack/SharpUp
• csharp/GhostPack/SharpDump
• csharp/GhostPack/Seatbelt
• csharp/GhostPack/SharpWMI
• python/situational_awareness/network/gethostbyname

Version

---

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.