Start-MonitorTCPConnections - Empire Module
This page contains detailed information about how to use the powershell/situational_awareness/host/monitortcpconnections Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Start-MonitorTCPConnections
Module: powershell/situational_awareness/host/monitortcpconnections
Source code [1]: empire/server/modules/powershell/situational_awareness/host/monitortcpconnections.yaml
Source code [2]: empire/server/data/module_source/situational_awareness/host/Start-MonitorTCPConnections.ps1
MITRE ATT&CK:
T1049
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: Yes
The monitortcpconnections module monitors hosts for TCP connections to a specified domain name or IPv4 address. Useful for session hijacking and finding users interacting with sensitive services.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the monitortcpconnections module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the monitortcpconnections module:
Agent
Agent to monitor from.
CheckInterval
Interval in seconds to check for the connection.
Default value: 15
.
TargetDomain
Domain name or IPv4 address of target service.
Monitortcpconnections Example Usage
Here's an example of how to use the monitortcpconnections module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/situational_awareness/host/monitortcpconnections
Author @erikbarzdukas
Background True
Comments Based on code from Tim Ferrell.
Description Monitors hosts for TCP connections to a specified domain name or IPv4
address. Useful for session hijacking and finding users interacting
with sensitive services.
Language powershell
Name powershell/situational_awareness/host/monitortcpconnections
NeedsAdmin False
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1049
,Record Options-,-------,----------,----------------------------------,
| Name | Value | Required | Description |
|---------------|-------|----------|----------------------------------|
| Agent | | True | Agent to monitor from. |
|---------------|-------|----------|----------------------------------|
| CheckInterval | 15 | True | Interval in seconds to check for |
| | | | the connection |
|---------------|-------|----------|----------------------------------|
| TargetDomain | | True | Domain name or IPv4 address of |
| | | | target service. |
'---------------'-------'----------'----------------------------------'
(Empire: usemodule/powershell/situational_awareness/host/monitortcpconnections) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/situational_awareness/host/monitortcpconnections) > set CheckInterval 15
[*] Set CheckInterval to 15
(Empire: usemodule/powershell/situational_awareness/host/monitortcpconnections) > set TargetDomain value
[*] Set TargetDomain to value
(Empire: usemodule/powershell/situational_awareness/host/monitortcpconnections) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/situational_awareness/host/monitortcpconnections.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/situational_awareness/host/Start-MonitorTCPConnections.ps1
- http://attack.mitre.org/techniques/T1049
See Also
Check also the following modules related to this module:
- powershell/situational_awareness/host/hostrecon
- powershell/situational_awareness/host/winenum
- powershell/situational_awareness/host/applockerstatus
- powershell/situational_awareness/host/get_uaclevel
- powershell/situational_awareness/host/dnsserver
- powershell/situational_awareness/host/antivirusproduct
- powershell/situational_awareness/host/get_pathacl
- powershell/situational_awareness/host/get_proxy
- powershell/situational_awareness/host/findtrusteddocuments
- powershell/situational_awareness/host/seatbelt
- powershell/situational_awareness/host/paranoia
- powershell/situational_awareness/host/computerdetails
- python/situational_awareness/host/multi/WorldWriteableFileSearch
- python/situational_awareness/host/multi/SuidGuidSearch
- python/situational_awareness/host/osx/situational_awareness
- python/situational_awareness/host/osx/HijackScanner
- csharp/GhostPack/Rubeus
- csharp/GhostPack/SharpDPAPI
- csharp/GhostPack/SharpUp
- csharp/GhostPack/SharpDump
- csharp/GhostPack/Seatbelt
- csharp/GhostPack/SharpWMI
- python/situational_awareness/network/gethostbyname
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.