Invoke-Paranoia - Empire Module

This page contains detailed information about how to use the powershell/situational_awareness/host/paranoia Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

---

Name: Invoke-Paranoia
Module: powershell/situational_awareness/host/paranoia
Source code [1]: empire/server/modules/powershell/situational_awareness/host/paranoia.yaml
Source code [2]: empire/server/data/module_source/situational_awareness/host/Invoke-Paranoia.ps1
MITRE ATT&CK: T1057
Language: PowerShell
Needs admin: Yes
OPSEC safe: Yes
Background: Yes

Continuously check running processes for the presence of suspicious users, members of groups, process names, and for any processes running off of USB drives.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the paranoia module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

---

This is a list of options that are required by the paranoia module:

Agent
Agent to deploy Paranoia on.

Additional Module Options

---

This is a list of additional options that are supported by the paranoia module:

WatchGroups
AD Groups to watch out for (Default is 'Domain Admins').

WatchProcesses
Process names to watch out for. Default list is already appended.

WatchUsers
Users to watch out for in the form of domain\user, domain\user2, localuser.

Paranoia Example Usage

---

Here's an example of how to use the paranoia module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/situational_awareness/host/paranoia

 Author       pasv                                                                   
 Background   True                                                                   
 Comments     http://shell.fishing/code/Invoke-Paranoia.ps1                          
 Description  Continuously check running processes for the presence of suspicious    
              users, members of groups, process names, and for any processes running 
              off of USB drives.                                                     
 Language     powershell                                                             
 Name         powershell/situational_awareness/host/paranoia                         
 NeedsAdmin   True                                                                   
 OpsecSafe    True                                                                   
 Techniques   http://attack.mitre.org/techniques/T1057                               


,Record Options--,-------,----------,-------------------------------------,
| Name           | Value | Required | Description                         |
|----------------|-------|----------|-------------------------------------|
| Agent          |       | True     | Agent to deploy Paranoia on.        |
|----------------|-------|----------|-------------------------------------|
| WatchGroups    |       | False    | AD Groups to watch out for (Default |
|                |       |          | is 'Domain Admins')                 |
|----------------|-------|----------|-------------------------------------|
| WatchProcesses |       | False    | Process names to watch out for.     |
|                |       |          | Default list is already appended.   |
|----------------|-------|----------|-------------------------------------|
| WatchUsers     |       | False    | Users to watch out for in the form  |
|                |       |          | of domain\user, domain\user2,       |
|                |       |          | localuser                           |
'----------------'-------'----------'-------------------------------------'

(Empire: usemodule/powershell/situational_awareness/host/paranoia) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/situational_awareness/host/paranoia) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Author

---

• pasv

References

---

• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/situational_awareness/host/paranoia.yaml
• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/situational_awareness/host/Invoke-Paranoia.ps1
• http://shell.fishing/code/Invoke-Paranoia.ps1
• http://attack.mitre.org/techniques/T1057

See Also

---

Check also the following modules related to this module:

• powershell/situational_awareness/host/hostrecon
• powershell/situational_awareness/host/winenum
• powershell/situational_awareness/host/applockerstatus
• powershell/situational_awareness/host/get_uaclevel
• powershell/situational_awareness/host/dnsserver
• powershell/situational_awareness/host/antivirusproduct
• powershell/situational_awareness/host/get_pathacl
• powershell/situational_awareness/host/get_proxy
• powershell/situational_awareness/host/findtrusteddocuments
• powershell/situational_awareness/host/monitortcpconnections
• powershell/situational_awareness/host/seatbelt
• powershell/situational_awareness/host/computerdetails
• python/situational_awareness/host/multi/WorldWriteableFileSearch
• python/situational_awareness/host/multi/SuidGuidSearch
• python/situational_awareness/host/osx/situational_awareness
• python/situational_awareness/host/osx/HijackScanner
• csharp/GhostPack/Rubeus
• csharp/GhostPack/SharpDPAPI
• csharp/GhostPack/SharpUp
• csharp/GhostPack/SharpDump
• csharp/GhostPack/Seatbelt
• csharp/GhostPack/SharpWMI
• python/situational_awareness/network/gethostbyname

Version

---

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.