Invoke-WinEnum - Empire Module
This page contains detailed information about how to use the powershell/situational_awareness/host/winenum Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-WinEnum
Module: powershell/situational_awareness/host/winenum
Source code [1]: empire/server/modules/powershell/situational_awareness/host/winenum.yaml
Source code [2]: empire/server/data/module_source/situational_awareness/host/Invoke-WinEnum.ps1
MITRE ATT&CK:
T1082
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: Yes
The winenum module collects revelant information about a host and the current user context.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the winenum module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the winenum module:
Agent
Agent to run module on.
Additional Module Options
This is a list of additional options that are supported by the winenum module:
Keywords
Array of keywords to use in file searches.
UserName
UserName to enumerate. Defaults to the current user context.
Winenum Example Usage
Here's an example of how to use the winenum module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/situational_awareness/host/winenum
Author @xorrior
Background True
Comments https://github.com/xorrior/RandomPS-Scripts/blob/master/Invoke-
WindowsEnum.ps1
Description Collects revelant information about a host and the current user
context.
Language powershell
Name powershell/situational_awareness/host/winenum
NeedsAdmin False
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1082
,Record Options----,----------,------------------------------------,
| Name | Value | Required | Description |
|----------|-------|----------|------------------------------------|
| Agent | | True | Agent to run module on. |
|----------|-------|----------|------------------------------------|
| Keywords | | False | Array of keywords to use in file |
| | | | searches. |
|----------|-------|----------|------------------------------------|
| UserName | | False | UserName to enumerate. Defaults to |
| | | | the current user context. |
'----------'-------'----------'------------------------------------'
(Empire: usemodule/powershell/situational_awareness/host/winenum) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/situational_awareness/host/winenum) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/situational_awareness/host/winenum.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/situational_awareness/host/Invoke-WinEnum.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/master/Invoke-WindowsEnum.ps1
- http://attack.mitre.org/techniques/T1082
- https://social.technet.microsoft.com/Forums/scriptcenter/en-US/c8001c25-edb5-44b2-ad07-37b39285995f/systemdirectoryservicesaccountmanagement-and-powershell?forum=ITCG
- http://www.bgreco.net/powershell/get-clipboard/
- http://neophob.com/2010/03/wmi-query-windows-securitycenter2/
- http://thesurlyadmin.com/2013/05/20/using-powershell-to-get-adapter-information/
- http://blogs.microsoft.co.il/scriptfanatic/2011/02/10/how-to-find-running-processes-and-their-port-number/
- http://blogs.technet.com/b/heyscriptingguy/archive/2010/07/03/hey-scripting-guy-weekend-scripter-how-to-retrieve-enabled-windows-firewall-rules.aspx
See Also
Check also the following modules related to this module:
- powershell/situational_awareness/host/hostrecon
- powershell/situational_awareness/host/applockerstatus
- powershell/situational_awareness/host/get_uaclevel
- powershell/situational_awareness/host/dnsserver
- powershell/situational_awareness/host/antivirusproduct
- powershell/situational_awareness/host/get_pathacl
- powershell/situational_awareness/host/get_proxy
- powershell/situational_awareness/host/findtrusteddocuments
- powershell/situational_awareness/host/monitortcpconnections
- powershell/situational_awareness/host/seatbelt
- powershell/situational_awareness/host/paranoia
- powershell/situational_awareness/host/computerdetails
- python/situational_awareness/host/multi/WorldWriteableFileSearch
- python/situational_awareness/host/multi/SuidGuidSearch
- python/situational_awareness/host/osx/situational_awareness
- python/situational_awareness/host/osx/HijackScanner
- csharp/GhostPack/Rubeus
- csharp/GhostPack/SharpDPAPI
- csharp/GhostPack/SharpUp
- csharp/GhostPack/SharpDump
- csharp/GhostPack/Seatbelt
- csharp/GhostPack/SharpWMI
- python/situational_awareness/network/gethostbyname
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.