Find-DomainProcess - Empire Module


This page contains detailed information about how to use the powershell/situational_awareness/network/powerview/process_hunter Empire module. For a list of all Empire modules, visit the Empire Module Library.

Module Overview


Name: Find-DomainProcess
Module: powershell/situational_awareness/network/powerview/process_hunter
Source code [1]: empire/server/modules/powershell/situational_awareness/network/powerview/process_hunter.yaml
Source code [2]: empire/server/data/module_source/situational_awareness/network/powerview.ps1
MITRE ATT&CK: T1057 (Process Discovery), S0194 (PowerSploit)
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: Yes

The process_hunter module queries the process lists of remote machines, searching for processes with a specific name or owned by a specific user. It is the Find-DomainProcess function of PowerView, which enumerates Win32_Process on each target host over remote WMI (DCOM/RPC) and resolves each process owner.

According to its module metadata, process_hunter runs in the background and is marked OPSEC safe: PowerView is loaded into memory by the agent and nothing is written to the target's disk. OPSEC safe does not mean quiet, though. The module issues LDAP queries to a domain controller to enumerate computers and target users, and then opens a remote WMI connection to every host it enumerates, which is visible in network telemetry and in the logs of each queried host.

Note that the process_hunter module does not need administrative privileges on the host where the agent runs, so a normal domain user can launch it. Listing processes on a remote host over WMI does, however, require the agent's account to be a local administrator (or otherwise granted DCOM and WMI namespace access) on that host; hosts where this is not the case return access-denied errors and contribute no results.

Required Module Options


This is a list of options that are required by the process_hunter module:

Agent
Agent to run module on.

Additional Module Options


This is a list of additional options that are supported by the process_hunter module:

ComputerDomain
Specifies the domain to query for computers, defaults to the current domain.

ComputerLDAPFilter
Host filter name to query AD for, wildcards accepted.

ComputerName
Hosts to enumerate.

ComputerOperatingSystem
Return computers with a specific operating system, wildcards accepted.

ComputerSearchBase
Specifies the LDAP source to search through for computers.

ComputerServicePack
Return computers with the specified service pack, wildcards accepted.

ComputerSiteName
Return computers in the specific AD Site name, wildcards accepted.

ComputerUnconstrained
Switch. Search computer objects that have unconstrained delegation.

Delay
Delay between enumerating hosts, defaults to 0.

Domain
The domain to use for the query, defaults to the current domain.

Jitter
Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3.

OutputFunction
PowerShell's output function to use ("Out-String", "ConvertTo-Json", "ConvertTo-Csv", "ConvertTo-Html", "ConvertTo-Xml").
Default value: Out-String.
Suggested values: Out-String, ConvertTo-Json, ConvertTo-Csv, ConvertTo-Html, ConvertTo-Xml.

ProcessName
The name of the process to hunt, or a comma separated list of names.

ResultPageSize
Specifies the PageSize to set for the LDAP searcher object.

SearchScope
Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

Server
Specifies an active directory server (domain controller) to bind to.

ServerTimeLimit
Specifies the maximum amount of time the server spends searching. Default of 120 seconds.

StopOnSuccess
Switch. Stop hunting after finding a target user or process.

Threads
The maximum concurrent threads to execute.

Tombstone
Switch. Specifies that the search should also return deleted/tombstoned objects.

UserAdminCount
Switch. Search for users with "(adminCount=1)" (meaning are/were privileged).

UserGroupIdentity
Specifies a group identity to query for target users, defaults to "Domain Admins".

UserIdentity
Specifies one or more user identities to search for.

UserLDAPFilter
A customized LDAP filter string to use for user enumeration, e.g. "(description=*admin*)".

UserSearchBase
Specifies the LDAP source to search through for target users.
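The following example is added to this page and is not code from Empire or PowerView. It reproduces the core of what process_hunter does for a caller-supplied list of hosts, so the behaviour behind the ProcessName, UserIdentity, Delay, Jitter and StopOnSuccess options above is visible: enumerate Win32_Process on each host over remote WMI (the same channel PowerView's Get-WMIProcess uses), resolve each process owner with the Win32_Process.GetOwner() method, and report matches by process name or by owner. The function names, host names and account names are assumptions made for the example.

```powershell
# Added example for this page, not Empire or PowerView code. Sample host and
# user values are constructed; Get-ADComputer in the usage lines assumes the
# RSAT ActiveDirectory module (PowerView uses its own LDAP searcher instead).

function Get-RemoteProcess {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )
    $wmiArgs = @{ Class = 'Win32_Process'; ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Credential) { $wmiArgs['Credential'] = $Credential }
    foreach ($p in (Get-WmiObject @wmiArgs)) {
        # GetOwner() returns the account whose token owns the process;
        # ReturnValue 0 means success, otherwise the owner is unknown
        # (e.g. a process that exited between enumeration and the call).
        $owner = $p.GetOwner()
        $user = if ($owner.ReturnValue -eq 0 -and $owner.User) {
            '{0}\{1}' -f $owner.Domain, $owner.User
        } else { $null }
        [PSCustomObject]@{
            ComputerName = $ComputerName
            ProcessName  = $p.Name
            ProcessID    = $p.ProcessId
            User         = $user
        }
    }
}

function Find-ProcessOnHosts {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string[]]$ProcessName,   # e.g. 'mstsc.exe','KeePass.exe' (module: ProcessName)
        [string[]]$TargetUser,    # DOMAIN\user form, e.g. 'CORP\da.admin' (module: UserIdentity)
        [int]$Delay = 0,          # seconds between hosts (module: Delay)
        [double]$Jitter = 0.3,    # fraction of Delay to randomise (module: Jitter)
        [switch]$StopOnSuccess,   # stop at the first host with a hit (module: StopOnSuccess)
        [System.Management.Automation.PSCredential]$Credential
    )
    if (-not $ProcessName -and -not $TargetUser) {
        throw 'Specify -ProcessName and/or -TargetUser.'
    }
    foreach ($target in $ComputerName) {
        # One remote WMI session per host: this is the footprint a defender
        # sees on the network and in each host's logs, regardless of the
        # PowerShell running only in memory on the source machine.
        $remoteArgs = @{ ComputerName = $target }
        if ($Credential) { $remoteArgs['Credential'] = $Credential }
        try {
            $procs = Get-RemoteProcess @remoteArgs
        } catch {
            # Access denied (not local admin on the target), firewalled DCOM
            # or an offline host all land here; skip it and keep hunting.
            Write-Warning ('{0}: {1}' -f $target, $_.Exception.Message)
            continue
        }
        # -contains is case-insensitive, matching how Win32_Process reports names.
        $hits = @($procs | Where-Object {
            ($ProcessName -and ($ProcessName -contains $_.ProcessName)) -or
            ($TargetUser -and $_.User -and ($TargetUser -contains $_.User))
        })
        $hits
        if ($StopOnSuccess -and $hits.Count -gt 0) { break }
        if ($Delay -gt 0) {
            # Sleep Delay +/- Jitter*Delay seconds, as the module's Delay/Jitter options do.
            $spread = $Delay * $Jitter
            $wait = $Delay
            if ($spread -gt 0) { $wait += Get-Random -Minimum (-$spread) -Maximum $spread }
            Start-Sleep -Milliseconds ([int]($wait * 1000))
        }
    }
}

# Usage (constructed values): hunt for RDP and KeePass processes on two hosts,
# then hunt for processes owned by one target account across all domain computers.
Find-ProcessOnHosts -ComputerName 'WS01','WS02' -ProcessName 'mstsc.exe','KeePass.exe'
Find-ProcessOnHosts -ComputerName (Get-ADComputer -Filter * | Select-Object -ExpandProperty Name) `
    -TargetUser 'CORP\da.admin' -Delay 5 -StopOnSuccess
```

The example keeps the two halves of the module separate on purpose: the LDAP side (which hosts and which users to hunt) is just an input list here, while the WMI side is what actually touches every target. From a defender's point of view the second half is the detectable part: a single workstation account opening DCOM/RPC sessions to many hosts in quick succession, with the Delay and Jitter options being the attacker's only knob for spreading that out.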

Process_hunter Example Usage


Here's an example of how to use the process_hunter module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/situational_awareness/network/powerview/process_hunter

 Author       @harmj0y                                                             
 Background   True                                                                 
 Comments     https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/       
 Description  Query the process lists of remote machines, searching for processes  
              with a specific name or owned by a specific user. Part of PowerView. 
 Language     powershell                                                           
 Name         powershell/situational_awareness/network/powerview/process_hunter    
 NeedsAdmin   False                                                                
 OpsecSafe    True                                                                 
 Software     http://attack.mitre.org/software/S0194                               
 Techniques   http://attack.mitre.org/techniques/T1057                             


,Record Options-----------,------------,----------,-------------------------------------,
| Name                    | Value      | Required | Description                         |
|-------------------------|------------|----------|-------------------------------------|
| Agent                   |            | True     | Agent to run module on.             |
|-------------------------|------------|----------|-------------------------------------|
| ComputerDomain          |            | False    | Specifies the domain to query for   |
|                         |            |          | computers, defaults to the current  |
|                         |            |          | domain.                             |
|-------------------------|------------|----------|-------------------------------------|
| ComputerLDAPFilter      |            | False    | Host filter name to query AD for,   |
|                         |            |          | wildcards accepted.                 |
|-------------------------|------------|----------|-------------------------------------|
| ComputerName            |            | False    | Hosts to enumerate.                 |
|-------------------------|------------|----------|-------------------------------------|
| ComputerOperatingSystem |            | False    | Return computers with a specific    |
|                         |            |          | operating system, wildcards         |
|                         |            |          | accepted.                           |
|-------------------------|------------|----------|-------------------------------------|
| ComputerSearchBase      |            | False    | Specifies the LDAP source to search |
|                         |            |          | through for computers               |
|-------------------------|------------|----------|-------------------------------------|
| ComputerServicePack     |            | False    | Return computers with the specified |
|                         |            |          | service pack, wildcards accepted.   |
|-------------------------|------------|----------|-------------------------------------|
| ComputerSiteName        |            | False    | Return computers in the specific AD |
|                         |            |          | Site name, wildcards accepted.      |
|-------------------------|------------|----------|-------------------------------------|
| ComputerUnconstrained   |            | False    | Switch. Search computer objects     |
|                         |            |          | that have unconstrained delegation. |
|-------------------------|------------|----------|-------------------------------------|
| Delay                   |            | False    | Delay between enumerating hosts,    |
|                         |            |          | defaults to 0.                      |
|-------------------------|------------|----------|-------------------------------------|
| Domain                  |            | False    | The domain to use for the query,    |
|                         |            |          | defaults to the current domain.     |
|-------------------------|------------|----------|-------------------------------------|
| Jitter                  |            | False    | Specifies the jitter (0-1.0) to     |
|                         |            |          | apply to any specified -Delay,      |
|                         |            |          | defaults to +/- 0.3.                |
|-------------------------|------------|----------|-------------------------------------|
| OutputFunction          | Out-String | False    | PowerShell's output function to use |
|                         |            |          | ("Out-String", "ConvertTo-Json",    |
|                         |            |          | "ConvertTo-Csv", "ConvertTo-Html",  |
|                         |            |          | "ConvertTo-Xml").                   |
|-------------------------|------------|----------|-------------------------------------|
| ProcessName             |            | False    | The name of the process to hunt, or |
|                         |            |          | a comma separated list of names.    |
|-------------------------|------------|----------|-------------------------------------|
| ResultPageSize          |            | False    | Specifies the PageSize to set for   |
|                         |            |          | the LDAP searcher object.           |
|-------------------------|------------|----------|-------------------------------------|
| SearchScope             |            | False    | Specifies the scope to search       |
|                         |            |          | under, Base/OneLevel/Subtree        |
|                         |            |          | (default of Subtree)                |
|-------------------------|------------|----------|-------------------------------------|
| Server                  |            | False    | Specifies an active directory       |
|                         |            |          | server (domain controller) to bind  |
|                         |            |          | to                                  |
|-------------------------|------------|----------|-------------------------------------|
| ServerTimeLimit         |            | False    | Specifies the maximum amount of     |
|                         |            |          | time the server spends searching.   |
|                         |            |          | Default of 120 seconds.             |
|-------------------------|------------|----------|-------------------------------------|
| StopOnSuccess           |            | False    | Switch. Stop hunting after finding  |
|                         |            |          | a target user.                      |
|-------------------------|------------|----------|-------------------------------------|
| Threads                 |            | False    | The maximum concurrent threads to   |
|                         |            |          | execute.                            |
|-------------------------|------------|----------|-------------------------------------|
| Tombstone               |            | False    | Switch. Specifies that the search   |
|                         |            |          | should also return                  |
|                         |            |          | deleted/tombstoned objects.         |
|-------------------------|------------|----------|-------------------------------------|
| UserAdminCount          |            | False    | Switch. Search for users with       |
|                         |            |          | "(adminCount=1)" (meaning are/were  |
|                         |            |          | privileged)                         |
|-------------------------|------------|----------|-------------------------------------|
| UserGroupIdentity       |            | False    | Specifies a group identity to query |
|                         |            |          | for target users, defaults to       |
|                         |            |          | "Domain Admins".                    |
|-------------------------|------------|----------|-------------------------------------|
| UserIdentity            |            | False    | Specifies one or more user          |
|                         |            |          | identities to search for.           |
|-------------------------|------------|----------|-------------------------------------|
| UserLDAPFilter          |            | False    | A customized ldap filter string to  |
|                         |            |          | use for user enumeration, e.g.      |
|                         |            |          | "(description=*admin*)"             |
|-------------------------|------------|----------|-------------------------------------|
| UserSearchBase          |            | False    | Specifies the LDAP source to search |
|                         |            |          | through for target users.           |
'-------------------------'------------'----------'-------------------------------------'

(Empire: usemodule/powershell/situational_awareness/network/powerview/process_hunter) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/situational_awareness/network/powerview/process_hunter) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come back. With only Agent set, as above, no ProcessName or UserIdentity is given, so the module resolves the members of UserGroupIdentity (Domain Admins by default) and sweeps every computer returned by the computer query for processes owned by those accounts. On a large domain that is a slow and noisy run; narrow it with ComputerName or ComputerLDAPFilter and with ProcessName or UserIdentity, and set StopOnSuccess to stop at the first hit.

Author


@harmj0y (PowerView author, as listed in the module metadata above)

References


https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/ (PowerView, as listed under Comments in the module metadata above)

See Also


Check also the following modules related to this module:

Version


This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.