Shellcode Inject x64 - Empire Module
This page contains detailed information about how to use the python/management/osx/shellcodeinject64 Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Shellcode Inject x64
Module: python/management/osx/shellcodeinject64
Source code [1]: empire/server/modules/python/management/osx/shellcodeinject64.yaml
Source code [2]: empire/server/modules/python/management/osx/shellcodeinject64.py
MITRE ATT&CK:
T1064
Language: Python
Needs admin: Yes
OPSEC safe: Yes
Background: No
The shellcodeinject64 module injects shellcode into a x64 bit process.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the shellcodeinject64 module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the shellcodeinject64 module:
Agent
Agent to run the module on.
PID
Process ID.
Shellcode
local path to bin file containing x64 shellcode.
Shellcodeinject64 Example Usage
Here's an example of how to use the shellcodeinject64 module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/osx/ducky) > usemodule python/management/osx/shellcodeinject64
Author @xorrior
@midnite_runr
Background False
Comments comment
https://github.com/secretsquirrel/osx_mach_stuff/blob/master/inject.c
Description Inject shellcode into a x64 bit process
Language python
Name python/management/osx/shellcodeinject64
NeedsAdmin True
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1064
,Record Options-----,----------,-----------------------------------,
| Name | Value | Required | Description |
|-----------|-------|----------|-----------------------------------|
| Agent | | True | Agent to run the module on |
|-----------|-------|----------|-----------------------------------|
| PID | | True | Process ID |
|-----------|-------|----------|-----------------------------------|
| Shellcode | | True | local path to bin file containing |
| | | | x64 shellcode |
'-----------'-------'----------'-----------------------------------'
(Empire: usemodule/python/management/osx/shellcodeinject64) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/python/management/osx/shellcodeinject64) > set PID value
[*] Set PID to value
(Empire: usemodule/python/management/osx/shellcodeinject64) > set Shellcode ..shellcode..
[*] Set Shellcode to ..shellcode..
(Empire: usemodule/python/management/osx/shellcodeinject64) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Authors
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/python/management/osx/shellcodeinject64.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/python/management/osx/shellcodeinject64.py
- https://github.com/secretsquirrel/osx_mach_stuff/blob/master/inject.c
- http://attack.mitre.org/techniques/T1064
See Also
Check also the following modules related to this module:
- python/management/osx/screen_sharing
- python/trollsploit/osx/change_background
- python/trollsploit/osx/say
- python/trollsploit/osx/thunderstruck
- python/trollsploit/osx/login_message
- python/situational_awareness/host/osx/situational_awareness
- python/situational_awareness/host/osx/HijackScanner
- python/privesc/osx/piggyback
- python/privesc/osx/dyld_print_to_file
- python/collection/osx/osx_mic_record
- python/collection/osx/sniffer
- python/collection/osx/imessage_dump
- python/collection/osx/kerberosdump
- python/collection/osx/keychaindump_chainbreaker
- python/collection/osx/prompt
- python/collection/osx/hashdump
- python/collection/osx/keychaindump_decrypt
- python/collection/osx/browser_dump
- python/collection/osx/pillage_user
- python/collection/osx/webcam
- python/collection/osx/screenshot
- python/collection/osx/keychaindump
- python/collection/osx/search_email
- python/collection/osx/screensaver_alleyoop
- python/collection/osx/native_screenshot_mss
- python/collection/osx/clipboard
- python/collection/osx/keylogger
- python/collection/osx/native_screenshot
- python/persistence/osx/mail
- python/persistence/osx/LaunchAgent
- python/persistence/osx/loginhook
- python/persistence/osx/CreateHijacker
- python/persistence/osx/LaunchAgentUserLandPersistence
- python/persistence/osx/RemoveLaunchAgent
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.