Marathon API Create and Start App - Empire Module
This page contains detailed information about how to use the python/situational_awareness/network/dcos/marathon_api_create_start_app Empire module. For a list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Marathon API Create and Start App
Module: python/situational_awareness/network/dcos/marathon_api_create_start_app
Source code:
empire/server/modules/python/situational_awareness/network/dcos/marathon_api_create_start_app.yaml
MITRE ATT&CK:
T1106
Language: Python
Needs admin: No
OPSEC safe: Yes
Background: Yes
The marathon_api_create_start_app module creates and starts a Marathon app through Marathon's REST API. It builds an app definition from the options below (id, command, CPUs, memory, disk and instance count) and submits it to the Marathon endpoint given by Target and Port.
The module runs in the background and is marked OPSEC safe in its metadata (see the summary above): its footprint on the agent host is HTTP traffic to the Marathon API. The app it creates is not hidden, however. It shows up in the Marathon UI, in the app list returned by the API and in Marathon's event stream and logs, so cluster operators can see it.
The module does not need administrative privileges: it only issues network requests, so a normal user running the agent can execute it. Whether the request is accepted is decided by the Marathon API's own access controls, not by the agent's local privileges.
Required Module Options
This is a list of options that are required by the marathon_api_create_start_app module:
Agent
Agent to execute module on.
CPUs
The number of CPUs to assign to the app.
Cmd
The command to run.
Default value: env && sleep 300.
Disk
The Disk Space (MiB) to assign to the app.
ID
The id of the marathon app.
Default value: app001.
Instances
The number of instances to assign to the app.
Mem
The Memory (MiB) to assign to the app.
Default value: 128.
Port
The port to connect to.
Default value: 8080.
Target
FQDN, domain name, or hostname of the Marathon API endpoint to look up and connect to from the agent host.
Default value: marathon.mesos.
Marathon_api_create_start_app Example Usage
Here's an example of how to use the marathon_api_create_start_app module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule python/situational_awareness/network/dcos/marathon_api_create_start_app
Author @TweekFawkes
Background True
Comments Marathon REST API documentation version 2.0:
https://mesosphere.github.io/marathon/docs/generated/api.html
Marathon REST API: https://mesosphere.github.io/marathon/docs/rest-api.html
Marathon REST API: https://open.mesosphere.com/advanced-course/marathon-rest-api/
Description Create and Start a Marathon App using Marathon's REST API
Language python
Name python/situational_awareness/network/dcos/marathon_api_create_start_app
NeedsAdmin False
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1106
,Record Options----------------,----------,-------------------------------------,
| Name | Value | Required | Description |
|-----------|------------------|----------|-------------------------------------|
| Agent | | True | Agent to execute module on. |
|-----------|------------------|----------|-------------------------------------|
| CPUs | 1 | True | The number of CPUs to assign to the |
| | | | app. |
|-----------|------------------|----------|-------------------------------------|
| Cmd | env && sleep 300 | True | The command to run. |
|-----------|------------------|----------|-------------------------------------|
| Disk | 0 | True | The Disk Space (MiB) to assign to |
| | | | the app. |
|-----------|------------------|----------|-------------------------------------|
| ID | app001 | True | The id of the marathon app. |
|-----------|------------------|----------|-------------------------------------|
| Instances | 1 | True | The number of instances to assign |
| | | | to the app. |
|-----------|------------------|----------|-------------------------------------|
| Mem | 128 | True | The Memory (MiB) to assign to the |
| | | | app. |
|-----------|------------------|----------|-------------------------------------|
| Port | 8080 | True | The port to connect to. |
|-----------|------------------|----------|-------------------------------------|
| Target | marathon.mesos | True | FQDN, domain name, or hostname to |
| | | | lookup on the remote target. |
'-----------'------------------'----------'-------------------------------------'
(Empire: usemodule/python/situational_awareness/network/dcos/marathon_api_create_start_app) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/python/situational_awareness/network/dcos/marathon_api_create_start_app) > set CPUs 1
[*] Set CPUs to 1
(Empire: usemodule/python/situational_awareness/network/dcos/marathon_api_create_start_app) > set Cmd env
[*] Set Cmd to env
(Empire: usemodule/python/situational_awareness/network/dcos/marathon_api_create_start_app) > set Disk 0
[*] Set Disk to 0
(Empire: usemodule/python/situational_awareness/network/dcos/marathon_api_create_start_app) > set ID app001
[*] Set ID to app001
(Empire: usemodule/python/situational_awareness/network/dcos/marathon_api_create_start_app) > set Instances 1
[*] Set Instances to 1
(Empire: usemodule/python/situational_awareness/network/dcos/marathon_api_create_start_app) > set Mem 128
[*] Set Mem to 128
(Empire: usemodule/python/situational_awareness/network/dcos/marathon_api_create_start_app) > set Port 8080
[*] Set Port to 8080
(Empire: usemodule/python/situational_awareness/network/dcos/marathon_api_create_start_app) > set Target marathon.mesos
[*] Set Target to marathon.mesos
(Empire: usemodule/python/situational_awareness/network/dcos/marathon_api_create_start_app) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Wait for the agent to return the results. On success Marathon answers with the created app definition and starts a deployment; if an app with the same ID already exists the API rejects the request, so delete the old app (see marathon_api_delete_app below) or pick a new ID before re-running.
Author
@TweekFawkes
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/python/situational_awareness/network/dcos/marathon_api_create_start_app.yaml
- https://mesosphere.github.io/marathon/docs/generated/api.html
- https://mesosphere.github.io/marathon/docs/rest-api.html
- https://open.mesosphere.com/advanced-course/marathon-rest-api/
- http://attack.mitre.org/techniques/T1106
See Also
Check also the following modules related to this module:
- python/situational_awareness/network/dcos/marathon_api_delete_app
- python/situational_awareness/network/dcos/chronos_api_delete_job
- python/situational_awareness/network/dcos/etcd_crawler
- python/situational_awareness/network/dcos/chronos_api_add_job
- python/situational_awareness/network/dcos/chronos_api_start_job
- powershell/situational_awareness/host/applockerstatus
- python/situational_awareness/network/http_rest_api
- powershell/management/start-processasuser
- powershell/management/restart
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.