Quick Reference: Empire Persistence Modules

During a penetration test you may find yourself in a situation where your foothold in the network is tenuous and you need to establish persistence. Such as when your only foothold is on a workstation, the end of day is quickly approaching, and the user may shutdown their system. In these cases you’ll likely have to save something to the hard disk, but what type of persistence will you use? Will the user detect it? How exactly will it trigger? Are there any caveats?

These are the questions you need answered and can’t always research them in a time crunch. To assist in answering those questions quickly I familiarized myself with the various persistence modules available in the Empire project. Since my I typically use Empire as my post-exploitation framework I focused my efforts on that tool specifically. If you’re not familiar with Empire, it’s a post-exploitation framework for powershell and python and it’s available on GitHub.

Empire has several branches of persistence modules, the two I’ll cover are userland and elevated branches. The userland modules generally have a way for the user to detect them, like a powershell or command prompt window appearing. The elevated modules are harder to detect. It shouldn’t come as much surprise that you’ll want to drop persistence with the highest privileges you can.

Since this article is about a quick reference, I’ll present the reference quickly (best viewed in its original resolution). Also available as a Google sheet.

Additional notes on the modules are included afterwards.

Empire persistence module reference.

 

Notes on Detection:

Detecting Persistence During Installation

Only one module was found to be detectable by the user during installation without the aid of security tools, and that was the backdoor_lnk module. If the user has sight of the shortcut you are modifying, they may see the icon change to a “blank white paper” icon.

Backdoored .lnk file

Backdoored .lnk file

Detecting Persistence During Execution

Many of the userland modules are detectable during execution, a powershell or Windows command prompt will appear momentarily when the agent launches. The length of time is dependent on the performance of the victim’s system. If the user closes the window during the time it appears on their screen, it will stop the execution of the agent.

Notes on Storage:

Payload Storage: RegPath vs. ADSPath

The ADSPath option stores the payload in a file that you specify. This has the advantage of breaking up the powershell command which in one case avoided detection from Anti-Virus. However, the cleanup routine does not remove this payload form the file system. The RegPath option stores the payload in the Windows registry.

Module-Specific Notes:

userland/schtasks – DailyTime

  • This will only launch if the user is logged on during the DailyTime you specify.
  • The user will not detect the installation of this module unless they inspect their scheduled tasks.
  • User can detect a command prompt when the agent launches.
  • Consider differences in time zones and work habits.
  • Increase the likelihood of an agent calling back by running the module multiple time and specifying a different DailyTime for each.

userland/schtasks – IdleTime

  • This agent will launch when the system is idle for (15:00 + IdleTime) minutes.  Windows determines idle time based on low CPU and disk utilization and the absence of user input. This has nothing to do with a screensaver or desktop locking policy.
  • This is the stealthiest method of persistence for userland privileges, but also unreliable.
  • The agent that is returned by this is very fragile and will be killed when the system is no longer idle. In order to preserve access you should PSInject into a stable process to spawn a new agent that will persist. Don’t try to user another launcher or runas to get more shells, use PSInject! The other methods will be killed.

userland/backdoor_lnk

  • This will launch an agent when the user clicks on the specific .LNK file (Windows shortcut) that you specify when you run the module.
  • You need to know the file path to the shortcut.
  • The user may detect it during installation when their desktop icon changes.
  • User may deect it when they use their shortcut. The shortcut will hang and they may detect a suspicious icon in their taskbar.
  • User can inspect the shortcut and detect the powershell payload in the .LNK properties.

userland/registry

  • Agent will launch when the user logs onto the system.
  • A command prompt will flash when the agent launches and the agent will be killed if the command prompt is closed during this time.

userland/normal

  • This module didn’t function when tested with Word 2016.
  • Intended to launch an agent when the user opens MS Word.
  • Only available in the Master branch.

elevated/registry

  • Launches an agent as the user who logs on. This may not be a privileged user!
  • There is no visual cue when the agent launches.

elevated/schtasks – DailyTime

  • Launches an elevated agent at the appointed time.
  • There is no visual cue when the agent launches.

elevated/schtasks – OnLogon

  • Launches an elevated agent when any user logs on to the system.
  • There is no visual cue when the agent launches.
  • This option overwrites the DailyTime.

elevated/wmi – DailyTime

  • Launches an elevated agent 2-3 minutes after the appointed time.
  • There is no visual cue when the agent launches.

elevated/wmi – AtStartup

  • Launches an elevated agent 2-3 minute after system start.
  • There is no visual cue when the agent launches.

 

thor_vath

thor_vath

Penetration Tester at SecureState
Penetration tester and offensive security enthusiast with a background in server hardware, networking, systems administration and systems engineering.
thor_vath

Latest posts by thor_vath (see all)