Tuesday, March 1, 2016

Using Powershell Empire as a phishing test tool...


Performing internal phishing tests is important for both user education and security metrics.  There are a lot of vendor options out there for helping organizations with their phishing exercises, but up until now most of ours have been created using in-house tools.  One tool we are beginning to use for phishing tests is "Powershell Empire".


Powershell Empire (or "Empire" for short) has become one of my favorite pentesting tools.  Empire is a PowerShell post-exploitation tool that implements the ability to run PowerShell "agents" against target systems.  It contains awesome post-exploitation modules ranging from keyloggers to Mimikatz, and is very good at evading network detection. Even after landing a Meterpreter session I find myself pivoting more often to using Empire these days for post-exploitation.

By using PowerShell, Empire has some offensive advantages including full .NET access, direct access to the Win32 API, the ability to assemble malicious binaries in memory, and a default installation on Windows 7+.

Because PowerShell is native to Windows, I don't have to worry much about AV catching my payloads (for now - some script tweaking tests against our AV may be necessary in the future, and other tools do see the activity).  That makes Empire super useful for creating payloads for both pentesting and in-house phishing exercises.  

Empire has numerous options for creating different types of agents.  Creating an Empire agent as an Office macro is straightforward.  By embedding the macro into a Word or Excel document and adding some tempting text, it becomes a good phishing exercise.  Here's an example of an Excel attachment to an email stating that macros must be enabled:


If the victim enables the content, here's an edited version of what appears:


The macro executes the Empire agent and that agent checks in with my Empire server and provides what I need for phishing statistics (Empire also saves this info to an agent log on disk for easy parsing with the usual awesome Linux tools).  Here's a generic screenshot of an agent's info:


After collecting this information, I kill the agents and everything is back to normal on the victim workstations again.
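The check-in log is where the phishing statistics come from, so here is an added example (not code from the original post or from the Empire project) of turning that log into exercise metrics and a kill list. The log lines below are constructed, and the line format, field names and the `sent_count` parameter are assumptions: adapt the regular expression to whatever your C2 server actually writes to disk.

```python
"""Summarise agent check-ins from an internal phishing exercise.

Added example, not part of the original post or of Empire itself. The log
format is a constructed, hypothetical one (timestamp, agent name, source IP,
user, host); adjust CHECKIN_RE to match your server's real log lines.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines (hypothetical format, not Empire's own output).
# jsmith opened the attachment twice, so two agents but one "clicker".
SAMPLE_LOG = """\
2016-03-01 09:02:11 [+] Initial agent AB12CD34 from 10.0.5.17 now active (CORP\\jsmith @ WS-0417)
2016-03-01 09:02:45 [+] Initial agent EF56GH78 from 10.0.5.22 now active (CORP\\mlee @ WS-0208)
2016-03-01 09:03:30 [*] Agent AB12CD34 checked in
2016-03-01 09:10:02 [+] Initial agent IJ90KL12 from 10.0.5.17 now active (CORP\\jsmith @ WS-0417)
2016-03-01 09:15:27 [+] Initial agent MN34OP56 from 10.0.6.3 now active (CORP\\rpatel @ LT-0099)
"""

# Only "initial agent" lines count as a user running the macro; routine
# check-ins of an already-active agent are ignored.
CHECKIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[\+\] Initial agent (?P<agent>\w+) "
    r"from (?P<ip>[\d.]+) now active \((?P<user>[^ ]+) @ (?P<host>[^)]+)\)$"
)


def parse_checkins(text):
    """Return one dict per initial-agent line; everything else is skipped."""
    events = []
    for line in text.splitlines():
        m = CHECKIN_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(d)
    return events


def phishing_stats(events, sent_count):
    """Metrics for the report plus the list of agents to kill afterwards.

    A user who opened the document twice counts once in the click rate,
    but every agent they spawned still needs to be terminated.
    """
    users = Counter(e["user"] for e in events)
    hosts = {e["host"] for e in events}
    times = [e["ts"] for e in events]
    window = int((max(times) - min(times)).total_seconds()) if times else 0
    return {
        "agents": len(events),
        "unique_users": len(users),
        "unique_hosts": len(hosts),
        # Fraction of recipients who actually ran the macro.
        "click_rate": round(len(users) / sent_count, 3) if sent_count else 0.0,
        "repeat_openers": sorted(u for u, n in users.items() if n > 1),
        # Seconds between the first and last macro execution: how fast the
        # exercise "spread" once the mail landed.
        "window_seconds": window,
        # Cleanup list: these are the agents to kill when the test is over.
        "agents_to_kill": sorted(e["agent"] for e in events),
    }


def stats_from_log(text, sent_count):
    """Convenience wrapper: raw log text in, report dict out."""
    return phishing_stats(parse_checkins(text), sent_count)


if __name__ == "__main__":
    # sent_count is assumed: the number of phishing mails you actually sent.
    for key, value in stats_from_log(SAMPLE_LOG, sent_count=20).items():
        print(f"{key}: {value}")
```

The click rate is computed over unique users rather than agents, since a second agent from the same workstation says nothing new about user awareness; the `agents_to_kill` list is what you walk through before declaring the workstations clean.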

Check out Powershell Empire at http://www.powershellempire.com/ .

