PowerBreach
Varying Heuristics in a Network
PowerBreach is a series of in-memory PowerShell backdoors, each of which fires on a different trigger condition. It is part of the PowerTools project at https://github.com/powershellempire/powertools.
All of the current backdoors in Empire take a listener specification, which will auto-patch the appropriate stager code for that listener into the PowerBreach script. When the particular trigger from the PowerBreach script hits, an Empire agent should re-stage to the C2 server.
These backdoors have a few good use cases. They act as a useful safety net in case your main access is caught or otherwise dies. They can also be dropped on machines that may be monitored closely at some point, so traffic to them is minimized until you need to regain access later. Some of them (like the deaduser backdoor) can also act almost as an attacker IDS, alerting you when admins modify some of your artifacts. For example, you can add an obviously named domain admin account and set a deaduser backdoor on an admin's workstation, so you gain a shell and a notification when the admin kills the DA user.
Additionally, these backdoors have an OutFile argument, which allows you to set a (tab-completable) path for the backdoor to be output to instead of tasking it to an agent. This lets you easily combine these backdoors with the reboot-persistence options described later, which take an optional ExtFile argument.
The current options available in Empire are:
- persistence/powerbreach/deaduser – takes a username and a switch/flag indicating whether the username is a domain account (as opposed to a local account). Every Sleep seconds, the script checks if the account still exists, firing the staging logic if it doesn't. This backdoor does NOT need local admin privileges.
- persistence/powerbreach/eventlog – queries the Security eventlog on an interval, looking for events with a unique Trigger value. This backdoor DOES need admin privileges to access the security event log.
- persistence/powerbreach/resolver – takes a hostname to resolve and a trigger IP. Every Sleep seconds, the script checks if the hostname resolves to the trigger IP, firing the staging logic if it doesn’t. This backdoor does NOT need local admin privileges.
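All three triggers share one behavioural trait a defender can key on: a single process re-checks one resource (the Security log, one hostname, one account) every Sleep seconds with almost no jitter. The following Python is an added defender-side illustration, not code from PowerBreach or Empire; the telemetry records and their (timestamp, process, resource) layout are constructed for the example.

```python
"""Flag fixed-interval polling of a single resource in host telemetry.

PowerBreach's deaduser, eventlog and resolver triggers each re-check one
condition every Sleep seconds. A process that polls one resource at a
regular, low-jitter interval is therefore a signal worth surfacing.
The records below are constructed for illustration only.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (epoch seconds, process name, polled resource)
TELEMETRY = [
    (1000, "powershell.exe", "eventlog:Security"),
    (1030, "powershell.exe", "eventlog:Security"),
    (1060, "powershell.exe", "eventlog:Security"),
    (1090, "powershell.exe", "eventlog:Security"),
    (1120, "powershell.exe", "eventlog:Security"),
    (1005, "explorer.exe", "dns:fileserver.corp.example"),   # irregular
    (1009, "explorer.exe", "dns:fileserver.corp.example"),
    (1190, "explorer.exe", "dns:fileserver.corp.example"),
    (1400, "explorer.exe", "dns:fileserver.corp.example"),
    (1000, "svchost.exe", "dns:wpad.corp.example"),          # too few samples
    (1600, "svchost.exe", "dns:wpad.corp.example"),
]


def find_periodic_pollers(events, min_samples=4, max_jitter=0.10):
    """Return (process, resource, mean_interval) for every series whose
    gaps between consecutive polls deviate from the mean gap by at most
    max_jitter (coefficient of variation), given at least min_samples."""
    series = defaultdict(list)
    for ts, proc, resource in events:
        series[(proc, resource)].append(ts)
    findings = []
    for (proc, resource), stamps in series.items():
        if len(stamps) < min_samples:
            continue  # not enough observations to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((proc, resource, round(avg, 1)))
    return findings


if __name__ == "__main__":
    for proc, res, interval in find_periodic_pollers(TELEMETRY):
        print(f"{proc} polls {res} every ~{interval}s")
```

With the constructed records only the PowerShell series is reported (a 30 s cadence against the Security log); raising max_jitter trades missed low-jitter pollers for noise from ordinary periodic services, so tune it against baseline telemetry.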