Process Injection

While PowerShell offers a robust set of offensive features, many people have dismissed it as “just a toy language” due to fact that it’s an interpreted scripting language that can be blocked by blocking powershell.exe. This has caused many incident responders to overlook it as a realistic malware vector despite warnings from some in the community. If used offensively by operators, it’s often as a loading system to inject a C/C++ malware agent into memory.

However, Empire has the ability to inject an agent into another process using ReflectivePick to load up the .NET common language runtime into a process and execute a particular PowerShell command, all without starting a new powershell.exe process!

The module that does this is management/psinject. There’s an alias from an agent menu in the form inject <listener> <PID> (the listener name should be tab-completable). This will jump to the psinject module with appropriate options auto-populated for the listener. You can get PIDs from ps in an agent menu. Running execute will task the agent to inject a new agent into the specified PID.

empire_psinject

This works in most processes (except SearchIndexer.exe for some reason) including LSASS. WARNING: injection does crash the system when injecting into some of the lower-level PID SYSTEM processes like smss.exe. We haven’t done a ton of testing with this yet, so let us know what works. But yes, PowerShell in LSASS:

empire_psinject_lsass