emu plugins not listed in operation, but exists in adversary definition #2818
timbrigham-oc started this conversation in General
Replies: 0 comments
I've been playing with the emu plugin. It's enabled, I have verified that the payloads are downloaded and in the correct folders for being served.
I've been building a custom adversary profile using strictly emu abilities, notably the following in varying orders.
Detect Anti-Virus (stepTwelve.ps1 payload)
Emotet Persistence (no payload, using reg.exe)
Enumerate AD subnets (adfind.exe payload)
Emotet Scrape Email Addresses from Outlook (no payload, pure powershell script)
Screenshot of end-user's desktop (no payload listed, but references both a non-existent script and a fact that hasn't been found yet).
After saving the profile and running on an endpoint the Detect Anti-Virus works. Obviously the payloads must exist to be used.
Emotet Persistence works, after a minor tweak (adding a /f to allow overwrites if my AV interferes with the agent).
No matter where I put it in the adversary, Enumerate AD subnets never shows up in my operations list.
The same goes for "Screenshot of end-users desktop". Why aren't they listed?
If I run sandcat interactively on the client I don't see any instructions being sent. The three GUIDs listed are the detect AV, Emotet persist, and then Emotet persist cleanup.
Seems like I'm doing something obviously wrong here, but I'm at a loss as to what it could be.