Empire is a post-exploitation framework used for the management of compromised victim hosts. Empire offers a range of command and control modules allowing command execution and data exfiltration capabilities. Empire’s HTTP-based stagers initiate C2 connections to the attacking host via HTTP requests. Requests are formed using ‘profiles’ contained within the framework. The default profile contains hardcoded user-agent and URI values that can be used for detection. An attacker can execute the stager to initiate C2 via pre-existing access to the victim host. The C2 server will provide instructions via encrypted data contained in its responses.
- The attacker executes an HTTP-based stager on the victim machine that is configured with the framework's default profile, initiating C2 communications.
- The HTTP connection to the C2 server is made using hardcoded user-agent and HTTP URI locations defined in the default profile. The agent makes an HTTP GET request to the C2 that is used to retrieve the next command.
- The C2 server responds with a fake IIS 7.5 landing page, confirming a successful callback. Static server headers are observed along with the non-standard ‘Expires’ header. The C2 server provides agents with instructions via encrypted data served after the 200 OK response.
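The three callback traits listed above (a fixed user-agent, fixed URI paths from the default profile, and a static IIS 7.5 response with a non-standard Expires header) can be turned into a simple log check. The script below is an added example and is not Alert Logic's signature or code from the Empire project; it assumes a constructed, pipe-separated proxy log format and uses the user-agent, URI and header values from Empire's default profile as the indicator set (assumption: verify these against the profile shipped with the Empire version you are concerned about). It requires at least two independent indicators per event before flagging, because the user-agent string on its own is a legitimate Internet Explorer 11 value.

```python
"""Flag HTTP events that carry Empire default-profile artifacts (added example)."""
from dataclasses import dataclass

# Indicator values assumed from Empire's default HTTP profile and listener
# defaults; confirm against the profile file of the version in your environment.
EMPIRE_DEFAULT_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
EMPIRE_DEFAULT_URIS = {"/admin/get.php", "/news.php", "/login/process.php"}
EMPIRE_SERVER_HEADER = "Microsoft-IIS/7.5"


@dataclass
class HttpEvent:
    src: str
    dst: str
    method: str
    uri: str
    user_agent: str
    status: int
    resp_headers: dict


def parse_line(line: str) -> HttpEvent:
    """Parse one record of the constructed log format:
    ts|src|dst|method|uri|status|user_agent|Header1: v1;Header2: v2"""
    _ts, src, dst, method, uri, status, ua, hdrs = line.rstrip("\n").split("|", 7)
    headers = {}
    for raw in filter(None, hdrs.split(";")):
        name, _, value = raw.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpEvent(src, dst, method, uri, ua, int(status), headers)


def indicators(ev: HttpEvent) -> list:
    """Return the list of default-profile indicators present on one event."""
    hits = []
    if ev.user_agent == EMPIRE_DEFAULT_UA:
        hits.append("default_user_agent")
    if ev.uri in EMPIRE_DEFAULT_URIS:
        hits.append("default_uri")
    # Static fake-IIS landing page: fixed Server header plus a non-standard
    # "Expires: 0" instead of an HTTP date.
    if (ev.resp_headers.get("server") == EMPIRE_SERVER_HEADER
            and ev.resp_headers.get("expires") == "0"):
        hits.append("iis75_expires0")
    return hits


def scan(lines) -> list:
    """Flag events with two or more corroborating indicators."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        hits = indicators(ev)
        if len(hits) >= 2:
            findings.append({"src": ev.src, "dst": ev.dst,
                             "uri": ev.uri, "indicators": hits})
    return findings


# Constructed sample log: one beaconing agent, one benign IE 11 browse to a real
# IIS site, and one unrelated hit on a path that merely collides with the profile.
SAMPLE_LOG = [
    "2024-05-01T10:00:01|10.0.0.5|203.0.113.10|GET|/admin/get.php|200|"
    + EMPIRE_DEFAULT_UA
    + "|Server: Microsoft-IIS/7.5;Expires: 0;Cache-Control: max-age=0, no-cache;"
      "Content-Type: text/html",
    "2024-05-01T10:00:05|10.0.0.7|198.51.100.20|GET|/index.html|200|"
    + EMPIRE_DEFAULT_UA
    + "|Server: Microsoft-IIS/7.5;Expires: Thu, 02 May 2024 10:00:05 GMT;"
      "Content-Type: text/html",
    "2024-05-01T10:00:09|10.0.0.9|198.51.100.30|GET|/news.php|200|"
    "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0|Server: Apache;"
    "Content-Type: text/html",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']} {f['uri']} indicators={f['indicators']}")
```

Only the first sample event is reported: the second shares the user-agent but returns a proper Expires date from a real IIS host, and the third hits a profile path with a different client and server. Tuning the threshold or the indicator set for a customised profile changes only the constants at the top.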
The attacker must be able to utilize some other exploitation mechanism or attack vector to place the malicious code on the victim host.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to this threat and has developed signatures to mitigate it, depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) in Alert Logic Threat Manager™ has been updated with new signatures for this threat. If a signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Follow internal breach remediation policies. Ensure that any victim systems are running the latest, fully patched software.