As part of the update to Empire that we pushed out today, the OneDrive listener has been fixed. This listener is really useful because all of its traffic goes to Microsoft's own infrastructure, where it blends in with legitimate OneDrive traffic and is very difficult to block for organizations that use Office 365 and other Microsoft products. However, it is not the most intuitive listener to set up, and the documentation out there for it is a bit lacking. This will be a quick blog post that walks through how to properly set up the OneDrive listener.
To run the OneDrive listener, type
uselistener onedrive
and then
info
to view the configuration info.
The OneDrive listener requires a Microsoft Azure account in which to register the application, so you will either need to have one or set one up. Once your account is set up, log in at https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade to reach the App registrations page. Next, select New Registration.
Add your application name. It doesn't matter what it is, so just type something in. Enter the redirect URI as
https://login.live.com/oauth20_desktop.srf
Once your application has been registered, you will be taken to the application overview page. Copy the value labeled Application (client) ID into Empire as the ClientID.
The ClientSecret is the next field required by Empire. It is not generated automatically, but you can create one by navigating to the Certificates & Secrets tab. Once on this page, select New Client Secret to generate a new value. The secret's value is only displayed once, immediately after it is created, so copy it then; if you navigate away first, you will have to create another one.
Copy this value and enter it into Empire as the ClientSecret. At this point the listener is nearly configured; what remains is the authorization code from the OAuth app. To obtain the AuthCode you have to sign in to your app with your Microsoft account and consent to its permissions. If you type execute in Empire with the ClientID and ClientSecret set, you will be provided a web address; copy it into a browser to reach the consent page that produces your AuthCode.
After you consent, your browser will automatically redirect you to the https://login.live.com/oauth20_desktop.srf page, and the AuthCode is carried in that page's URL as the value of the code parameter. Copy only that value over to Empire. Do not include the "&lc=1033" at the end of the URL as part of the AuthCode; the exchange will fail if the locale suffix is pasted in with it.
The last step for configuring the listener is to set the AuthCode option to that value and then run execute again.
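If you want to sanity-check an app registration before handing its values to Empire, or to see what Empire is doing with the AuthCode, the following helper performs the same three steps outside of Empire: it builds the consent URL for the ClientID, pulls the code out of the redirect URL (dropping the "&lc=1033" suffix whether you paste the whole URL or just the tail end), and builds the authorization-code exchange against the Microsoft consumer token endpoint. This is an added example written for this post, not Empire's own listener code. The redirect URI is the one from the registration step above; the authorize and token endpoints and the files.readwrite offline_access scopes are the standard login.live.com OAuth 2.0 ones and are assumed here, since the listener's internal scope list is not shown on the page. The ClientID and code values in the demo are constructed placeholders.

```python
"""Helper for the OneDrive listener's OAuth set-up (example code, not Empire's).

Builds the consent URL, extracts the AuthCode from the redirect, and prepares
the authorization-code exchange. Only exchange_code() touches the network.
"""
import json
import urllib.parse
import urllib.request

# Standard Microsoft consumer (login.live.com) OAuth 2.0 endpoints. Assumed to
# match what the listener uses; the redirect URI is the one registered in Azure.
AUTHORIZE_URL = "https://login.live.com/oauth20_authorize.srf"
TOKEN_URL = "https://login.live.com/oauth20_token.srf"
REDIRECT_URI = "https://login.live.com/oauth20_desktop.srf"
# offline_access is what makes a refresh token come back, so the listener can
# keep running without repeating the browser consent step.
SCOPES = "files.readwrite offline_access"


def build_authorize_url(client_id):
    """Return the consent URL the operator opens in a browser."""
    params = {
        "client_id": client_id,
        "scope": SCOPES,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def extract_auth_code(pasted):
    """Return just the AuthCode from whatever the operator pasted.

    Accepts the full redirect URL (.../oauth20_desktop.srf?code=...&lc=1033)
    or a bare code that still has the &lc=1033 locale suffix attached.
    """
    pasted = pasted.strip()
    if pasted.startswith("http"):
        query = urllib.parse.urlparse(pasted).query
        codes = urllib.parse.parse_qs(query).get("code")
        if not codes:
            raise ValueError("redirect URL carries no code= parameter")
        return codes[0]
    # Bare paste: keep everything before the first '&' so &lc=1033 is dropped.
    return pasted.split("&", 1)[0]


def token_request(client_id, client_secret, auth_code):
    """Return (url, form body) for the authorization-code exchange."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "code": auth_code,
        "grant_type": "authorization_code",
        "redirect_uri": REDIRECT_URI,
    }).encode()
    return TOKEN_URL, body


def exchange_code(client_id, client_secret, auth_code):
    """Perform the exchange over the network and return the token JSON.

    A successful response contains access_token and refresh_token; an error
    body usually means the code was pasted with &lc=1033 or has expired.
    """
    url, body = token_request(client_id, client_secret, auth_code)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder values; not a real registration or a real code.
    demo_client_id = "00000000-0000-0000-0000-000000000000"
    print("Open this URL to consent:", build_authorize_url(demo_client_id))
    demo_redirect = ("https://login.live.com/oauth20_desktop.srf"
                     "?code=M.R3_BAY.example-code&lc=1033")
    print("AuthCode for Empire:", extract_auth_code(demo_redirect))
```

Running the script offline only prints the consent URL and the cleaned code; call exchange_code() with real ClientID, ClientSecret and AuthCode values to confirm the registration works before starting the listener. An authorization code is single-use and short-lived, so a code that has already been exchanged (by Empire or by this script) will not work a second time; generate a fresh one by visiting the consent URL again.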
Empire will automatically configure a folder on your OneDrive that will contain the results, staging, and taskings. You will not need to make any changes to these files.
Once you have started the listener, you can create stagers just as you would for any other listener; in the stager's options, point it at this listener by typing
set Listener onedrive
Test your launcher, and if you configured everything properly you will receive a callback through your OneDrive listener. The staging process is a bit slower than with a typical listener because the agent and the listener exchange files through OneDrive rather than talking to each other directly, so give it a minute and the agent should populate. Happy Hunting!