Using the OneDrive Listener in Empire 3.1.3

Anthony Rose | Jake Krasnov

As part of the update to Empire that we pushed out today, the OneDrive listener has been fixed. This listener is really useful because it runs in Microsoft’s infrastructure, which makes it very difficult to block for organizations that are utilizing Office 365 and other Microsoft products. However, it’s not the most intuitive listener and the documentation out there for it is a bit lacking. This will be a quick blog post that walks through how to properly set up the OneDrive listener

To run the OneDrive listener, type

uselistener onedrive

and then

info

to view the configuration info.

The OneDrive listener does require a Microsoft Azure account to setup the application permissions. So you will either need to have one or set one up. Once your account is setup, login into https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade to access the App registrations page. Next, select New Registration.

Add your application name. It doesn’t matter what it is, so just type something in. You will want to enter the redirect URI as

https://login.live.com/oauth20_desktop.srf

Once your application has been registered, you will be taken to the application overview page. Copy your ClientID over to Empire.

The Client Secret is the next field required by Empire. However, it is not automatically generated but can be easily created by navigating to the Certificates & Secrets tab. Once on this page, select New Client Secret to generate the new value.

Copy this value and enter it into Empire as the ClientSecret. At this point, the listener is nearly complete. However, we will need to copy the authentication code from the OAuth App. To obtain the AuthCode you will be required to login into your app from your Azure account. If you type in execute in Empire, you will be provided a web address that you can copy to navigate to the page to obtain your AuthCode.

Your browser will automatically redirect you to the page with the AuthCode. The AuthCode is contained in the URL and you will need to copy it over to Empire. Do not include the “&lc=1033” at the end of the URL as part of the AuthCode.

The last step for configuring the listener is to enter the AuthCode, as seen below, then execute.

Empire will automatically configure a folder on your OneDrive that will contain the results, staging, and taskings. You will not need to make any changes to these files.

Once you have started the listener, you can create stagers just like with any other stager by typing

set Listener onedrive

Test your launcher and if you configured everything properly, you will successfully receive a callback using your OneDrive listener. The staging process is a bit slower than a typical listener due to the listener going through OneDrive, however, just give it a minute and it should populate. Happy Hunting!

The post Using the OneDrive Listener in Empire 3.1.3 appeared first on BC Security.