ezEmu – Commands Execution for Defensive Research

ezEmu enables users to test adversary behaviors via various execution techniques, sort of like an “offensive framework for blue teamers”. The tool does not have any networking/C2 capabilities and instead focuses on creating local test telemetry.

ezEmu is compiled as parent.exe to simplify process trees, and will track (and also kill) child processes to enable easy searches in logs/dashboards.
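To make the parent.exe idea concrete, here is an added illustration (my own code, not ezEmu's) of a minimal harness that spawns a child, records the identifiers a defender would search for in process-creation logs, and kills the child if it lingers. Function names, the JSON record layout and the sleeping sample child are assumptions for this example.

```python
"""Added example: a parent/child telemetry harness in the spirit of ezEmu's
parent.exe. Hypothetical code, not part of the project."""
import json
import os
import subprocess
import sys
import time


def sleeping_child_argv(seconds):
    """Constructed sample child: the current interpreter sleeping for N seconds."""
    return [sys.executable, "-c", "import time; time.sleep(%d)" % seconds]


def run_tracked(argv, kill_after=1.0):
    """Spawn argv as a child of this process, record what a defender needs to
    find it in EDR/Sysmon-style logs, then terminate it if it outlives the
    test window. Returns one record per execution."""
    started = time.time()
    child = subprocess.Popen(argv, stdout=subprocess.DEVNULL,
                             stderr=subprocess.DEVNULL)
    record = {
        "parent_pid": os.getpid(),        # the "parent.exe" equivalent
        "parent_image": sys.executable,
        "child_pid": child.pid,
        "command_line": " ".join(argv),
        "started_at": started,
    }
    try:
        child.wait(timeout=kill_after)    # short benign commands finish on their own
        record["killed"] = False
    except subprocess.TimeoutExpired:
        child.kill()                      # ezEmu-style cleanup of lingering children
        child.wait()
        record["killed"] = True
    record["exit_code"] = child.returncode
    record["ended_at"] = time.time()
    return record


def telemetry_line(record):
    """One JSON line per execution, easy to grep or load into a dashboard."""
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    # A child that would outlive the window, so the harness has to kill it.
    print(telemetry_line(run_tracked(sleeping_child_argv(30))))
```

Matching `parent_pid`/`child_pid` and `started_at` against the endpoint's own process-creation events shows whether the sensor saw the execution at all and how it attributed the parent.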

Current execution techniques for Windows include:

  • Cmd.exe (T1059.003) – Adversaries may leverage cmd.exe to execute various commands and payloads. 
  • PowerShell (T1059.001) – Adversaries may abuse PowerShell commands and scripts for execution.
  • Unmanaged PowerShell (T1059.001)
  • CreateProcess() API (T1106) – Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. 
  • WinExec() API (T1106)
  • ShellExecute (T1106)
  • Windows Management Instrumentation (T1047)
  • VBScript (T1059.005)
  • Windows Fiber
  • WMIC XSL Script/Squiblytwo (T1220)
  • Microsoft Word VBA Macro (T1059)
  • Python (T1059.006)

Note: You need to enable some macro-related Trust Center settings for the Word macro technique to work: https://support.office.com/en-us/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6. You also need Python installed and the PATH variable set for #12 (Python).

Current execution techniques for linux include:

  • sh via system( ) ( T1059.004 )
  • Python via popen( ) ( T1059.006 )

Note: You need Python installed and the PATH variable set for #2 (Python via popen()).

You can read more and download the tool over here: https://github.com/jwillyamz/ezEmu
