EmpireProject / Empire

Empire is a PowerShell and Python post-exploitation agent.
http://www.powershellempire.com/
BSD 3-Clause "New" or "Revised" License

This morning I woke up to 2 random agents that I did NOT hack...??? #1369

Closed careyjames closed 5 years ago

careyjames commented 5 years ago

Empire Version

2.5

OS Information (Linux flavor, Python version)

kali 2019.2

Expected behavior and description of the error, including any actions taken immediately prior to the error. The more detail the better.

This morning I woke up to 2 random agents that I did NOT hack...???

Screenshot of error, embedded text output, or Pastebin link to the error

[*] Active agents:

  Name      La  Internal IP  Machine Name  Username             Process     PID   Delay  Last Seen            Listener
  ----      --  -----------  ------------  --------             -------     ---   -----  ---------            --------
  9AT7MSZY  ps  10.0.0.77    LISARAM       LISARAM\xingcunnin   powershell  3892  5/0.0  2019-07-21 12:14:29  WAN
  5Y8WX3S7  ps  10.0.0.4     LAURECO       LAURECO\chruiz       powershell  1860  5/0.0  2019-07-21 12:14:33  WAN

Any additional information

I was taking the course on Udemy and I did upload a stager to my server at snowVPS, but nobody knows that IP address? Does this mean: A. some poor fool (actually 2 of them) somehow stumbled into my server IP address, no domain name set up, and downloaded these files, and then installed them?? B. somehow Empire sent back someone else's agents to me?

careyjames commented 5 years ago

I haven't killed them because I'm tempted to send a message that says "who are you and how did this happen".. but I don't want to interact with computers that are not mine and then officially break the law...

mr64bit commented 5 years ago

If the stager files were on a publicly available web server with predictable names, my first guess would be that they were found by a scanner, then run in a sandbox. You might be able to tell based on the external IP, and basic system info (CPU cores, amount of RAM).

It's pretty much impossible for you to get agents from somebody else's Empire install (even if you have the IP of a previous Empire instance), since the staging key would be different.
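The "found by a scanner" explanation above can usually be confirmed from the web server's own access log: the client that downloaded the hosted file either also probed a series of unrelated paths with an automation user-agent (scanner behaviour) or fetched exactly one file with a browser user-agent. The following triage script is an added example, not part of this issue or of the Empire project; it parses combined-format access log lines (a constructed sample with documentation-range IPs is embedded), lists every client that successfully fetched a given path, and applies a simple heuristic to flag likely scanners. The file name `/launcher.bat`, the user-agent hint list and the "three or more distinct paths" threshold are assumptions chosen for the illustration.

```python
"""Access-log triage: who downloaded a hosted file, and does it look like a scanner?
Added example (not Empire code). Sample log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed combined-log-format sample; IPs are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
198.51.100.23 - - [21/Jul/2019:03:12:01 +0000] "GET /launcher.bat HTTP/1.1" 200 1823 "-" "python-requests/2.22.0"
198.51.100.23 - - [21/Jul/2019:03:12:02 +0000] "GET /launcher.ps1 HTTP/1.1" 404 153 "-" "python-requests/2.22.0"
198.51.100.23 - - [21/Jul/2019:03:12:02 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.22.0"
203.0.113.9 - - [21/Jul/2019:09:40:11 +0000] "GET /launcher.bat HTTP/1.1" 200 1823 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.77 - - [21/Jul/2019:11:58:40 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.64.0"
"""

# Apache/nginx "combined" format: ip ident user [ts] "req" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings that mark HTTP libraries/scanners rather than interactive browsers (assumed list).
SCANNER_UA_HINTS = ("python-requests", "curl", "masscan", "zgrab", "go-http-client")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def who_fetched(log_text, target_path):
    """Summarise every client IP that got HTTP 200 for target_path.

    Each summary records all paths the client touched, the user-agents it used
    and the time of its first request, so a later heuristic can judge intent."""
    by_ip = defaultdict(lambda: {"paths": set(), "uas": set(), "first": None, "got_target": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole triage
        c = by_ip[rec["ip"]]
        c["paths"].add(rec["path"])
        c["uas"].add(rec["ua"])
        if c["first"] is None or rec["ts"] < c["first"]:
            c["first"] = rec["ts"]
        if rec["path"] == target_path and rec["status"] == 200:
            c["got_target"] = True
    return {ip: c for ip, c in by_ip.items() if c["got_target"]}


def classify(client):
    """Heuristic label: enumerating several paths or using a library UA suggests a scanner."""
    reasons = []
    if len(client["paths"]) >= 3:
        reasons.append("enumerated %d distinct paths" % len(client["paths"]))
    for ua in client["uas"]:
        if any(h in ua.lower() for h in SCANNER_UA_HINTS):
            reasons.append("automation user-agent: %s" % ua)
            break
    return ("likely scanner" if reasons else "unclassified", reasons)


if __name__ == "__main__":
    for ip, c in who_fetched(SAMPLE_LOG, "/launcher.bat").items():
        label, why = classify(c)
        print("%s first seen %s -> %s %s" % (ip, c["first"].isoformat(), label, why))
```

Run against the real log with the path the stager was served from; a client that is flagged "likely scanner" and whose download time precedes the agent's first check-in by the sandbox's detonation delay is the pattern mr64bit describes. An "unclassified" single download from a browser user-agent is the case that deserves a closer look.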

careyjames commented 5 years ago

The server does not even have a domain attached, so yes, they would have to find it by IP number, so I'm guessing someone really did download and install these. Damn, how strange, after being up there one night.