OneDrive

This listener is really useful because it runs in Microsoft’s infrastructure, which makes it very difficult to block for organizations that are utilizing Office 365 and other Microsoft products. The documentation for this comes from BC Security OneDrive Blog Post.

To run the OneDrive listener, type

uselistener onedrive

Azure Setup

The OneDrive listener does require a Microsoft Azure account to setup the application permissions. So you will either need to have one or set one up. Once your account is setup, login into https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade to access the App registrations page. Next, select New Registration.

Add your application name. It doesn’t matter what it is, so just type something in. You will want to enter the redirect URI as:

https://login.live.com/oauth20_desktop.srf

Once your application has been registered, you will be taken to the application overview page. Copy your ClientID over to Empire.

The Client Secret is the next field required by Empire. However, it is not automatically generated but can be easily created by navigating to the Certificates & Secrets tab. Once on this page, select New Client Secret to generate the new value.

Empire Configuration

Copy this value and enter it into Empire as the ClientSecret. At this point, the listener is nearly complete. However, we will need to copy the authentication code from the OAuth App. To obtain the AuthCode you will be required to login into your app from your Azure account. If you type in execute in Empire, you will be provided a web address that you can copy to navigate to the page to obtain your AuthCode.

Your browser will automatically redirect you to the page with the AuthCode. The AuthCode is contained in the URL and you will need to copy it over to Empire. Do not include the “&lc=1033” at the end of the URL as part of the AuthCode.

The last step for configuring the listener is to enter the AuthCode, as seen below, then execute.

Empire will automatically configure a folder on your OneDrive that will contain the results, staging, and taskings. You will not need to make any changes to these files.

Once you have started the listener, you can create stagers just like with any other stager by typing:

set Listener onedrive

Test your launcher and if you configured everything properly, you will successfully receive a callback using your OneDrive listener. The staging process is a bit slower than a typical listener due to the listener going through OneDrive, however, just give it a minute and it should populate.