
War Room

Shells from above


Empire: An Elegant Weapon for a More Civilized Age

August 21, 2015 By Ken Smith


Empire, developed by @harmj0y, @sixdub, and @enigma0x3, debuted earlier this month at BSides Las Vegas.  In the words of the developers, “Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.”


Most blue teams don’t consider a small PowerShell process a threat; if they did, their defenses would be tighter. If you’re a red teamer, Empire should be the next tool you put in your belt.

This post is meant to be a high level overview of the information the Empire project already publishes.


Installation

Installing and getting started with Empire is very straightforward.

git clone https://github.com/PowerShellEmpire/Empire.git

cd Empire/setup/

./install.sh

Then, from the Empire folder, simply run ./empire.py.


Getting Started

On startup, Empire drops you into a screen that will closely resemble the following:

Screenshot: Welcome to Empire
Screenshot: Help Menu, Main Menu

Empire is very intuitive, so anyone with experience in Metasploit, Termineter, Veil-Evasion, or other frameworks should be able to pick up the syntax and command structure pretty quickly. Type “help” or a simple ‘?’ to view your available options. All too easy.


The output of this command will change depending on where you are in the framework, as you will see as we move forward.

Listeners

Your first step is to spin up a listener. Type “listeners” to drop into the listeners prompt (which comes with a new Help menu). The “info” command displays all of your available options for creating a new listener, as seen below.

Screenshot: Options for Listeners

Many of the options are self explanatory (e.g. Port). Some, however, are definitely worth noting:

  • Name: Assign a worthwhile/distinguishing name for your listener.
  • KillDate: A self-destruct date. Once it passes, agents tied to this listener stop running, so you won’t leave live implants on client systems after the engagement ends.
  • DefaultDelay: In seconds, how often agents call back. The default is 5, which is chatty; for flying a little lower under the radar, set it higher. The “DefaultJitter” option varies the callback interval around that delay so the beacon is not perfectly periodic.

When all of your options are set appropriately, simply run the “execute” command to start your listener. “list” will output information on all of your current listeners.
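To make the timing options concrete, here is an added Python model (not Empire’s agent code, and not from the original post) of how DefaultDelay, DefaultJitter and KillDate shape an agent’s check-in schedule. It assumes symmetric jitter, i.e. each sleep is drawn from [(1-jitter)*delay, (1+jitter)*delay], and that the agent simply exits once the kill date passes; the start timestamp and the run_demo helper are constructed for illustration.

```python
"""Added model of Empire-style listener timing (DefaultDelay, DefaultJitter,
KillDate). Not Empire's code: it shows what those settings do to the beacon
and why a defender cares about the resulting interval pattern."""
import random
import statistics
from datetime import datetime, timedelta


def jitter_bounds(delay, jitter):
    """Sleep range in seconds for a DefaultDelay/DefaultJitter pair.

    jitter is a fraction in [0, 1): 0 gives a fixed interval, 0.5 spreads
    sleeps over [0.5*delay, 1.5*delay]. Symmetric jitter around the delay is
    an assumption of this model.
    """
    if not 0 <= jitter < 1:
        raise ValueError("jitter must be a fraction in [0, 1)")
    return round((1 - jitter) * delay), round((1 + jitter) * delay)


def beacon_schedule(start, delay, jitter, kill_date, max_beacons=1000, rng=None):
    """Simulate an agent's check-in times from `start` until KillDate.

    Before each callback the agent sleeps a jittered interval; once the clock
    passes kill_date it exits instead of calling back, so nothing is returned
    past that point.
    """
    rng = rng or random.Random(0)
    lo, hi = jitter_bounds(delay, jitter)
    times, now = [], start
    while len(times) < max_beacons:
        sleep = lo if lo == hi else rng.randint(lo, hi)
        now += timedelta(seconds=sleep)
        if now >= kill_date:          # KillDate reached: the agent self-destructs
            break
        times.append(now)
    return times


def interval_cv(times):
    """Coefficient of variation of the gaps between check-ins.

    A value near 0 means the beacon is perfectly regular, which is exactly the
    periodicity a network monitor can key on; jitter pushes it up.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return 0.0
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else 0.0


def run_demo(delay, jitter, horizon_seconds, seed=0):
    """Constructed scenario: start at a fixed time, KillDate horizon_seconds later.

    Returns (number of check-ins, interval CV, the check-in times).
    """
    start = datetime(2015, 8, 21, 9, 0, 0)             # constructed timestamp
    kill = start + timedelta(seconds=horizon_seconds)
    times = beacon_schedule(start, delay, jitter, kill, rng=random.Random(seed))
    return len(times), interval_cv(times), times


if __name__ == "__main__":
    n, cv, _ = run_demo(5, 0.0, 3600)     # Empire's default: 5 s, no jitter
    print(f"default listener: {n} check-ins in an hour, interval CV {cv:.3f}")
    n, cv, _ = run_demo(60, 0.5, 3600)    # slower and jittered
    print(f"quieter listener: {n} check-ins in an hour, interval CV {cv:.3f}")
```

Run it and compare the two lines: the default 5-second, zero-jitter listener produces hundreds of perfectly evenly spaced requests per hour, while a 60-second delay with 0.5 jitter produces a few dozen with visibly irregular spacing. That difference is what “flying lower under the radar” buys you.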

There are a variety of ways to deploy agents that will call back to your newly created listener. From the listeners section, pass the “launcher” stager a single argument (the number of your desired listener) to spit out a PowerShell one-liner. Running that command on a victim machine will spawn a new agent.

Screenshot: Execute a New Listener and Run Launcher

There are usually multiple paths to a single goal in Empire. The usestager command can be used to accomplish the same end as seen in the screenshot below:

Screenshot: usestager Used to Generate a One-liner

There are all kinds of stagers in Empire. You’ll find it’s full of surprises. I would recommend taking some time to familiarize yourself with some more of the available options.
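As an added illustration (not code from this post or from the Empire project), the following Python shows what that launcher one-liner is made of: a script base64-encoded as UTF-16LE and handed to powershell.exe via -EncodedCommand (-Enc), and, going the other way, how to recover the script from a launcher line captured in process-creation logs. The stager text and the switch set are constructed placeholders (the switch set mirrors the usual hidden, no-profile, non-interactive combination; check your own launcher output); Empire’s real stager is considerably longer.

```python
"""Added example: build and unwrap a `powershell -Enc` launcher line.
Not Empire's code; the payload and switches below are constructed stand-ins."""
import base64
import shlex

# Assumed switch set for a hidden, no-profile, non-interactive launcher.
POWERSHELL_SWITCHES = "-NoP -sta -NonI -W Hidden"


def encode_command(script):
    """-EncodedCommand expects base64 over the script's UTF-16LE bytes, not UTF-8.
    Encoding as UTF-8 is the classic mistake and yields a line PowerShell rejects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def build_launcher(script, switches=POWERSHELL_SWITCHES):
    """Assemble a one-liner in the same shape a launcher stager prints."""
    return f"powershell.exe {switches} -Enc {encode_command(script)}"


def _is_encoded_flag(arg):
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand that
    starts with 'e' (-e, -enc, ...) plus the documented -ec alias; '/' works
    in place of '-'. -ex... belongs to -ExecutionPolicy and must not match."""
    if not arg or arg[0] not in "-/":
        return False
    key = arg[1:].lower()
    return key == "ec" or (key.startswith("e") and "encodedcommand".startswith(key))


def decode_launcher(cmdline):
    """Return the script hidden in a launcher command line, or None if the line
    carries no encoded command. shlex is adequate for launcher lines, which
    contain no quoting; a general Windows command-line parser would differ."""
    args = shlex.split(cmdline)
    for flag, value in zip(args, args[1:]):
        if _is_encoded_flag(flag):
            return base64.b64decode(value).decode("utf-16-le")
    return None


if __name__ == "__main__":
    # Constructed placeholder payload; a real stager fetches and runs the agent.
    line = build_launcher("Write-Host 'constructed sample'")
    print(line)
    print("decoded:", decode_launcher(line))
```

The decode direction is the one that matters when you review Sysmon or 4688 process-creation logs for a customer after an engagement: anything with a long -Enc argument deserves a look, and decoding it as UTF-16LE is the first step before you can tell a harmless scheduled task from a stager.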

Agents

Empire notifies you of a new agent connection with the following output:

Screenshot: Active Agent

Use the following commands to enter the agent and then get a quick cross section of the agent and the system on which it is resting:

interact <agent_name>

info

Screenshot: Agent Info

Agents come with their own subset of useful commands. As in the rest of the framework, “help” or a question mark will show you the options.

Screenshot: Options for Agents

There are certainly too many to review in this post, but here are a couple worth mentioning:

  • bypassuac: If the victim user happens to be a member of the local Administrators group, this command attempts to bypass UAC. If it succeeds, a new agent spawns, marked as elevated in the agent list by an asterisk (*). It takes a single argument: the number of the listener to which you want to point the new agent. Note: depending on the UAC settings on the victim’s machine, a pop-up box may appear, which makes this command not OpSec safe; for that reason you are given a warning before it runs, which is convenient.
  • injectshellcode: Shortcut to a module (discussed below). Use it to spin up a new agent, or to inject shellcode that sends you a Meterpreter shell (you still need a handler listening for it).
  • mimikatz: Like injectshellcode, a shortcut to another module; it dumps cleartext passwords from memory, just as you’d expect.
  • shell: Run shell commands on the target machine; output is printed to the screen. Remember that because agents rely on beaconing, it may take some time for the output to appear, if it appears at all. Additionally, the shell prefix does not actually appear to be necessary for most commands (see below).
  • upload/download: They do just what they say.
Screenshot: Running Shell Commands

Agents can also be renamed just like listeners for convenience’s sake which is nice.


Modules

The sheer diversity of the modules within Empire is ultimately what makes it such a useful toolset. To see the complete list with your own eyes, from the agents menu (or from within an agent itself), type “usemodule” followed by a space (tab completion won’t add the space for you) and hit Tab again.

Screenshot: Available Agent Modules

Let’s explore a few of the more interesting modules.

credentials/powerdump

This module dumps the local password hashes on the victim machine, assuming the agent is running with local admin rights. From an elevated agent, type the following commands:

usemodule credentials/powerdump

execute

You can use “info” to get additional information on the module once it’s loaded, but the only option for this one is an agent, and if you loaded it from within a live agent, that field will pre-populate.

Screenshot: Powerdump Module in Action


collection/prompt

As any good Red Teamer knows, realistic system messages and text boxes can have a strong influence on the weak-minded. This module is a good way to collect creds after a successful phish or ducky drop. Setting up the module is just like any other, but you’re probably going to want to take a look at the info for this one:

usemodule collection/prompt

info

The MsgText, IconType, and Title options can all be tailored to fit your needs. When executed, an alert will appear on the victim host followed by a credentials prompt. The latter will pre-populate the domain/workgroup which is a nice touch. It’s worth noting that if a victim closes the box, you’ll get a notice. The creds will also be tested, so if they’re incorrect, the prompt will reappear. Observe the screenshots below.

Screenshot: Collection/prompt Info
Screenshot: Alert Message
Screenshot: Creds Prompt


Conclusion

We’ve already added Empire into our internal bag of tricks, and I can’t recommend enough that you do the same. As more modules are added, and we get more field time with this useful framework, expect more posts in the future. Be sure to keep reading. Mind what you have learned. Save you it can.


Special thanks to steiner for help with the text at the beginning of the post and shadowman for his photoshop skills.
