Empire PowerShell Post-Exploitation
Empire is a post-exploitation framework that includes a pure PowerShell 2.0 Windows agent and a pure Python 2.6/2.7 Linux/OS X agent. It is the merge of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptographically secure communications and a flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.
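Because Empire's agents can host the PowerShell engine outside powershell.exe, one defensive check is to watch which processes load System.Management.Automation.dll. The following Python is an added example, not Empire's own code: it applies that check to constructed Sysmon Event ID 7 (image load) records, and the expected-host list, field names and sample paths are assumptions to adapt to local telemetry.

```python
"""Flag processes that load the PowerShell engine without being a known
PowerShell host. Hypothetical detection helper (not Empire code); input is
Sysmon Event ID 7 (image load) records reduced to dicts."""
import re
from typing import Iterable, List

# Processes expected to host the PowerShell engine (assumption: adjust to
# the environment's own inventory of legitimate PowerShell hosts).
EXPECTED_HOSTS = {
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell_ise.exe",
    r"c:\program files\powershell\7\pwsh.exe",
}

# The engine assembly, with or without the native-image (.ni) suffix.
ENGINE_DLL = re.compile(r"\\system\.management\.automation(\.ni)?\.dll$", re.I)


def unmanaged_powershell_hosts(events: Iterable[dict]) -> List[dict]:
    """Return one record per image-load event in which the PowerShell engine
    is loaded into a process that is not an expected PowerShell host."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue  # only image-load events carry ImageLoaded
        if not ENGINE_DLL.search(ev.get("ImageLoaded", "")):
            continue  # some other DLL
        if ev.get("Image", "").lower() in EXPECTED_HOSTS:
            continue  # a normal PowerShell host, nothing to flag
        hits.append({"Image": ev["Image"], "ProcessId": ev.get("ProcessId")})
    return hits


# Constructed sample records (not real telemetry); paths are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"},
    {"EventID": 7, "ProcessId": 5588,
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\1a2b3c4d\System.Management.Automation.ni.dll"},
    {"EventID": 7, "ProcessId": 5588,
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "ProcessId": 700, "Image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in unmanaged_powershell_hosts(SAMPLE_EVENTS):
        print(f"PowerShell engine loaded by unexpected host: {hit}")
```

On a live host the same fields are available from the Sysmon operational log, and the HostApplication field of PowerShell script block events (4103/4104) offers a second, independent view of the hosting process.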
Why PowerShell?
PowerShell offers a multitude of offensive advantages, including full .NET access, application whitelisting, direct access to the Win32 API, the ability to assemble malicious binaries in memory, and a default installation on Windows 7+. Offensive PowerShell had a watershed year in 2014, but despite the multitude of useful projects, many pentesters still struggle to integrate PowerShell into their engagements in a secure manner.
Listeners 101
The first thing you need to do when you start Empire is to set up a local listener. The listeners command will jump you to the listener management menu. Any active listeners will be displayed, and this information can be redisplayed at any time with the list command. The info command will display the currently set listener options.
PowerShell Empire Module Categories
Currently PowerShell Empire has the following categories for modules:
- Code Execution – Ways to run more code
- Collection – Post exploitation data collection
- Credentials – Collect and use creds
- Exfiltration – Identify egress channels
- Lateral Movement – Move around the network
- Management – Host management and auxiliary
- Persistence – Survive reboots
- Privesc – Privilege escalation capabilities
- Recon – Test further entry points (HTTP Basic Auth etc)
- Situational Awareness – Network awareness
- Trollsploit – For the lulz