Starkiller is BC-SECURITY's web front end for the Empire C2 framework. It drives Empire's REST API, so every action below (listeners, stagers, agents, modules, credentials) is an API call the CLI client could make too; the GUI replaces command memorization with forms, dashboards and an interactive agent shell. Since Empire 5 it ships inside the Empire repository and is served by the Empire server itself.
Installation
| Method | Command | Notes |
|---|---|---|
| Bundled (Empire 5) | Start the Empire server and browse to https://localhost:1337/index.html | No separate install; version-matched to the server |
| AppImage | Download from releases, chmod +x Starkiller*.AppImage && ./Starkiller*.AppImage | Standalone Starkiller 1.x for Empire 4 servers, no dependencies |
| Docker | docker run -p 3001:3001 bc1sdc/starkiller:latest | Isolated environment, easy deployment; check the image name against BC-SECURITY's published images before pulling |
| Source | git clone https://github.com/BC-SECURITY/Starkiller && npm install && npm start | Requires Node.js 14+, full control |
| Binary | Download pre-built binaries from GitHub releases | Platform-specific (Linux, macOS, Windows) |
Server Connection
# Connect to Empire Server
# Default: https://localhost:1337 (Empire REST API; Empire 5 serves Starkiller from the same port)
# Alternative remote: https://empire-server.local:1337
# Connection Settings
- Username: empire (default admin account; add one account per operator rather than sharing it)
- Password: password123 is the default that Empire 4/5 ships with (not empire); change it on first login
- API Token: issued by the server after login; Starkiller sends it as a bearer token on every API call, and scripts can use the same token
- SSL/TLS: the Empire API listens with a self-signed certificate by default; install a valid one (or front it with a TLS-terminating reverse proxy) before production use
Listener Management
| Listener Type | Use Case | Configuration |
|---|---|---|
| HTTP (http) | Standard web-based comms, lab/testing | Port 80, Host (callback URL), DefaultProfile (callback URIs + User-Agent) |
| HTTPS (http with CertPath) | Production, TLS-wrapped channel | Port 443, certificate/key, optional domain fronting |
| Malleable (http_malleable) | Blend in with a chosen traffic profile | Cobalt Strike malleable C2 profile file |
| SMB (smb) | Lateral movement, internal networks | Named pipe name; pivots back out through an existing agent |
| Cloud relay (dbx, onedrive) | C2 via a third-party SaaS, no owned infrastructure exposed | API token/app credentials, polling interval |
| Custom | Specialized protocols | Drop-in Python listener under empire/server/listeners/ |
The stock listener set has no DNS transport; DNS-based C2 means a custom listener or a separate tool.
Creating a Listener
1. Listeners → New Listener
2. Select type (http, http_malleable, smb, dbx/onedrive, ...)
3. Configure Host (the URL agents call back to) and BindIP (0.0.0.0 or a specific interface); Host is what gets baked into stagers, so point it at the redirector/domain, not the server's internal IP
4. Set port (80/443 for HTTP/HTTPS); for HTTPS also CertPath
5. Optional: domain fronting (CloudFlare, Akamai): the stager URL targets the CDN edge while the Host header carries the real origin
6. Set DefaultProfile (callback URIs, User-Agent) and DefaultDelay/DefaultJitter for new agents
7. Test → Launch
Stager Generation
| Stager Type | Delivery | Output Format |
|---|---|---|
| Launcher (multi/launcher) | PowerShell or Python one-liner, pasted or dropped by another loader | powershell -enc <base64 of the UTF-16LE script> or the raw script |
| Staging (all types) | Every stager is only stage 0: it fetches the full agent from the listener after the key exchange, so the delivered artifact stays small | Reduced initial footprint; the PowerShell agent runs in memory |
| Macro (windows/macro, multi/macro) | Office documents (Word, Excel) | VBA that runs the launcher |
| Batch (windows/launcher_bat) | CMD batch files, scheduled tasks | .bat wrapping the launcher |
| HTA (windows/hta) | HTML Application, mshta.exe execution | .hta |
| Embedded (windows/dll, windows/shellcode, windows/csharp_exe) | Compiled binary, shellcode injection | .dll, raw shellcode, .exe |
Generate Stager
1. Stagers → New Stager
2. Select listener (pre-configured)
3. Choose stager type and language
4. Set encode, obfuscation options
5. Generate payload
6. Copy/download for delivery
7. Track generated stagers in list
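The launcher stager above is just a base64-encoded PowerShell script passed to `-EncodedCommand`, and the same encoding is what a defender has to undo when that one-liner shows up in process telemetry. The following is an added example, not Starkiller or Empire code: it builds a launcher line the way Empire's PowerShell stagers do (UTF-16LE, then base64, after `-enc`) and decodes one back out of a command line, tolerating the short flag aliases and truncated padding. The script body and the telemetry line are constructed placeholders, not an Empire stage-0 launcher.

```python
"""Build and decode PowerShell -EncodedCommand launcher lines.

Added example, not Starkiller or Empire code. The script body is a benign
placeholder, not an Empire stage-0 launcher.
"""
import base64


def encode_command(script: str) -> str:
    """powershell.exe -EncodedCommand expects base64 of the script in UTF-16LE, not UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def build_launcher(script: str) -> str:
    """Same switch set Empire's launcher uses: -NoP (no profile), -sta, -w 1 (hidden window), -enc."""
    return f"powershell -NoP -sta -w 1 -enc {encode_command(script)}"


def _is_encoded_flag(token: str) -> bool:
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...)
    # plus the documented alias -ec; a bare "-" is not a flag.
    t = token.lower()
    return t == "-ec" or (len(t) >= 2 and "-encodedcommand".startswith(t))


def decode_launcher(cmdline: str):
    """Return the plaintext script from a command line that uses -EncodedCommand,
    or None if there is no such flag or the payload is not valid base64/UTF-16LE.
    Missing base64 padding is tolerated because telemetry sometimes truncates it."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if not _is_encoded_flag(flag):
            continue
        b64 = value.strip("\"'")
        b64 += "=" * (-len(b64) % 4)
        try:
            return base64.b64decode(b64, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


# Constructed process-creation telemetry line (shape of a Sysmon Event 1 CommandLine field).
EXAMPLE_SCRIPT = 'Write-Host "hello from the example"'
SAMPLE_CMDLINE = (
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -w hidden -NoP -ec "
    + encode_command(EXAMPLE_SCRIPT)
)

if __name__ == "__main__":
    print(build_launcher(EXAMPLE_SCRIPT))
    print(decode_launcher(SAMPLE_CMDLINE))
```

`encode_command("Write-Host")` yields `VwByAGkAdABlAC0ASABvAHMAdAA=`, which is why the `VwByAGkAdABlAC0A...` prefix appears so often in detection rules: the UTF-16LE step makes every ASCII script produce the same recognisable base64 shape.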
Agent Management
Agent Dashboard
Dashboard → Agents
- List all active/inactive agents
- Filter by listener, user, hostname, OS
- Last seen timestamp
- Stored credentials per agent
- Kill or interact with agent
Agent Interaction
| Function | Purpose | Notes |
|---|---|---|
| Shell Command | Execute system command | `shell <cmd>` runs through cmd.exe; bare input runs as PowerShell in a PowerShell agent |
| Load Module | Run post-exploitation module | Mimikatz, Sherlock, etc. |
| Upload File | Transfer file to agent | Binary/text, chunked over the C2 channel |
| Download File | Exfiltrate data | Progress tracking, chunked |
| Rename Agent | Change display name | Internal tracking only |
| Kill Agent | Terminate session | `exit` for a clean shutdown, `kill` to force |
1. Agents → Click agent name
2. Interactive shell opens
3. Type commands (PowerShell for powershell agents, Python for python agents; prefix with `shell` for cmd.exe)
4. Output is returned on the agent's next check-in, so at a long sleep it is not real-time
5. Upload/download via buttons
6. Module execution from dropdown
Module Execution
Common Modules
| Module | Function | Empire module path |
|---|---|---|
| Mimikatz | Credential dumping | powershell/credentials/mimikatz/logonpasswords |
| Sherlock | Missing-patch / known-LPE check | powershell/privesc/sherlock |
| BloodHound | AD mapping, pathfinding | powershell/situational_awareness/network/bloodhound3 |
| PowerUp | Privilege escalation checks | powershell/privesc/powerup/allchecks |
| Spawn | Second agent on another listener (backup channel) | powershell/management/spawn |
| WMI | Lateral movement | powershell/lateral_movement/invoke_wmi |
Execute Module
1. Agent → Interact
2. Select Module dropdown
3. Configure options (listener, target, etc.)
4. Set payload encoding/obfuscation
5. Execute module
6. Monitor output in shell
7. Download results or parse inline
Credential Management
Credential Types
| Type | Source | Data |
|---|---|---|
| Plaintext | Mimikatz wdigest/kerberos output, manual entry | Username:password (Empire credtype plaintext) |
| Hash | Mimikatz msv output, SAM dump | NTLM hashes (Empire credtype hash); LM is normally the empty-LM value aad3b435... |
| Ticket | Kerberos ticket extraction (sekurlsa::tickets) | .kirbi, base64 encoded |
| Token | Windows access-token impersonation (credentials/tokens) | Logon tokens of other users on the host, not OAuth/API tokens |
| Certificate | Certificate extraction | .pfx, .pem keys |
Credential Harvesting Workflow
1. Load Mimikatz module on agent
2. Execute: `privilege::debug` → `sekurlsa::logonpasswords`
3. Credentials appear in Credentials tab
4. Filter/search by username, hash type
5. Export CSV for offline cracking
6. Use credentials for pivot/lateral movement
7. Notes field for tracking source agent
Listener-Agent Binding
# Agent communicates with the listener it was staged from
# Listener type determines the channel (HTTP/HTTPS, malleable profile, SMB pipe, cloud relay)
# Multiple agents → Single listener (fan-in)
# One agent → one listener; for a backup channel run management/spawn to start a second agent on a different listener
# Check/change the beacon interval in the agent shell: sleep <delay> <jitter>, jitter as a fraction (sleep 60 0.2 → 48-72 s)
# Listener DefaultDelay / DefaultJitter set the values new agents start with
# Detection: fixed-period beaconing with bounded jitter, metadata (URIs and User-Agent from DefaultProfile), TLS/JA3 fingerprints
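The detection note above is the blue-team side of the delay/jitter setting: an agent on `sleep 60 0.2` produces inter-request gaps that all fall inside a narrow band around 60 s, something a human browsing the same host never does. The following is an added example, not part of Starkiller or Empire: it models Empire's jitter the way the agent applies it (uniform sleep in [delay·(1−jitter), delay·(1+jitter)]) to generate a constructed proxy log, then scores each client/server pair by what fraction of its intervals sit within a band around the median. Log format, hosts and IPs are constructed; the URIs are Empire's stock http DefaultProfile paths.

```python
"""Spot Empire-style beaconing in HTTP proxy logs.

Added example, not part of Starkiller or Empire. The sleep model mirrors how an
Empire agent applies `sleep <delay> <jitter>`; log lines, hosts and IPs are
constructed.
"""
import random
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median
from urllib.parse import urlsplit


def jittered_sleeps(delay: int, jitter: float, count: int, seed: int = 7) -> list[int]:
    """Seconds between consecutive check-ins for an agent running `sleep delay jitter`."""
    rng = random.Random(seed)
    low, high = int(delay * (1 - jitter)), int(delay * (1 + jitter))
    return [rng.randint(low, high) for _ in range(count)]


def make_log(src: str, url: str, sleeps: list[int], start: datetime) -> list[str]:
    """Constructed proxy log: '<ISO time> <client> GET <url>' per request."""
    lines, t = [], start
    for s in sleeps:
        t += timedelta(seconds=s)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {src} GET {url}")
    return lines


def parse_line(line: str):
    ts, src, _method, url = line.split(maxsplit=3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, urlsplit(url).netloc


def beacon_scores(lines, min_hits: int = 8, band: float = 0.35, min_in_band: float = 0.8) -> dict:
    """Per (client, server) pair: median interval, estimated jitter and a beacon verdict.
    A pair is flagged when at least min_in_band of its intervals lie within
    ±band*median. band=0.35 covers Empire's usual jitter range (0.0-0.2) with
    margin, while bursty human browsing spans orders of magnitude and stays far below."""
    per_pair = defaultdict(list)
    for line in lines:
        when, src, host = parse_line(line)
        per_pair[(src, host)].append(when)
    results = {}
    for pair, times in per_pair.items():
        if len(times) < min_hits:
            continue  # too few samples to call it periodic either way
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(deltas)
        if med <= 0:
            continue
        in_band = sum(abs(d - med) <= band * med for d in deltas) / len(deltas)
        results[pair] = {
            "hits": len(times),
            "median_interval_s": med,
            "in_band": round(in_band, 2),
            "est_jitter": round((max(deltas) - min(deltas)) / (2 * med), 2),
            "beacon": in_band >= min_in_band,
        }
    return results


START = datetime(2024, 1, 2, 9, 0, tzinfo=timezone.utc)
HUMAN_GAPS = [3, 1, 45, 2, 130, 7, 2, 600, 4, 1, 9, 35]  # bursty browsing, constructed


def run_sample() -> dict:
    """One agent on `sleep 60 0.2` and one human, both talking to the same server."""
    lines = make_log("10.0.0.5", "http://203.0.113.10/admin/get.php", jittered_sleeps(60, 0.2, 40), START)
    lines += make_log("10.0.0.9", "http://203.0.113.10/news.php", HUMAN_GAPS, START)
    return beacon_scores(lines)


if __name__ == "__main__":
    for pair, score in run_sample().items():
        print(pair, score)
```

The estimate `est_jitter` recovers the configured fraction (about 0.2 here) once enough samples are in. Long sleeps (hours) need correspondingly long log windows before `min_hits` is reached, and WorkingHours gaps will split one agent into several apparent series; group by day before scoring if you tune for those.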
Team Collaboration Features
| Feature | Use Case | Details |
|---|---|---|
| User Accounts | Multi-operator access | One account per operator; an admin flag controls user management |
| API Tokens | Automation, CI/CD | Bearer token from the same login endpoint Starkiller uses |
| Audit Log | Operational tracking | Login, agent tasking, downloads, attributed to the user who issued them |
| Notes/Tags | Team communication | Attach to agents, listeners, credentials |
| Operation Workspace | Campaign organization | In practice one Empire server (and database) per engagement, so agents and logs stay isolated |
Create Operator Account
Settings → Users → New User
- Username: operator1
- Password: (auto-generate or set)
- Admin: off for ordinary operators; Empire's model is admin vs. non-admin, so assume any account can task agents
- Log in once as the new user and save the returned API token for scripting
Reporting & Export
Generate Report
1. Reports → New Report
2. Select date range (operations period)
3. Include: Agents, listeners, modules executed
4. Filter by operator, listener type
5. Format: PDF (formatted) or CSV (data analysis)
6. Export credentials (with/without hashes)
7. Share with stakeholders (redacted PII as needed)
Data Exports
- Agent list: CSV/JSON (for correlation)
- Module output: Plain text or JSON (parsing)
- Credentials: CSV (Excel, password managers)
- Beacon timeline: HTTP check-in intervals, URIs and User-Agents per agent, for the defender debrief
- Timeline: Sorted by event timestamp
Plugin System
Custom Extensions
Empire loads extensions from fixed directories in the server tree; listeners, modules and stagers are separate from plugins:
empire/server/
├── listeners/    # listener protocols: http.py, http_malleable.py, smb.py, dbx.py, ...
├── modules/      # post-exploitation modules by language (powershell/, python/, csharp/)
├── stagers/      # stager generators (multi/launcher, windows/macro, ...)
└── plugins/      # plugins, one folder per plugin
Load plugin: Settings → Plugins → Upload .zip
Enable/disable without restart
Starkiller vs Empire CLI
| Feature | Starkiller GUI | Empire CLI |
|---|---|---|
| Learning curve | Low (visual, intuitive) | Steeper (command memorization; tab completion helps) |
| Agent interaction | Web shell with one tab per agent | Interactive agent menu |
| Listener setup | Form-based with validation | `uselistener http`, `set`, `execute`; mistakes only surface at execute |
| Reporting | One-click export | Reporting plugin or manual log parsing |
| Collaboration | Multi-user; every client shares one server and audit log | Same server model since Empire 4: several CLI clients can attach with their own accounts |
| Automation | Same REST API; point scripts at it directly | Same REST API, plus the server's Python internals |
| Workflow speed | Fast (clicking) | Fast (scripting) |
| Advanced control | Limited to what the forms expose | Full (direct Python) |
Common Workflows
Initial Access & Beaconing
1. Create HTTP/HTTPS listener (callback domain)
2. Generate PowerShell launcher stager
3. Deliver via phishing email or web compromise
4. Wait for first beacon (check Dashboard)
5. Interact with agent shell
6. Execute initial reconnaissance
Credential Dumping
1. Gain agent on domain-joined machine
2. Load/execute Mimikatz module
3. Extract NTLM hashes and plaintext
4. Credentials tab auto-populates
5. Use hashes for pass-the-hash attacks
6. Pivot to other systems (lateral movement)
Privilege Escalation
1. Run Sherlock module (vulnerability scan)
2. Execute PowerUp (privesc checks)
3. Review output for exploitable gaps
4. Load token impersonation module
5. Escalate to SYSTEM or admin token
6. Execute privileged commands
7. Dump SAM hive or LSASS process
Persistence & Cleanup
# Persistence
1. Load empire launcher module
2. Create scheduled task or registry run key
3. Generate base64 launcher
4. Execute on agent (maintains access)
# Cleanup
1. Remove the scheduled task/registry entry you created
2. Remove temporary files and any dropped stagers
3. Leave event logs alone: clearing them is itself a high-fidelity alert (Security 1102, System 104) and is out of scope on most engagements; record what you touched for the report instead
4. Disconnect agent gracefully (`exit`, not `kill`, so the agent unwinds cleanly)
5. Delete listener (export/archive its data first)
Security Best Practices
| Practice | Implementation |
|---|---|
| SSL/TLS | HTTPS listeners with a certificate the targets will accept; TLS hides the staging metadata and URIs from the network |
| Firewall | Limit the Empire API port (1337) to operator IPs or a VPN; never expose it on the C2's public interface |
| Credentials | Change the default empire / password123 account on first login; one account per operator |
| Logs | Archive audit logs, review for anomalies |
| Network | Redirectors in front of the C2 server; segment it from production networks |
| Obfuscation | Enable encoding, vary user agents and URIs via DefaultProfile, domain front |
| Monitoring | SIEM alerts on beacon patterns and on failed auth against the Empire API |
| Encryption | Agent traffic is AES-encrypted with a per-agent session key negotiated during staging regardless of listener type; stage 1 is protected only by the listener's StagingKey, so never reuse a StagingKey across engagements |
Troubleshooting
| Issue | Solution |
|---|---|
| Agent not beaconing | Check the listener's Host/port are reachable from the target (not just BindIP on the server), and that WorkingHours/KillDate haven't silenced the agent |
| Module execution timeout | Increase timeout in settings, retry with smaller scope |
| Connection refused | Verify the Empire server is running, port 1337 reachable, credentials correct, and the URL uses https:// |
| SSL certificate error | Empire's API uses a self-signed certificate by default: accept it in the browser (labs only) or install a valid cert |
| Memory errors on large exports | Export in date ranges, filter agents before export |
| Slow UI response | Clear browser cache, reduce agent count in view, restart Starkiller |
Resources