PowerShell Empire: advanced post-exploitation of Windows systems
PowerShell Empire is a unique post-operational PowerShell agent built on the basis of crypto-reliable connections and a flexible architecture. Empire provides the ability to run PowerShell agents without the need for powershell.exe, with quick launch of post-operational modules, which vary from keyloggers to Mimikatz, and allows you to successfully avoid network discovery, while all this functionality is assembled in one convenient and flexible framework.
Powershell Empire provides a modular platform for post-exploitation, leveraging the power of Windows PowerShell.
Empire agents are fully operational in RAM and are difficult to detect with security features, i.e. antivirus software and intrusion prevention systems due to the fact that they are written in a scripting language and at run time, an interpreter of the scripting language is between the agent and antivirus software, unlike the classic payloads compiled into assembler and executable file. This framework is actively used both for post-exploitation in Windows systems, and when creating phishing / social-technical campaigns.
Powershell Empire runs on Linux and resembles the Metasploit Framework in its structure. Installation is done by cloning from a git repository:
git clone https://github.com/adaptivethreat/Empire.git
After that, you need to run the installation script to install the necessary python dependencies:
Powershell Empire Features
The framework is constantly being improved, just the other day the next global update was released , containing many corrections and additions.
To work with a remote Windows system, you must deliver the so-called stager, which is an obfuscated code to run. After the stager is executed, the so-called agent, through which interaction with the attacked system occurs.
The stager delivery methods can have various vectors - from phishing attacks to compromising the system using identified (unpatched) vulnerabilities, etc.
Agents can be represented as follows:
- launcher_bat - the agent is delivered when the bat-file is launched;
- launcher_vbs - the agent is delivered when the vbs-script is executed;
- macro - macro code for implementation in office documents;
- dll - running the agent in the form of "dll hijacking" - implementation of the DLL in the process.
Stager dll allows you to integrate Empire with the Metasploit framework and other modern tools. Using the exploit, it is necessary to inject the malicious DLL into the attacked process, after which the Empire agent will be loaded into the RAM of the victim’s machine and executed.
The main features that I would like to note are ready-made tools for interacting with an attacked Windows system:
- integration with Metasploit Framework;
- privilege escalation;
- collecting information about the attacked system and exfiltration of data;
- consolidation in the system;
- sound recording from an integrated microphone;
- saving screenshots;
- Extract Windows passwords and hashes;
- and much more.
For ease of use, you can use the third-party PowerShell Empire Web Interface module .