C&C with Empire – A Mitre Att&ck T1071 and T1086 Demo

.. a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. It premiered at BSidesLV in 2015.
ReadMe file of Empire 

Empire is a publicly available post-exploitation framework used by nation state threat actors and red teams. This demo is about gaining C&C and associated to MITRE ATT&CK (r) Tactic: Command and Control and Technique: T1086, T1071.

It is important to install Empire with this command to use all functions of it;

        git clone https://github.com/BC-SECURITY/Empire

After installing Empire, we are creating a listener on port 80. I am using Ubuntu for this demo.

After enabling listener, we must use a stager. Here, we are using a batch stager;

With executing the commands above, a malicious batch file has been created in /tmp/ folder. When the victim executed this file in his/her machine, we get a session. With the “agents” command, we can see active sessions like below. Then with the “interact <agent id>” command, we can get the C&C connection to the victim. 

Empire is a good and fast framework for C&C. But if we do not make obfuscation, it is very possible to detect these processes for defense teams. In EventViewer, we can find logs of the malicious behaviors;

For defense, it is important to use an EDR solution on endpoint machine. You can find here is my EDR Choosing Guide post. 

Leave a Reply