“.. a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. It premiered at BSidesLV in 2015.”
ReadMe file of Empire
Empire is a publicly available post-exploitation framework used by nation state threat actors and red teams. This demo is about gaining C&C and associated to MITRE ATT&CK (r) Tactic: Command and Control and Technique: T1086, T1071.
It is important to install Empire with this command to use all functions of it;
git clone https://github.com/BC-SECURITY/Empire
After installing Empire, we are creating a listener on port 80. I am using Ubuntu for this demo.
After enabling listener, we must use a stager. Here, we are using a batch stager;
With executing the commands above, a malicious batch file has been created in /tmp/ folder. When the victim executed this file in his/her machine, we get a session. With the “agents” command, we can see active sessions like below. Then with the “interact <agent id>” command, we can get the C&C connection to the victim.
Empire is a good and fast framework for C&C. But if we do not make obfuscation, it is very possible to detect these processes for defense teams. In EventViewer, we can find logs of the malicious behaviors;
For defense, it is important to use an EDR solution on endpoint machine. You can find here is my EDR Choosing Guide post.