Press "Enter" to skip to content

Category: Empire

Empire Fails

Everyone makes mistakes, and we’re certainly no exception. Empire has suffered from a few security issues since its original release at BSides LV in 2015, and for a while, I’ve wanted to give some technical details on the specific mistakes we’ve made along the way for the sake of transparency. Thanks to a recent second disclosure by Spencer McIntyre (@zeroSteiner) several weeks ago, it seemed to be an appropriate time to own up to our transgressions. This post will cover the crypto issue disclosed right after release by Jon Cave (@joncave), as well as the two separate RCE issues disclosed by Spencer. Crypto…

The Empire Strikes Back

We recently made some of the biggest changes to Empire since its release at BSidesLV in 2015. This post will summarize many of the modifications for the Empire 2.0 beta release, but also check out @enigma0x3‘s and my “A Year in the Empire” presentation we gave at Derbycon 6 for more information (slides here). This also marks an expansion of the Empire Development Team, which now includes @enigma0x3, @sixdub, @rvrsh3ll, @xorrior, and @killswitch_gui. The beta code is current in the 2.0_beta branch of the newly-relocated Empire repository – we want to stress again that this code is beta, so use with…

Empire’s RESTful API

This post is part of the ‘Empire Series’ with some background and an ongoing list of series posts [kept here]. [tl;dr] The Empire RESTful API is documented here on the Empire GitHub wiki. Last week, Empire’s 1.5 release included a RESTful API implementation which I hinted about previously. This effort was inspired by a conversation with @antisnatchor from the BeEF project while at the Troopers conference this year- big shoutout to him and Carlos Perez for inspiration and feedback as the API was being developed. This post (and the code itself) wouldn’t exist if it wasn’t for both of your efforts. RESTwut REST stands for ‘REpresentational State Transfer’, and an…

Empire 1.5

Three months have elapsed since the Empire 1.4 release, and we have some awesome new features for our next release! The notes for Empire 1.5 are below, but a quick warning- this release modifies part of the backend database schema, so do not apply this update if you have existing agents on your Empire server. You will need to run ./setup/reset.sh to reinitialize the database, and will likely need to rerun setup.sh or pip install flask to install the Flask dependencies necessary for the RESTful API. New Modules The core version of PowerView was updated with the newest version from PowerSploit’s dev branch. With…

Empire’s CLI

This post is part of the ‘Empire Series’ with some background and an ongoing list of series posts [kept here]. Recently, an Empire user requested that we build a ‘standalone payload generator’, similar to msfvenom’s functionality. The motivation is to provide a scriptable capability that makes integration with other tools relatively easy. This short post will cover the newly integrated command line options for Empire which allow for the scripted generation of stagers. To display the currently available options, run ./empire -h

In order to effectively use Empire’s CLI, you need to have a listener currently set up so the data is stored in…

Nothing Lasts Forever: Persistence with Empire

This post is part of the ‘Empire Series’ with some background and an ongoing list of series posts [kept here]. Code execution is great and remote control is awesome, but if you don’t have a persistence strategy planned nothing can throw a wrench in your engagement like an unplanned reboot or user logout. This post covers 17 current Empire persistence modules that can help you with retaining hard-fought access, broken into userland/elevated options, PowerBreach, and miscellaneous approaches. We like to break reboot persistence down into a three different questions. First, are you installing the persistence from userland or an elevated context? Second, where are you storing the…

Expanding Your Empire

The “Empire Series”: 1/21/16 – Expanding Your Empire 1/28/16 – An Empire Case Study 2/4/16 – Nothing Lasts Forever: Persistence with Empire 2/11/16 – Empire & Tool Diversity: Integration is Key 2/25/16 – Empire’s CLI 3/15/16 – Phishing With Empire 3/31/16 – Empire 1.5 4/5/16 – Empire’s RESTful API [Note: This has been cross posted on the Adaptive Threat Division blog] This is the first in the “Empire Series”, a set of articles that will cover various aspects of Empire’s functionality and usage. These posts will be split between various Empire authors and contributors with a running set of links updated at the top of…

Empire 1.4

It’s been another two months since the last major Empire point release, and development has continued to move along steadily. Empire has a TON of new modules from 10 different authors and a smattering of additional bug fixes/feature adds. We want to give a big thanks and shout out to all the contributors who are helping to expand Empire with new capabilities! New Modules situational_awareness/network/powerview/find_managed_security_groups integrates @ukstufus‘s pull to identify Active Directory groups which have the ‘managedBy’ attribute set. In some cases this can help to uncover misconfiguration in AD that may allow for elevation. There’s more information on this module in the…

Empire 1.3

It’s been about two months since the release of Empire 1.2. We took a quick breather after coming down from our sprint to BSidesLV and the two follow-up releases. Part of this lull was to work on massive rewrite of PowerView 2.0 which I spoke about a few weeks ago. Much of this Empire 1.3 release is centered around updating the framework’s PowerView modules with this new code, and coming up with a process to streamline integration between the two projects. Previously, the source for each PowerView-based module (like situational_awareness/network/userhunter, which utilized Invoke-UserHunter) was broken out into hand-stripped files in the module_source/situational_awareness/network…

Empire 1.2

It’s been almost two weeks since since the release of Empire 1.1, but it’s already time for version 1.2! Here are the recent modifications: Components of the agent.ps1’s core shell functionality were streamlined and ported to WMI equivalents. We wanted to avoid using native binaries as much as possible in the case of command line auditing, and took the chance to clean up a bit of the agent core. help agentcmds in an agent menu will show the “opsec-safe” aliases we have implemented, and shell <CMD> will manually execute commands using normal execution. Minor UI/misc. tweaks- list [agents/listeners] <modifier> should now be a universal option on all…