It’s been another two months since the last major Empire point release, and development has continued to move along steadily. Empire has a TON of new modules from 10 different authors and a smattering of additional bug fixes/feature adds. We want to give a big thanks and shout out to all the contributors who are helping to expand Empire with new capabilities!
- situational_awareness/network/powerview/find_managed_security_groups integrates @ukstufus‘s pull to identify Active Directory groups which have the ‘managedBy’ attribute set. In some cases this can help to uncover misconfiguration in AD that may allow for elevation. There’s more information on this module in the pull comments.
- Also by @ukstufus, the exfiltration/egresscheck module will generate traffic on a provided range of ports, which can be useful to identify direct egress channels. More information here.
- situational_awareness/host/findtrusteddocuments by @jamcut will enumerate trusted documents and trusted document locations on a host. These make great locations to trojanize with macros for a means of persistence.
- Also in host situational awareness, @mh4x0f and Jan Egil Ring submitted situational_awareness/host/antivirusproduct which will give some more information on host AV solutions.
- Kevin Robertson was kind enough to update collection/inveigh module with an updated Inveigh code base that now plays very nicely with Empire. He also submitted lateral_movement/inveigh_relay, which can perform SMB relay for the purpose of lateral spread!
- @monoxgas submitted credentials/mimikatz/dcsync_hashdump, based on the work of @gentilkiwi, Vincent Le Toux, and @JosephBialek. This allows you to use a modified version of Invoke-Mimikatz to perform DCSync hashdumping of an entire domain!
- privesc/ask by Jack64 will use Start-Process with “-Verb RunAs” to prompt a user for credentials for the purposes of UAC bypassing.
- rvrsh3ll has been busy with three new modules:
- @xorrior has also been busy:
- management/mailraider/* contains the Empire implementation of Chris’ EmailRaider project, which allows for internal phishing through Microsoft Outlook. Chris has some more information on this project here.
- collection/ChromeDump and collection/FoxDump are two new modules to extract saved Chrome and Firefox password sets, respectively. One note: FoxDump currently needs to be run from a 32-bit PowerShell process. As a temporary workaround, management/spawn now has a SysWow64 option to spawn a 32-bit Empire agent on 64-bit systems.
- situational_awareness/network/powerview/* got some additional updates:
- get_forest returns information about a given forest, including the root domain and SID
- get_cached_rdpconnection uses remote registry functionality to query all entries for the “Windows Remote Desktop Connection Client” on the local (or a remote) machine
- set_ad_object allows for the manipulation of Active Directory object permissions
- Three additional management/* modules have also been added:
- downgrade_account will set reversible encryption on a given domain account and then force the password to be set on next user login. I wrote about this approach here and Sean Metcalf wrote about an alternative approach here.
- spawnas allows you to spawn an Empire agent with different user credentials
- invoke_script allows you to easily execute an arbitrary PowerShell.ps1 script. This can be useful for mass-tasking or when taking advantage of Empire’s new autorun functionality (described in the next section).
- Empire’s Mimikatz functionality has been expanded with credentials/mimikatz/cache and credentials/mimikatz/sam, to extract MSCache(v2) hashes and SAM hashes respectively. Thanks again to @gentilkiwi for the Mimikatz goodness!
- PowerUp’s exe-restore logic was broken out into privesc/powerup/service_exe_restore
- Two new persistence methods were added:
- persistence/misc/add_netuser allows you to create/add a domain user or a local user to the current (or remote) machine, if permissions allow.
- persistence/userland/backdoor_lnk was inspired in part by @nikhil_mitt‘s post here. This module allows you to backdoor an existing .lnk file in a way that preserves the original icon and launches the original target binary, but also triggers an Empire stager stored in a specified registry location. There’s also a CleanUp argument which restores a .lnk to its original execution path.
- And finally, we have a new TrollSploit addition, rick_ascii. This triggers a simple download cradle for Lee Holmes‘ awesome ASCII rick roll:
- Autoruns! Empire now has the ability to specify a module to automatically run whenever a new agent checks in. In a module menu, set your desired options, then set Agent autorun and execute, and the specified module/options will run as the first tasking for new agents. To clear an autorun module, from the (Empire: agents) > menu just type clear autorun.
- The persistence/debugger/* modules were rolled into a single module at persistence/misc/debugger. The TargetBinary option allows you to set which accessibility binary you’d like to abuse.
- Running ./empire –debug now writes out the last PowerShell logic tasked to an agent to ./LastTask.ps1. This can be quite useful for debugging and building modules.
- All PowerUp modules now dynamically built from a single source file, similar to the PowerView update in 1.3.
- The ./setup/install.sh logic was updated by @MikeDawg to support additional platforms.
- ./setup/setup_database.py was updated by @mubix to allow for randomization of the staging password.
- Numerous bug fixes (as usual : ) We’ve also reinstated our dev branch. New pulls should submit to dev, which we will merge to master after vetting. There are now also a few notes in README.md under ‘Contribution Rules’ for those who want to contribute modules.
Thanks again to everyone who’s contributed to Empire in the short four and a half months since its release! The public participation has been humbling, and we’re happy to hear at Empire is being used successfully on engagements. Remember that there is now an Empire cheat sheet included in the set at https://github.com/harmj0y/cheatsheets/, and we’ll catch you in the new year!