A few weeks ago, @sixdub and I released a project called Empire at BSides Las Vegas (slides and video), and the response has been very positive. For those unfamiliar, Empire is a pure PowerShell post-exploitation agent that aims to solve the PowerShell “weaponization problem” and train blue teamers on how to respond to PowerShell-based attacks. There’s an overview post here, the code is up on GitHub, and complete documentation is at www.PowerShellEmpire.com.
With the surge in interest, and @enigma0x3 joining the project, we’ve implemented several changes in the past two weeks since Empire’s release. We wanted to give a quick rundown on the changes in version 1.1.
- Jon Cave graciously stepped in within a few days and corrected a crypto mistake of ours, which could have resulted in an attacker deauthing clients from the server. In short, message authentication is important. Several other bugs were squashed as well.
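To make the “message authentication is important” point concrete, here is a small added example (not Empire’s code, and not Jon Cave’s fix) of how a server can authenticate client-bound messages so that a third party who has not got the session key cannot inject a forged “exit” command or replay an old one. It assumes a hypothetical shared session key and a monotonically increasing counter; the framing format is invented for the example.

```python
import hmac
import hashlib
import struct

TAG_LEN = 32      # HMAC-SHA256 output size
HEADER_LEN = 8    # 64-bit big-endian message counter

def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Frame a message as counter || payload || HMAC-SHA256(key, counter || payload).

    The MAC covers the counter too, so an attacker cannot re-number a
    captured frame to slip it past the replay check.
    """
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class Receiver:
    """Accepts only frames whose MAC verifies under the session key and whose
    counter is strictly newer than the last accepted one."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1   # nothing accepted yet

    def open(self, frame: bytes):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < HEADER_LEN + TAG_LEN:
            return None  # too short to even carry a header and a tag
        header = frame[:HEADER_LEN]
        payload = frame[HEADER_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # compare_digest avoids leaking the tag through timing differences
        if not hmac.compare_digest(expected, tag):
            return None  # forged or tampered
        counter = struct.unpack(">Q", header)[0]
        if counter <= self.last_counter:
            return None  # replayed (or reordered) frame
        self.last_counter = counter
        return payload

def demo():
    """Walk through the cases a receiver must get right; returns a dict of outcomes."""
    session_key = b"\x11" * 32          # constructed key for the example only
    attacker_key = b"\x22" * 32         # attacker does not know session_key
    rx = Receiver(session_key)

    genuine = seal(session_key, 1, b"checkin")
    forged = seal(attacker_key, 2, b"exit")              # wrong key
    tampered = bytearray(seal(session_key, 2, b"checkin"))
    tampered[HEADER_LEN + 2] ^= 0x01                      # flip a payload bit

    return {
        "genuine": rx.open(genuine),            # accepted
        "replay": rx.open(genuine),             # same counter again -> rejected
        "forged": rx.open(forged),              # bad MAC -> rejected
        "tampered": rx.open(bytes(tampered)),   # bad MAC -> rejected
        "next": rx.open(seal(session_key, 2, b"checkin")),  # fresh -> accepted
    }

if __name__ == "__main__":
    print(demo())
```

The order matters: the MAC is checked before anything in the frame is trusted, including the counter, and the counter check makes a captured genuine frame useless later. Without the MAC, anyone who can reach the server’s or client’s endpoint can fabricate control messages, which is exactly the class of problem the fix above closed.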
- Agents can now be set to die after a certain number of failed checkins (with the DefaultLostLimit option, default of 60 missed checkins). This helps prevent agents from becoming completely orphaned. There are also now options to list and remove “stale” agents that have missed their checkin intervals, with agents> list stale and agents> remove stale, respectively.
- Casey Smith submitted an HTA (HyperText Application) stager module for phishing Internet Explorer users. You can access this with listeners> usestager hta.
- Several new modules were added:
  - management/timestomp (based on @obscuresec’s Set-MacAttribute code) allows you to modify the created/modified/accessed times of specific files.
  - situational_awareness/network/smbscanner (also based on some @obscuresec code, this time Test-SmbPassword) lets you test a local or domain username/password combination across a number of machines.
  - persistence/elevated/wmi adapts @mattifestation’s PowerSploit WMI persistence code to set up persistent WMI subscriptions that can trigger Empire stagers. These can be set to trigger AtStartup or at a particular DailyTime (cleanup options are included as usual). This helps round out Empire’s various persistence mechanisms.
  - The trollsploit/process_killer module sets an autokill loop for processes of particular names.
- And finally, we now have PsExec at lateral_movement/invoke_psexec. This utilizes a custom Invoke-PsExec implementation we built to give pentesters their classical lateral spread technique. While we don’t advocate PsExec (our preference is lateral_movement/invoke_wmi), it still occasionally has its place in engagements.