
PowerShell Empire: advanced post-exploitation of Windows systems



PowerShell Empire is a pure-PowerShell post-exploitation agent built on cryptographically secure communications and a flexible architecture. Empire can run PowerShell agents without needing powershell.exe, rapidly deploys post-exploitation modules ranging from keyloggers to Mimikatz, and uses adaptable communications to evade network detection, all of it packaged in one convenient and flexible framework.



Powershell Empire



PowerShell Empire provides a modular post-exploitation platform that leverages the automation capabilities of Windows PowerShell.



Empire agents run entirely in memory and are hard to detect with security tools such as antivirus software and intrusion prevention systems, because they are written in a scripting language: at runtime, a script interpreter sits between the agent and the antivirus engine, unlike a classic payload compiled to native machine code in an executable file. The framework is actively used both for post-exploitation on Windows systems and in phishing / social-engineering campaigns.
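As an added defender-side illustration (not part of the original article and not code from the Empire project), the following Python script looks for the behaviour just described from the detection side: a process that is not a PowerShell host loading the PowerShell engine assembly, which is what an agent running without powershell.exe produces. It parses constructed Sysmon Event ID 7 (image load) records in JSON-lines form; the file paths, process IDs and the allow-list of expected hosts are assumptions made for the example.

```python
"""Detect the PowerShell engine being loaded by a process that is not a
PowerShell host ("unmanaged PowerShell"), the pattern produced by agents
that run without powershell.exe.  Constructed example for this article;
the log lines and allow-list below are assumptions, not real data."""
import json
import ntpath
from typing import Dict, List

# Processes expected to load the PowerShell engine.  Assumption: extend this
# allow-list with any management or monitoring agents that legitimately embed
# PowerShell in your environment, otherwise they will be reported as well.
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# The engine assembly (IL build and its native-image variant).
ENGINE_DLLS = {
    "system.management.automation.dll",
    "system.management.automation.ni.dll",
}

# Constructed sample: Sysmon records exported as one JSON object per line.
# Event ID 7 = image (DLL) load, Event ID 1 = process creation.  Paths are
# shortened for readability and are not taken from a real host.
SAMPLE_LOG = r"""
{"EventID": 7, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ImageLoaded": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll"}
{"EventID": 7, "ProcessId": 5588, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 7, "ProcessId": 5588, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll"}
{"EventID": 1, "ProcessId": 6001, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"}
{"EventID": 7, "ProcessId": 7732, "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "ImageLoaded": "C:\\Program Files\\PowerShell\\7\\System.Management.Automation.dll"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines log text into a list of event dictionaries,
    skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_unmanaged_powershell_load(event: Dict) -> bool:
    """True when an image-load event shows the PowerShell engine assembly
    being loaded by a process that is not an expected PowerShell host."""
    if event.get("EventID") != 7:
        return False
    # ntpath handles Windows separators regardless of the analysis platform.
    loaded = ntpath.basename(event.get("ImageLoaded", "")).lower()
    host = ntpath.basename(event.get("Image", "")).lower()
    return loaded in ENGINE_DLLS and host not in EXPECTED_HOSTS


def find_unmanaged_hosts(text: str) -> List[Dict]:
    """Return one record per suspicious load: the PID and full image path."""
    return [
        {"pid": event["ProcessId"], "image": event["Image"]}
        for event in parse_events(text)
        if is_unmanaged_powershell_load(event)
    ]


if __name__ == "__main__":
    for hit in find_unmanaged_hosts(SAMPLE_LOG):
        print(f"PID {hit['pid']}: {hit['image']} loaded the PowerShell engine")
```

On the constructed sample only the notepad.exe process is reported; the two real PowerShell hosts are on the allow-list. The check is a heuristic, not a signature: legitimate .NET applications that embed the PowerShell engine will trip it, so the allow-list has to be tuned per environment, and the hit is best treated as a pivot into script block logging and process ancestry for that PID rather than as a verdict on its own.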



Installation



PowerShell Empire runs in a Linux environment and is structurally similar to the Metasploit Framework. It is installed by cloning the git repository:


git clone https://github.com/adaptivethreat/Empire.git


After that, run the installation script to install the required Python dependencies:



./setup/install.sh






PowerShell Empire Features



The framework is constantly being improved; just recently another major update was released, containing many fixes and additions.



To work with a remote Windows system, a so-called stager must first be delivered to it: an obfuscated piece of launch code. Once executed, the stager starts a so-called agent, through which the attacked system is then controlled.



Stager delivery vectors vary, from phishing attacks to compromising the system through identified (unpatched) vulnerabilities.



Agents can be represented as follows:





The DLL stager allows Empire to be integrated with the Metasploit Framework and other modern tools. Using an exploit, the malicious DLL is injected into the attacked process, after which the Empire agent is loaded into the RAM of the victim's machine and executed.



The main features worth pointing out are the ready-made tools for interacting with the attacked Windows system:





For ease of use, there is also a third-party PowerShell Empire Web Interface module.




Source: https://habr.com/ru/post/351592/


