Empire

Empire is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]

ID: S0363
Associated Software: EmPyre, PowerShell Empire
Type: TOOL
Platforms: Linux, macOS, Windows
Version: 1.0

Associated Software Descriptions

Name Description
EmPyre [2]
PowerShell Empire [2]

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

Empire can use Invoke-RunAs to make tokens as well as PowerSploit's Invoke-TokenManipulation to manipulate access tokens.[2]

Enterprise T1015 Accessibility Features

Empire can leverage WMI debugging to remotely replace binaries like sethc.exe, Utilman.exe, and Magnify.exe with cmd.exe.[2]

Enterprise T1087 Account Discovery

Empire can acquire local and domain user account information.[2]

Enterprise T1217 Browser Bookmark Discovery

Empire has the ability to gather browser data such as bookmarks and visited sites.[2]

Enterprise T1088 Bypass User Account Control

Empire includes various modules to attempt to bypass UAC for escalation of privileges.[2]

Enterprise T1115 Clipboard Data

Empire can harvest clipboard data on both Windows and macOS systems.[2]

Enterprise T1059 Command-Line Interface

Empire uses a command-line interface to interact with systems.[2]

Enterprise T1043 Commonly Used Port

Empire can conduct command and control over commonly used ports like 80 and 443.[2]

Enterprise T1175 Component Object Model and Distributed COM

Empire can utilize Invoke-DCOM to leverage remote COM execution for lateral movement.[2]

Enterprise T1136 Create Account

Empire has a module for creating a new domain user or local user if permissions allow.[2]

Enterprise T1003 Credential Dumping

Empire contains an implementation of Mimikatz to gather credentials from memory.[2]

Enterprise T1503 Credentials from Web Browsers

Empire can use modules that extract passwords from common web browsers such as Firefox and Chrome.[2]

Enterprise T1081 Credentials in Files

Empire can use various modules to search for files containing passwords.[2]

Enterprise T1002 Data Compressed

Empire can ZIP directories on the target system.[2]

Enterprise T1038 DLL Search Order Hijacking

Empire contains modules that can discover and exploit various DLL hijacking opportunities.[2]

Enterprise T1482 Domain Trust Discovery

Empire has modules for enumerating domain trusts.[2]

Enterprise T1114 Email Collection

Empire has the ability to collect emails on a target system.[2]

Enterprise T1106 Execution through API

Empire contains a variety of enumeration modules that have an option to use API calls to carry out tasks.[2]

Enterprise T1048 Exfiltration Over Alternative Protocol

Empire can use Dropbox and GitHub for data exfiltration.[2]

Enterprise T1041 Exfiltration Over Command and Control Channel

Empire can send data gathered from a target through the command and control channel.[2]

Enterprise T1068 Exploitation for Privilege Escalation

Empire can exploit vulnerabilities such as MS16-032 and MS16-135.[2]

Enterprise T1210 Exploitation of Remote Services

Empire has a limited number of built-in modules for exploiting remote SMB, JBoss, and Jenkins servers.[2]

Enterprise T1083 File and Directory Discovery

Empire includes various modules for finding files of interest on hosts and network shares.[2]

Enterprise T1484 Group Policy Modification

Empire can use New-GPOImmediateTask to modify a GPO that will install and execute a malicious Scheduled Task.[2]

Enterprise T1179 Hooking

Empire contains some modules that leverage API hooking to carry out tasks, such as netripper.[2]

Enterprise T1056 Input Capture

Empire includes keylogging capabilities for Windows, Linux, and macOS systems.[2]

Enterprise T1208 Kerberoasting

Empire uses PowerSploit's Invoke-Kerberoast to request service tickets and return crackable ticket hashes.[2]

Enterprise T1171 LLMNR/NBT-NS Poisoning and Relay

Empire can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.[2][4]

Enterprise T1031 Modify Existing Service

Empire can utilize built-in modules to modify service binaries and restore them to their original state.[2]

Enterprise T1046 Network Service Scanning

Empire can perform port scans from an infected host.[2]

Enterprise T1135 Network Share Discovery

Empire can find shared drives on the local system.[2]

Enterprise T1040 Network Sniffing

Empire can be used to conduct packet captures on target hosts.[2]

Enterprise T1027 Obfuscated Files or Information

Empire has the ability to obfuscate commands using Invoke-Obfuscation.[2]

Enterprise T1075 Pass the Hash

Empire can perform pass the hash attacks.[2]

Enterprise T1097 Pass the Ticket

Empire can leverage its implementation of Mimikatz to obtain and use Silver and Golden Tickets.[2]

Enterprise T1034 Path Interception

Empire contains modules that can discover and exploit various path interception opportunities.[2]

Enterprise T1086 PowerShell

Empire leverages PowerShell for the majority of its client-side agent tasks. Empire also contains the ability to conduct PowerShell remoting with the Invoke-PSRemoting module.[1][2]

Enterprise T1145 Private Keys

Empire can use modules like Invoke-SessionGopher to extract private key and session information.[2]

Enterprise T1057 Process Discovery

Empire can find information about processes running on local and remote systems.[2]

Enterprise T1055 Process Injection

Empire contains multiple modules for injecting into processes, such as Invoke-PSInject.[2]

Enterprise T1060 Registry Run Keys / Startup Folder

Empire can modify the registry run keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[2]

Enterprise T1105 Remote File Copy

Empire can upload files to and download files from a victim machine.[2]

Enterprise T1021 Remote Services

Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection.[2]

Enterprise T1053 Scheduled Task

Empire has modules to interact with the Windows task scheduler.[2]

Enterprise T1113 Screen Capture

Empire is capable of capturing screenshots on Windows and macOS systems.[2]

Enterprise T1064 Scripting

Empire has modules for executing scripts.[2]

Enterprise T1063 Security Software Discovery

Empire can enumerate antivirus software on the target.[2]

Enterprise T1101 Security Support Provider

Empire can enumerate Security Support Providers (SSPs) as well as utilize PowerSploit's Install-SSP and Invoke-Mimikatz to install malicious SSPs and log authentication events.[2]

Enterprise T1035 Service Execution

Empire can use PsExec to execute a payload on a remote host.[2]

Enterprise T1023 Shortcut Modification

Empire can persist by modifying a .LNK file to include a backdoor.[2]

Enterprise T1178 SID-History Injection

Empire can add a SID-History to a user if on a domain controller.[2]

Enterprise T1071 Standard Application Layer Protocol

Empire can conduct command and control over protocols like HTTP and HTTPS.[2]

Enterprise T1032 Standard Cryptographic Protocol

Empire can use TLS to encrypt its C2 channel.[2]

Enterprise T1082 System Information Discovery

Empire can enumerate host system information like OS, architecture, applied patches, and more.[2]

Enterprise T1016 System Network Configuration Discovery

Empire can acquire network configuration information like DNS servers and network proxies used by a host.[2]

Enterprise T1049 System Network Connections Discovery

Empire can enumerate the current network connections of a host.[2]

Enterprise T1099 Timestomp

Empire can timestomp any files or payloads placed on a target machine to help them blend in.[2]

Enterprise T1127 Trusted Developer Utilities

Empire can use built-in modules to abuse trusted utilities like MSBuild.exe.[2]

Enterprise T1125 Video Capture

Empire can capture webcam data on Windows and macOS systems.[2]

Enterprise T1102 Web Service

Empire can use Dropbox and GitHub for C2.[2]

Enterprise T1047 Windows Management Instrumentation

Empire can use WMI to deliver a payload to a remote host.[2]

Groups That Use This Software

ID Name References
G0052 CopyKittens [5]
G0051 FIN10 [6]
G0073 APT19 [1]
G0064 APT33 [7][8]
G0010 Turla [9]
G0090 WIRTE [10]

References