Empire

Empire is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]

ID: S0363
Associated Software: EmPyre, PowerShell Empire

Type: TOOL
Platforms: Linux, macOS, Windows

Version: 1.0

Associated Software Descriptions

| Name | Description |
| --- | --- |
| EmPyre | [2] |
| PowerShell Empire | [2] |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1134 | Access Token Manipulation | Empire can use Invoke-RunAs to make tokens as well as PowerSploit's Invoke-TokenManipulation to manipulate access tokens.[2] |
| Enterprise | T1015 | Accessibility Features | Empire can leverage WMI debugging to remotely replace binaries like sethc.exe, Utilman.exe, and Magnify.exe with cmd.exe.[2] |
| Enterprise | T1087 | Account Discovery | Empire can acquire local and domain user account information.[2] |
| Enterprise | T1217 | Browser Bookmark Discovery | Empire has the ability to gather browser data such as bookmarks and visited sites.[2] |
| Enterprise | T1088 | Bypass User Account Control | Empire includes various modules to attempt to bypass UAC for escalation of privileges.[2] |
| Enterprise | T1115 | Clipboard Data | Empire can harvest clipboard data on both Windows and macOS systems.[2] |
| Enterprise | T1059 | Command-Line Interface | Empire uses a command-line interface to interact with systems.[2] |
| Enterprise | T1043 | Commonly Used Port | Empire can conduct command and control over commonly used ports like 80 and 443.[2] |
| Enterprise | T1136 | Create Account | Empire has a module for creating a new domain user or local user if permissions allow.[2] |
| Enterprise | T1003 | Credential Dumping | Empire contains an implementation of Mimikatz to gather credentials from memory.[2] |
| Enterprise | T1081 | Credentials in Files | Empire can use various modules to search for files containing passwords, including those associated with web browsers such as Firefox and Chrome.[2] |
| Enterprise | T1002 | Data Compressed | Empire can ZIP directories on the target system.[2] |
| Enterprise | T1175 | Distributed Component Object Model | Empire can utilize Invoke-DCOM to leverage remote COM execution for lateral movement.[2] |
| Enterprise | T1038 | DLL Search Order Hijacking | Empire contains modules that can discover and exploit various DLL hijacking opportunities.[2] |
| Enterprise | T1482 | Domain Trust Discovery | Empire has modules for enumerating domain trusts.[2] |
| Enterprise | T1114 | Email Collection | Empire has the ability to collect emails on a target system.[2] |
| Enterprise | T1106 | Execution through API | Empire contains a variety of enumeration modules that have an option to use API calls to carry out tasks.[2] |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | Empire can use Dropbox and GitHub for data exfiltration.[2] |
| Enterprise | T1041 | Exfiltration Over Command and Control Channel | Empire can send data gathered from a target through the command and control channel.[2] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Empire can exploit vulnerabilities such as MS16-032 and MS16-135.[2] |
| Enterprise | T1210 | Exploitation of Remote Services | Empire has a limited number of built-in modules for exploiting remote SMB, JBoss, and Jenkins servers.[2] |
| Enterprise | T1083 | File and Directory Discovery | Empire includes various modules for finding files of interest on hosts and network shares.[2] |
| Enterprise | T1484 | Group Policy Modification | Empire can use New-GPOImmediateTask to modify a GPO that will install and execute a malicious Scheduled Task.[2] |
| Enterprise | T1179 | Hooking | Empire contains some modules that leverage API hooking to carry out tasks, such as netripper.[2] |
| Enterprise | T1056 | Input Capture | Empire includes keylogging capabilities for Windows, Linux, and macOS systems.[2] |
| Enterprise | T1208 | Kerberoasting | Empire uses PowerSploit's Invoke-Kerberoast to request service tickets and return crackable ticket hashes.[2] |
| Enterprise | T1171 | LLMNR/NBT-NS Poisoning and Relay | Empire can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.[2][4] |
| Enterprise | T1031 | Modify Existing Service | Empire can utilize built-in modules to modify service binaries and restore them to their original state.[2] |
| Enterprise | T1046 | Network Service Scanning | Empire can perform port scans from an infected host.[2] |
| Enterprise | T1135 | Network Share Discovery | Empire can find shared drives on the local system.[2] |
| Enterprise | T1040 | Network Sniffing | Empire can be used to conduct packet captures on target hosts.[2] |
| Enterprise | T1027 | Obfuscated Files or Information | Empire has the ability to obfuscate commands using Invoke-Obfuscation.[2] |
| Enterprise | T1075 | Pass the Hash | Empire can perform pass the hash attacks.[2] |
| Enterprise | T1097 | Pass the Ticket | Empire can leverage its implementation of Mimikatz to obtain and use Silver and Golden Tickets.[2] |
| Enterprise | T1034 | Path Interception | Empire contains modules that can discover and exploit various path interception opportunities.[2] |
| Enterprise | T1086 | PowerShell | Empire leverages PowerShell for the majority of its client-side agent tasks. Empire also contains the ability to conduct PowerShell remoting with the Invoke-PSRemoting module.[2][1] |
| Enterprise | T1145 | Private Keys | Empire can use modules like Invoke-SessionGopher to extract private key and session information.[2] |
| Enterprise | T1057 | Process Discovery | Empire can find information about processes running on local and remote systems.[2] |
| Enterprise | T1055 | Process Injection | Empire contains multiple modules for injecting into processes, such as Invoke-PSInject.[2] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | Empire can modify the registry run keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[2] |
| Enterprise | T1105 | Remote File Copy | Empire can upload and download to and from a victim machine.[2] |
| Enterprise | T1021 | Remote Services | Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection.[2] |
| Enterprise | T1053 | Scheduled Task | Empire has modules to interact with the Windows task scheduler.[2] |
| Enterprise | T1113 | Screen Capture | Empire is capable of capturing screenshots on Windows and macOS systems.[2] |
| Enterprise | T1064 | Scripting | Empire has modules for executing scripts.[2] |
| Enterprise | T1063 | Security Software Discovery | Empire can enumerate antivirus software on the target.[2] |
| Enterprise | T1101 | Security Support Provider | Empire can enumerate Security Support Providers (SSPs) as well as utilize PowerSploit's Install-SSP and Invoke-Mimikatz to install malicious SSPs and log authentication events.[2] |
| Enterprise | T1035 | Service Execution | Empire can use PsExec to execute a payload on a remote host.[2] |
| Enterprise | T1023 | Shortcut Modification | Empire can persist by modifying a .LNK file to include a backdoor.[2] |
| Enterprise | T1178 | SID-History Injection | Empire can add a SID-History to a user if on a domain controller.[2] |
| Enterprise | T1071 | Standard Application Layer Protocol | Empire can conduct command and control over protocols like HTTP and HTTPS.[2] |
| Enterprise | T1032 | Standard Cryptographic Protocol | Empire can use TLS to encrypt its C2 channel.[2] |
| Enterprise | T1082 | System Information Discovery | Empire can enumerate host system information like OS, architecture, applied patches, and more.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | Empire can acquire network configuration information like DNS servers and network proxies used by a host.[2] |
| Enterprise | T1049 | System Network Connections Discovery | Empire can enumerate the current network connections of a host.[2] |
| Enterprise | T1099 | Timestomp | Empire can timestomp any files or payloads placed on a target machine to help them blend in.[2] |
| Enterprise | T1127 | Trusted Developer Utilities | Empire can use built-in modules to abuse trusted utilities like MSBuild.exe.[2] |
| Enterprise | T1125 | Video Capture | Empire can capture webcam data on Windows and macOS systems.[2] |
| Enterprise | T1102 | Web Service | Empire can use Dropbox and GitHub for C2.[2] |
| Enterprise | T1047 | Windows Management Instrumentation | Empire can use WMI to deliver a payload to a remote host.[2] |

Groups

Groups that use this software:

APT19
APT33
CopyKittens
FIN10
Turla

References