Empire

Empire is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]

ID: S0363
Associated Software: EmPyre, PowerShell Empire
Type: TOOL
Platforms: Linux, macOS, Windows
Version: 1.1
Created: 11 March 2019
Last Modified: 30 March 2020

Associated Software Descriptions

Name Description
EmPyre [2]
PowerShell Empire [2]

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Access Control

Empire includes various modules to attempt to bypass UAC for escalation of privileges.[2]

Enterprise T1134 Access Token Manipulation

Empire can use PowerSploit's Invoke-TokenManipulation to manipulate access tokens.[2]

.002 Create Process with Token

Empire can use Invoke-RunAs to make tokens.[2]

.005 SID-History Injection

Empire can add a SID-History to a user if on a domain controller.[2]

Enterprise T1087 .002 Account Discovery: Domain Account

Empire can acquire local and domain user account information.[2]

.001 Account Discovery: Local Account

Empire can acquire local and domain user account information.[2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Empire can conduct command and control over protocols like HTTP and HTTPS.[2]

Enterprise T1560 Archive Collected Data

Empire can ZIP directories on the target system.[2]

Enterprise T1547 .005 Boot or Logon Autostart Execution: Security Support Provider

Empire can enumerate Security Support Providers (SSPs) as well as utilize PowerSploit's Install-SSP and Invoke-Mimikatz to install malicious SSPs and log authentication events.[2]

.009 Boot or Logon Autostart Execution: Shortcut Modification

Empire can persist by modifying a .LNK file to include a backdoor.[2]

.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Empire can modify the registry run keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[2]

Enterprise T1217 Browser Bookmark Discovery

Empire has the ability to gather browser data such as bookmarks and visited sites.[2]

Enterprise T1115 Clipboard Data

Empire can harvest clipboard data on both Windows and macOS systems.[2]

Enterprise T1059 Command and Scripting Interpreter

Empire uses a command-line interface to interact with systems.[2]

.003 Windows Command Shell

Empire has modules for executing scripts.[2]

.001 PowerShell

Empire leverages PowerShell for the majority of its client-side agent tasks. Empire also contains the ability to conduct PowerShell remoting with the Invoke-PSRemoting module.[2][1]

Enterprise T1136 .001 Create Account: Local Account

Empire has a module for creating a local user if permissions allow.[2]

.002 Create Account: Domain Account

Empire has a module for creating a new domain user if permissions allow.[2]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Empire can utilize built-in modules to modify service binaries and restore them to their original state.[2]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Empire can use modules that extract passwords from common web browsers such as Firefox and Chrome.[2]

Enterprise T1482 Domain Trust Discovery

Empire has modules for enumerating domain trusts.[2]

Enterprise T1114 .001 Email Collection: Local Email Collection

Empire has the ability to collect emails on a target system.[2]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Empire can use TLS to encrypt its C2 channel.[2]

Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

Empire can leverage WMI debugging to remotely replace binaries like sethc.exe, Utilman.exe, and Magnify.exe with cmd.exe.[2]

Enterprise T1041 Exfiltration Over C2 Channel

Empire can send data gathered from a target through the command and control channel.[2]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Empire can use Dropbox for data exfiltration.[2]

.001 Exfiltration Over Web Service: Exfiltration to Code Repository

Empire can use GitHub for data exfiltration.[2]

Enterprise T1068 Exploitation for Privilege Escalation

Empire can exploit vulnerabilities such as MS16-032 and MS16-135.[2]

Enterprise T1210 Exploitation of Remote Services

Empire has a limited number of built-in modules for exploiting remote SMB, JBoss, and Jenkins servers.[2]

Enterprise T1083 File and Directory Discovery

Empire includes various modules for finding files of interest on hosts and network shares.[2]

Enterprise T1484 Group Policy Modification

Empire can use New-GPOImmediateTask to modify a GPO that will install and execute a malicious Scheduled Task/Job.[2]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Empire contains modules that can discover and exploit various DLL hijacking opportunities.[2]

.007 Hijack Execution Flow: Path Interception by PATH Environment Variable

Empire contains modules that can discover and exploit path interception opportunities in the PATH environment variable.[2]

.008 Hijack Execution Flow: Path Interception by Search Order Hijacking

Empire contains modules that can discover and exploit search order hijacking vulnerabilities.[2]

.009 Hijack Execution Flow: Path Interception by Unquoted Path

Empire contains modules that can discover and exploit unquoted path vulnerabilities.[2]

Enterprise T1070 .006 Indicator Removal on Host: Timestomp

Empire can timestomp any files or payloads placed on a target machine to help them blend in.[2]

Enterprise T1105 Ingress Tool Transfer

Empire can upload and download to and from a victim machine.[2]

Enterprise T1056 .001 Input Capture: Keylogging

Empire includes keylogging capabilities for Windows, Linux, and macOS systems.[2]

.004 Input Capture: Credential API Hooking

Empire contains some modules that leverage API hooking to carry out tasks, such as netripper.[2]

Enterprise T1557 .001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Empire can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.[2][4]

Enterprise T1106 Native API

Empire contains a variety of enumeration modules that have an option to use API calls to carry out tasks.[2]

Enterprise T1046 Network Service Scanning

Empire can perform port scans from an infected host.[2]

Enterprise T1135 Network Share Discovery

Empire can find shared drives on the local system.[2]

Enterprise T1040 Network Sniffing

Empire can be used to conduct packet captures on target hosts.[2]

Enterprise T1027 Obfuscated Files or Information

Empire has the ability to obfuscate commands using Invoke-Obfuscation.[2]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Empire contains an implementation of Mimikatz to gather credentials from memory.[2]

Enterprise T1057 Process Discovery

Empire can find information about processes running on local and remote systems.[2]

Enterprise T1055 Process Injection

Empire contains multiple modules for injecting into processes, such as Invoke-PSInject.[2]

Enterprise T1021 .003 Remote Services: Distributed Component Object Model

Empire can utilize Invoke-DCOM to leverage remote COM execution for lateral movement.[2]

.004 Remote Services: SSH

Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection.[2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Empire has modules to interact with the Windows task scheduler.[2]

Enterprise T1113 Screen Capture

Empire is capable of capturing screenshots on Windows and macOS systems.[2]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Empire can enumerate antivirus software on the target.[2]

Enterprise T1558 .001 Steal or Forge Kerberos Tickets: Golden Ticket

Empire can leverage its implementation of Mimikatz to obtain and use golden tickets.[2]

.003 Steal or Forge Kerberos Tickets: Kerberoasting

Empire uses PowerSploit's Invoke-Kerberoast to request service tickets and return crackable ticket hashes.[2]

.002 Steal or Forge Kerberos Tickets: Silver Ticket

Empire can leverage its implementation of Mimikatz to obtain and use silver tickets.[2]

Enterprise T1082 System Information Discovery

Empire can enumerate host system information like OS, architecture, applied patches, and more.[2]

Enterprise T1016 System Network Configuration Discovery

Empire can acquire network configuration information like DNS servers and network proxies used by a host.[2]

Enterprise T1049 System Network Connections Discovery

Empire can enumerate the current network connections of a host.[2]

Enterprise T1569 .002 System Services: Service Execution

Empire can use PsExec to execute a payload on a remote host.[2]

Enterprise T1127 .001 Trusted Developer Utilities Proxy Execution: MSBuild

Empire can use built-in modules to abuse trusted utilities like MSBuild.exe.[2]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Empire can use various modules to search for files containing passwords.[2]

.004 Unsecured Credentials: Private Keys

Empire can use modules like Invoke-SessionGopher to extract private key and session information.[2]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Empire can perform pass the hash attacks.[2]

Enterprise T1125 Video Capture

Empire can capture webcam data on Windows and macOS systems.[2]

Enterprise T1102 .002 Web Service: Bidirectional Communication

Empire can use Dropbox and GitHub for C2.[2]

Enterprise T1047 Windows Management Instrumentation

Empire can use WMI to deliver a payload to a remote host.[2]

Groups That Use This Software

ID Name References
G0052 CopyKittens

[5]

G0051 FIN10

[6]

G0073 APT19

[1]

G0064 APT33

[7][8]

G0010 Turla

[9]

G0090 WIRTE

[10]

G0091 Silence

[11]

G0101 Frankenstein

[12]

G0102 Wizard Spider

[13]

G0069 MuddyWater

[14]

References