PowerShell Empire: A Comprehensive Guide

PowerShell Empire is a notorious Command and Control (C2) framework

hackers use in real-world cyber attacks. It has been used to target large
companies through phishing emails, public-facing IT system exploits, and
watering-hole attacks. It is also one of the most used open-source C2
frameworks by penetration testers and red teamers.

This guide will teach you how to use PowerShell Empire to perform privilege
escalation, install persistence mechanisms, and dump credentials. Along the
way, you will discover why this C2 framework is so popular in the security
community, its main components, and how to use them.

So put on your hacker hat, and let’s get started emulating adversaries in this
comprehensive guide to the PowerShell Empire framework!

What Is PowerShell Empire?

PowerShell Empire is an open-source post-exploitation framework

that penetration testers and red teams use to perform adversary
emulation. It is designed to aid users in performing the post-exploitation
phase of an attack, where they must maintain control over compromised
systems, perform lateral movement, elevate privileges, and exfiltrate data.

The framework focuses on targeting Windows environments using

the PowerShell scripting language to automate attacks and execute
malicious commands. PowerShell Empire has three main components:

 Empire Server - This is written in Python and comprises modules that

add different functionality.
  Empire Client - This comes built-in with PowerShell Empire and lets
you access the Empire Server remotely.

 GUI Client - This provides a graphical interface for accessing the

Empire Server that is called Starkiller.

To use PowerShell Empire, you execute a Stager on a target system.

This Stager is a small piece of code that communicates to the Empire Server
and generates an Agent, providing you remote access to the target system.
The Empire Client (or GUI Client) lets you connect to the Empire Server and
interact with this Agent through built-in commands or more complex
Empire Modules. You will see how to do this later.

You can run the Empire Server and Empire Client on the same machine as a
local process or run the Empire Server on a separate machine. In this guide,
both components are run on the same machine for simplicity.

What Are the Benefits of Using PowerShell Empire?

The use of agents, servers, and clients to control compromised systems is

often called a Command and Control (C2) framework. A hacker will use a C2
framework in the real world to perform cyber attacks.

PowerShell Empire is one of many C2 frameworks available. There are other

open-source ones like Slither and commercial ones like Cobalt Strike.
These are used in security to emulate adversaries during a penetration test
or red team engagement so defenders can better protect against them.

You can find a detailed breakdown and comparison of all the popular C2
frameworks in the C2 Matrix Project. This project aims to point you to the
best C2 framework to suit your testing needs.

Penetration testers and red teamers will often use a C2 framework over a
penetration testing framework, such as Metasploit, for several reasons:

 C2 frameworks are designed specifically for post-exploitation and come

with inbuilt tooling and lateral movement techniques that allow you to
do this.

 C2 frameworks are good at evading network detection. They have

inbuilt features that allow you to evade traditional security solutions
and remain undetected in a target network.
  C2 frameworks are heavily customizable. Many frameworks allow you
to create new agents, tune C2 profiles, and add new functionality that
can be used to mimic real-world threats.

 C2 frameworks often have reporting features that allow you to

document security weaknesses you found, the actions you performed,
and the impact of your attack.

 C2 frameworks are designed to securely handle and exfiltrate client

data using encryption.

This is not to say pentesting frameworks like Metasploit have no place.

Metasploit is an incredibly versatile tool that is excellent for performing
reconnaissance and exploitation against target systems. You can learn how
to use it in How to Use Metasploit in Kali Linux: A Step-By-Step
Tutorial.

Advantages of PowerShell Empire:

Strong integration with PowerShell allows it to automate post-exploitation

activities using Powershell scripts that are executed in memory, making it
harder to detect.

It is designed for the post-exploitation phase of an attack and has inbuil

tooling for privilege escalation, lateral movement, and data exfiltration

It has a modular architecture allowing you to extend the framework to suit

your needs.

It is backed by an active community that provides ongoing updates and new

features.

Disadvantage of PowerShell Empire:

It is Windows-centric and has limited functionality outside Windows

environments.

Modern security solutions that gather PowerShell logs (or block it entirely)
severely impact PowerShell Empire’s capabilities.

The framework has a learning curve for new users who need to understand
PowerShell scripting and how the framework functions.

Installation
Now you know what PowerShell Empire is and what it is used for, let’s see
how to use it. To start with PowerShell Empire, you first need to install it on
your machine. You can do this on Kali Linux by running:

sudo apt update && sudo apt upgrade

sudo apt install powershell-empire

Next, run the command sudo powershell-empire server to start the

PowerShell Empire Server.

In a new terminal window, run sudo powershell-empire client to connect to

the server using the Empire Client.
Listeners

PowerShell Empire Stagers connect to the Empire Server. They then create
an Agent which you interact with and use to control compromised systems.
To allow Stagers to connect to the server, you need to create a Listener for
them to connect back to. These Listeners will “listen” for a connection from
an Empire Stager and generate an Agent when a Stager connects.

To set up a Listener in PowerShell Empire, run the

command uselistener followed by the name of the Listener you want to use.
To get a list of all the possible Listeners you can use, run the
command uselistener and tab through the available options.
To use the http Listener, type uselistener http.

This will create a Listener on port number 80 of the Empire Server (your local
PC) and show you the all the options options being used. You can customize
this Listener by adjusting these options. For example, to change the name of
the Listener, run set Name MyListener and to change the network port
the Listener is listening on set Port 80. To save these options and start
the Listener, run the execute command.
You can then re-inspect the Listener’s options by running the
command options.

Execute the command back to return from the Listener’s interface. You can
then view all active Listeners on the Empire Server with the
command listeners.
Stagers

Now that your Listener is up and running, you need to create a Stager.
A Stager is a piece of code that executes a payload on the target machine,
which connects back to your Listener. This payload contains the functionality
needed to generate an Agent that lets you remotely control the
compromised system while initiating the Encrypted Key Exchange
protocol to protect the C2 communication.

PowerShell Empire includes several different types of Stagers:

 Malicious scripts (.bat, .hta, .vbs, etc.)

 Dynamic Link Libraries (DLLs)

 Executables (.exe)

 Shellcode

 Microsoft Office macros

 Cross-platform stagers for Linux and macOS

To create a Stager, run the command usestager followed by the name of

the Stager you want to create. To get a list of all the possible Stagers you
can use, run the command usestager and tab through the available options.
To use the windows_launcher_bat Stager, run the command usestager
windows_launcher_bat. This is a self-deleting Stager that uses a batch file to
inject shellcode into a running process and deletes the batch file once
complete - a good option for hiding your actions.
You can change the configuration of this Stager. To see what you can change,
run the command options, then use the set command followed by the option
you want to change. For example, to attach the Stager to the Listener you
previously created, run the command set Listener MyListener. Next,
obfuscate the PowerShell launcher code to evade network detection by
setting Obfuscate True. Finally, type execute to save the settings and
generate the Stager.
Agents

Your Listener and Stager are now created. The final step is to execute
the Stager you created on the target system. This will generate a
new Agent once it connects back to the Empire Server, which allows you to
control the target machine remotely.

First, transfer the Stager you created to the target machine. PowerShell
Empire will tell you where this Stager was written to when you ran
the execute command.
When you have transferred this Stager to your target machine, run it.
Back in PowerShell Empire, type agents to see a list of active Agents.

Here you see a new Agent has been created after your Stager connected
back. However, it has a complicated name (H97R1ZN8). To change
the Agent name, run the command rename H97R1ZN8 MyAgent and interact
with the Agent by running interact MyAgent.
Modules

To perform actions against the target machine, you need to use PowerShell
Empire’s Modules. Each Module performs a specific function, such as
collecting browser data, dumping passwords, exploiting local vulnerabilities,
establishing persistence, performing reconnaissance, and moving laterally.

PowerShell Empire has over 400 modules for you to use, written in
PowerShell, Python, and C#. Let’s take a look at some popular ones.

Privilege Escalation

This time, execute the Stager you created as Administrator to get

an Agent running with elevated privileges. Elevated Agents will have
an * next to them in PowerShell Empire when listed.

Now use the powershell_privesc_getsystem module by running the

command usemodule powershell_privesc_getsystem.
This module lets you elevate admin privileges to SYSTEM privileges, which
lets you dump credentials, steal Kerberos tokens, and perform lateral
movement. You need to set the Agent you want to execute this module
through using the command set Agent 7B3ZS8Y9. Then, type execute to run
the module. You must use the Agent’s ID to set it, not its name.

To see if the module was successful, type interact 7B3SZS8Y9

To learn more about privilege escalation, read How to Use Windows
Privilege Escalation: Elevate Your Skills.

Persistence

You can use an elevated PowerShell Empire Agent to install a persistence

mechanism that lets you maintain control of a target system after reboots or
disconnections. To do this, you can use
the powershell_persistence_elevated_schtasks module.
Now set the Agent to execute the module through with the command set
Agent 7B3ZS8Y6 and the Lisenter you want the persistence mechanism to
connect back to with set Listener MyListener. This should be a Listener you
have set up on your PowerShell Empire Server. Finally, run
the execute command.
This module creates a scheduled task on the target machine that runs daily
at 09:00 and is named “Updater.” To see if the module was successful, try
interacting with the Agent again.

Here you can see the module ran successfully. You can adjust the name of
the scheduled task, what time it is executed, and where it is hidden on the
system by editing the Module’s configuration options. This lets you better
obfuscate your persistence mechanism and evade network detection.

Dumping Credentials

Another post-exploitation activity an elevated Agent lets you do is dump

credentials. You can use these credentials to impersonate other users, access
sensitive files, and pivot around the target environment.

To dump credentials in PowerShell Empire, you can use

the powershell_credentials_invoke_ntlmextract module.
The only option to set for this module is the Agent with set Agent
9WPM8CGY, then type execute.

This module extracts the NTLM hashes of local user accounts stored in the
target system’s registry. You can crack these extracted password hashes to
reveal the plaintext passwords with a password cracking tools like Hydra, or
use them to perform lateral movement through the pass-the-hash attack.

To learn how to do these, read How to Use Hydra to Crack Passwords:

The Complete Guide and Pass the Hash Attacks: How to Make
Network Compromise Easy.

To see if the module was successful, try interacting with the Agent again.

The module was successful and shows the NTLM hashes of several users. You
can also see several Empire Agents that have disconnected and stopped
connecting back to the Listener. Disconnected Agents are shown in red.

You can dump other credentials, such as Kerberos tickets, access tokens,
browser data, and more, using PowerShell Empire Modules. Here are a few of
the other Modules you can take advantage of.
Module
Module Description Example Module
Category

Perform reconnaissance and csharp/SharpSploit.Enumeration/

Enumeration
information gathering. GetDomainUser

Used for situation awareness of a powershell/situational_awareness/h

Situation
target. hostrecon

Active Enumerate Active Directory python/situational_awareness/netw

Directory environments. active_directory/get_computers

Privilege Perform or scan for privilege

powershell/privesc/bypassuac
Escalation escalation.

Steal or impersonate credentials powershell/credentials/mimikatz/

Credentials
(e.g., hashes, tokens, tickets) extract_tickets

Persistence Maintain access to a system. powershell/persistence/userland/re

Lateral Execute commands or move to a powershell/lateral_movement/

Movement remote system. invoke_psexec

Code Execute custom code on a target powershell/code_execution/

execution system. invoke_dllinjection

Collect data from a system (e.g.,

Collection browser data, key loggers, powershell/collection/keylogger
screenshots, etc.).

Used to manage/administer the

Management powershell/management/restart
system.

Used to exploit a known local

Exploit vulnerability (e.g., ZeroLogon, powershell/privesc/zerologon
PrintNightmare, EternalBlue, etc.)
Conclusion

PowerShell Empire is a sophisticated post-exploitation framework that excels

at performing post-exploitation activities in Windows environments. You can
use it as a C2 framework during penetration tests, red team engagements,
and purple teaming exercises to dump credentials, install persistence,
and perform lateral movement.

You have learned about the three components that make up the PowerShell
Empire framework; the Empire Server, the Empire Client, and the Starkiller
GUI tool. You then saw how to use the framework by starting a Listener,
creating and executing a Stager, and performing post-exploitation activities
on a target machine through an Agent and PowerShell Empire’s Modules.