Skip to main content

Basic Concepts


Understanding the core components and concepts of PowerShell-Empire is pivotal for effective utilization. This section sheds light on these foundational elements, providing a technical breakdown to equip CTE operators with knowledge to effectively navigate the framework.


Agents​

Agents are the heart of PowerShell-Empire. They represent compromised systems and serve as the primary interface between the operator and the target.

  • Architecture: Agents are primarily PowerShell scripts that, once executed on a target system, establish a communication channel back to the Empire server.
  • Beaconing: Agents regularly "beacon" or check-in with the Empire server to receive tasks and send results. The frequency and method of this beaconing can be configured to evade detection.
  • Tasking: When an operator issues a command to an agent, it's queued as a "task". The agent retrieves this task during its next beacon, executes it, and returns the result.

Listeners​

Listeners wait for incoming connections from agents. They define how agents will communicate back to the Empire server.

  • Types: There are multiple types of listeners in Empire, including HTTP, HTTPS, and more, each with its configuration settings.
  • Staging: Listeners also handle "staging", which is the initial delivery and execution of the agent code on the target system.

Stagers​

Stagers are payloads that deliver agents to target systems. They serve as the initial foothold.

  • Variety: Empire offers a range of stagers like executable binaries, PowerShell scripts, MS Office macros, and more.
  • Obfuscation: To bypass security solutions, stagers can be obfuscated. Empire provides various techniques, from simple base64 encoding to more complex methods, to mask the true nature of the stager.

Modules​

Modules in Empire provide specific functionalities, from reconnaissance to lateral movement to privilege escalation.

  • Types: Modules are categorized based on their purpose. Common categories include:
    • Reconnaissance: Gather information about the compromised system or network.
    • Lateral Movement: Spread to other systems within the network.
    • Privilege Escalation: Elevate privileges on the compromised system.
    • Persistence: Ensure continued access to the compromised system.
    • Collection: Extract valuable data from the target.
    • Credential Access: Attempt to extract credentials from the target.
  • Execution: Once an agent is active on a target, modules can be executed through that agent, allowing the operator to perform a myriad of tasks on the compromised system.