Basic Concepts
Understanding the core components and concepts of PowerShell-Empire is pivotal for effective utilization. This section sheds light on these foundational elements, providing a technical breakdown to equip CTE operators with knowledge to effectively navigate the framework.
Agentsβ
Agents are the heart of PowerShell-Empire. They represent compromised systems and serve as the primary interface between the operator and the target.
- Architecture: Agents are primarily PowerShell scripts that, once executed on a target system, establish a communication channel back to the Empire server.
- Beaconing: Agents regularly "beacon" or check-in with the Empire server to receive tasks and send results. The frequency and method of this beaconing can be configured to evade detection.
- Tasking: When an operator issues a command to an agent, it's queued as a "task". The agent retrieves this task during its next beacon, executes it, and returns the result.
Listenersβ
Listeners wait for incoming connections from agents. They define how agents will communicate back to the Empire server.
- Types: There are multiple types of listeners in Empire, including HTTP, HTTPS, and more, each with its configuration settings.
- Staging: Listeners also handle "staging", which is the initial delivery and execution of the agent code on the target system.
Stagersβ
Stagers are payloads that deliver agents to target systems. They serve as the initial foothold.
- Variety: Empire offers a range of stagers like executable binaries, PowerShell scripts, MS Office macros, and more.
- Obfuscation: To bypass security solutions, stagers can be obfuscated. Empire provides various techniques, from simple base64 encoding to more complex methods, to mask the true nature of the stager.
Modulesβ
Modules in Empire provide specific functionalities, from reconnaissance to lateral movement to privilege escalation.
- Types: Modules are categorized based on their purpose. Common categories include:
- Reconnaissance: Gather information about the compromised system or network.
- Lateral Movement: Spread to other systems within the network.
- Privilege Escalation: Elevate privileges on the compromised system.
- Persistence: Ensure continued access to the compromised system.
- Collection: Extract valuable data from the target.
- Credential Access: Attempt to extract credentials from the target.
- Execution: Once an agent is active on a target, modules can be executed through that agent, allowing the operator to perform a myriad of tasks on the compromised system.