May 19, 2020

Command and Control with PowerShell Empire - Part 2

In the last post of this series, we discussed the basic principles of command and control (C2) channels and traffic. Hopefully it served as a decent primer for today’s topic – PowerShell Empire. If you missed the last post or need a refresher on command and control basics, you can check out part one here: Command and Control with PowerShell Empire.

It’ll probably also be helpful to have an instance up Empire up and running to follow along and try things out yourself. You can grab it off of GitHub here: https://github.com/EmpireProject/Empire.

PowerShell Empire

Empire is a PowerShell based post exploitation framework that supports various methods of command and control as well as a host of external modules to perform tasks on compromised hosts. There are a lot of these types of frameworks out there. We chose to focus on Empire because it’s open sourced, widely adopted, and we use it ourselves a fair bit. It’s also developed and maintained by an incredibly talented group of people including: @harmjoy, @sixdub, @enigma0x3, @rvrsh3ll, @xorrior etc.

There are four main pieces of Empire that work together to bring you all the functionality the framework has to offer that we’ll be going over:

  • Listeners
  • Launchers/Stagers
  • Agents
  • Modules

The first three work in tandem to establish the command and control channel. Modules are used after the C2 channel has been established to perform post exploitation tasks.

Listeners

A listener is a process that runs on your attacking server which “listens” for incoming connections from compromised hosts. There are a number of listener types, but probably the most popular of them is the HTTP listener. Using an HTTP listeners specifies to Empire that the C2 traffic will be established and managed using the HTTP protocol. Empire has a default profile which defines specifically how the communication will happen. Unfortunately, a lot of defensive tools are going to catch the default Empire HTTP traffic. You can define your own profile for a listener to change the behavior and increase the chances of your C2 traffic going undetected, but that’s a bit out of the scope of this blog post. To start up your Empire HTTP listener you need to do a few things: use the appropriate listener, set mandatory options, and execute.

Most of the default options will already be set, but there are a few especially important options to take note of.

  • Name: The name of the listener, this will be reference in other modules/settings.
  • Host: The IP or hostname of your Empire server. This is probably the most important option and needs to be set appropriately to receive any C2 traffic from your compromised hosts.
  • Port: The port which your Empire server will listen on.
  • Launcher: The command which will establish agents on your compromised hosts and connect to your listener. We’ll cover these shortly, so the default is fine for now.

You can see all the options by typing “info”.

                   

The standard HTTP listener options.
                                                                                                                                                       The standard HTTP listener options.                                

         

After setting all the options we need, you can finally execute the listener with the “execute” command.

Launchers and Stagers

Launchers and stagers, while technically two different parts of the Empire framework, serve the same purpose: downloading and executing the agent on the compromised host.

Empire comes with two different options for launchers: PowerShell and Python. Both types of launchers execute encoded commands which will reach out to the Empire server to download and then launch the agent. Choosing the right launcher depends on your compromised host, and whether it’s likely to have either PowerShell or Python installed. It’s likely PowerShell will be available on most Windows targets, so the PowerShell launcher is usually a safe bet. To use a launcher for a listener you’ve configured, you can run the following from the listeners menu:

launcher powershell http

This will specify to output a PowerShell launcher for the “http” listener and look like this:

                   

The default PowerShell launcher for an HTTP listener.
                                                                                                                                             The default PowerShell launcher for an HTTP listener.                                

         

The launcher starts a PowerShell process and executes a big blob of encoded commands. Stagers are slightly different in that they are dedicated payloads that must be run on the compromised host in order to establish an agent. Otherwise, they are nearly identical. Most of the time a stager is simply a file that will run the same PowerShell/Python launcher via a VBA Macro, .bat file, or other supported method. Since they are so similar in nature to launchers we won’t go into too much detail on them here, but to show a quick example the options for a macro stager look like this:  

                   

A Windows Macro stager options. By default the output file is written to “/tmp/macro”.
                                                                                                                                         A Windows Macro stager options. By default the output file is written to “/tmp/macro”.                                

         

Agents

You now have everything you need to establish an agent on a compromised host! After the agent is established, you’ll have a fully functional command and control channel that you can use to further compromise the network.

                   

Establishing C2 communication with a listener, launcher / stager, and agent.
                                                                Establishing C2 communication with a listener, launcher / stager, and agent.                                

         

Agents are the processes which run on compromised hosts and perform actions on those hosts and the network. It will periodically check in with your Empire server to see if there are any commands available, and if so run them and return the output. You can perform some basic functionality with the vanilla Empire agent including: running shell commands, injecting shellcode, and gather metadata about your agent and compromised host. To see all the built-in agent commands, you can simply type “help”.

                   

A subset of the Empire agent commands.
A subset of the Empire agent commands.                                

         

Up Next…

Now that you have a basic understanding of C2 principles and the PowerShell Empire pieces required to establish a C2 channel, you can start to fully leverage Empire for post-exploitation tasks. Network enumeration/situational awareness, privilege escalation, credential gathering, and lateral movement are all accomplished via Empire modules. In the next post we’ll cover a number of these modules in detail and explain how to use them to further compromise a network.

UP NEXT

How Accenture Keeps Cyber Security Teams Trained on the Latest Threats

read NOW