Empire 1.1

A few weeks ago, @sixdub and I released a project called Empire at BSides Las Vegas (slides and video), and the response has been very positive. For those unfamiliar, Empire is a pure PowerShell post-exploitation agent that aims to solve the PowerShell “weaponization problem” and train blue teamers on how to respond to PowerShell-based attacks. There’s an overview post here, the code is up on Github, and complete documentation is at www.PowerShellEmpire.com.

With the surge in interest, and @enigma0x3 joining the project, we’ve implemented several changes in the past two weeks since Empire’s release. We wanted to give a quick rundown on the changes in version 1.1.

  1. Jon Cave graciously stepped in within a few days and corrected a crypto mistake of ours, which could have resulted in an attacker deauthing clients from the server. In short, message authentication is important. Several other bugs were squashed as well.
  2. Agents can now be set to die after a certain number of failed checkins (with the DefaultLostLimit option, default of 60 missed checkins). This helps prevent agents from becoming completely orphaned. There are also now options to list and remove “stale” agents that have missed their checkin intervals, with agents> list stale and agents> remove stale, respectively.
  3. Casey Smith submitted an HTA (HyperText Application) stager module for phishing Internet Explorer users. You can access this with listeners> usestager hta.
  4. Several new modules were added:
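
As an added illustration of the message-authentication point in item 1 (example code written for this post's lesson, not Empire's own protocol code; the session key, envelope layout and counter check are assumptions), here is an agent-side check that refuses control messages, such as an "exit" instruction, unless they carry a valid HMAC and a fresh counter:

```python
import hmac
import hashlib
import json
import secrets
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 output size

# Constructed for the example: a per-agent shared session key
# (how the real agent derives its key is not shown here).
SESSION_KEY = secrets.token_bytes(32)


def build_envelope(key: bytes, session_id: str, counter: int, command: dict) -> bytes:
    """Serialise a control message and append an HMAC-SHA256 tag over the whole body."""
    body = json.dumps({"id": session_id, "ctr": counter, "cmd": command},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify_envelope(key: bytes, blob: bytes, last_counter: int) -> Optional[dict]:
    """Return the decoded command only if the tag verifies and the counter moved forward.

    Anything else (missing tag, tampered body, wrong key, replayed counter) is
    dropped before the agent acts on it, so a forged message cannot kill the agent.
    """
    if len(blob) <= TAG_LEN:
        return None                              # too short to carry a tag
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    msg = json.loads(body)
    if msg["ctr"] <= last_counter:               # replay of an older message
        return None
    return msg


def demo() -> dict:
    """Run the genuine / tampered / replayed cases and report which were accepted."""
    blob = build_envelope(SESSION_KEY, "AGENT1", 5, {"type": "exit"})
    tampered = bytearray(blob)
    tampered[0] ^= 0x01                          # flip one bit in the body
    return {
        "genuine": verify_envelope(SESSION_KEY, blob, 4) is not None,
        "tampered": verify_envelope(SESSION_KEY, bytes(tampered), 4) is not None,
        "wrong_key": verify_envelope(secrets.token_bytes(32), blob, 4) is not None,
        "replayed": verify_envelope(SESSION_KEY, blob, 5) is not None,
    }
```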

If anyone has any questions, issues, or pull requests, hit us up on Github or in the #psempire channel in Freenode.
