It’s been almost two weeks since the release of Empire 1.1, but it’s already time for version 1.2! Here are the recent modifications:
- Components of agent.ps1’s core shell functionality were streamlined and ported to WMI equivalents. We wanted to avoid spawning native binaries (tasklist.exe, net.exe, ipconfig.exe and friends) as much as possible in case command-line auditing is enabled on the target, and took the chance to clean up the agent core a bit. help agentcmds in an agent menu will show the “opsec-safe” aliases we have implemented, and shell <CMD> will still run a command the normal way, with the process-creation telemetry that implies.
- Minor UI/misc. tweaks: list [agents/listeners] <modifier> should now be a universal option on all menus, run is now an alias for execute on modules, and credentials collected by collection/prompt are automatically scraped and added to the backend credential model.
- International support! We had several inquiries about Empire agents failing to process taskings on non-English/non-US systems. This was finally traced to issues with the epoch sync used for anti-replay and some Unicode handling. We have limited systems to test this on, so if any users have lingering issues along these lines, let us know.
- Andrew Bonstrom (@ch33kyf3ll0w) submitted a .war stager, useful for Tomcat/JBoss/etc.
- Lots of new modules, now over 100!
- collection/netripper implements a PowerShell port of NetRipper that we built for Empire integration. NetRipper is a tool released by Ionut Popescu at Defcon that, “uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption“. One warning: the decrypted traffic (which may include credentials and session data) is logged to a plaintext file on disk on the target, so make sure you’re aware of this behavior and plan to clean up the file.
- collection/packet_capture uses netsh to start a packet capture on a Windows target without any additional dependencies or tools.
- collection/inveigh implements Kevin Robertson’s Inveigh.ps1 PowerShell script, which performs “LLMNR/NBNS spoofing with challenge/response capture over HTTP/SMB”.
- management/zipfolder allows you to zip up a specified folder without dropping any additional tools to disk, useful for exfiltration testing.
- The credentials/mimikatz/dcsync module allows you to extract the hashes of domain accounts without code execution on a domain controller by abusing the MS-DRSR protocol used for AD replication. It needs an account that holds replication rights on the domain (Replicating Directory Changes and Replicating Directory Changes All), which by default means Domain Admins, Enterprise Admins, Administrators and the domain controller accounts themselves, and each request is recorded on the DC as a 4662 directory service access event if that auditing is on. Empire now also parses the dcsync output, throwing any extracted credentials into the backend credential model for later reuse.
- Also, with the updated Mimikatz .dll in Invoke-Mimikatz, the sids argument has been added to the credentials/mimikatz/golden_ticket module. This lets you specify extra SIDs for the ticket’s SID history, for example the forest root’s Enterprise Admins SID on a ticket forged in a child domain, so you can jump up the trust path to the forest root. (SID filtering, on by default across external and forest trusts, stops the same trick between forests.) There’s a demo video here showing this through Empire.
- privesc/bypassuac_wscript implements a PowerShell port of Vozzie’s uacscript .vbs PoC, an interesting UAC bypass for Windows 7. By abusing how Windows 7 handles manifests, we can trick a copy of wscript.exe into executing code in a high-integrity context.
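As an added example of the “opsec-safe” idea behind the agent changes above (this is illustrative code written for this post, not Empire’s agent.ps1), here are WMI-backed replacements for three shell commands that would otherwise spawn tasklist.exe, net.exe and ipconfig.exe. It assumes PowerShell 2.0 or later with the WMI cmdlets, as on the Windows 7 targets of the era:

```powershell
# Added example (not Empire's agent.ps1): WMI-backed replacements for a few
# common shell commands. No child process is created, so process-creation
# auditing (Security 4688, Sysmon event 1) has no tasklist.exe / net.exe /
# ipconfig.exe command line to record.
# Assumption: PowerShell 2.0+ with the WMI cmdlets (Get-WmiObject).

function Get-ProcessListWmi {
    # Replacement for "tasklist /v": PID, name, owner and full command line.
    Get-WmiObject -Class Win32_Process | ForEach-Object {
        $owner = $null
        try {
            $o = $_.GetOwner()
            if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
        } catch {}   # system processes deny GetOwner(); leave owner empty
        New-Object PSObject -Property @{
            PID         = $_.ProcessId
            Name        = $_.Name
            Owner       = $owner
            CommandLine = $_.CommandLine
        }
    } | Select-Object PID, Name, Owner, CommandLine
}

function Get-LocalUsersWmi {
    # Replacement for "net user": local accounts only, with disabled/locked state.
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" |
        Select-Object Name, SID, Disabled, Lockout, PasswordRequired
}

function Get-IpConfigWmi {
    # Replacement for "ipconfig /all": only adapters that actually have an IP.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled='True'" |
        Select-Object Description, MACAddress,
            @{Name='IPAddress';  Expression={ $_.IPAddress -join ', ' }},
            @{Name='Gateway';    Expression={ $_.DefaultIPGateway -join ', ' }},
            @{Name='DNSServers'; Expression={ $_.DNSServerSearchOrder -join ', ' }}
}

# Usage, with the native binary each call avoids:
Get-ProcessListWmi | Format-Table -AutoSize   # instead of: shell tasklist /v
Get-LocalUsersWmi  | Format-Table -AutoSize   # instead of: shell net user
Get-IpConfigWmi    | Format-List              # instead of: shell ipconfig /all
```

“Opsec-safe” here is relative: the queries avoid a new process and its command line, but WMI activity has its own operational log (Microsoft-Windows-WMI-Activity) and the PowerShell host running the agent is still a visible process.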
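The collection/packet_capture and management/zipfolder modules above share one idea: use what ships with Windows instead of dropping a tool. The following is an added example of that approach, written for this post rather than taken from either module. It assumes an elevated PowerShell session (netsh trace requires administrator rights), .NET 4.5 or later for System.IO.Compression.FileSystem, and a target address of 10.0.0.5 as a constructed filter value:

```powershell
# Added example (not Empire's packet_capture or zipfolder modules): capture
# with the built-in netsh trace provider, then zip the capture directory with
# the .NET ZipFile class. Nothing beyond what ships with Windows is used.
# Assumptions: elevated session; .NET 4.5+; 10.0.0.5 is a made-up host filter.

$CaptureDir = Join-Path $env:TEMP 'cap'
$TraceFile  = Join-Path $CaptureDir 'trace.etl'
$ZipPath    = Join-Path $env:TEMP 'cap.zip'
New-Item -ItemType Directory -Path $CaptureDir -Force | Out-Null

# Start the capture. maxsize is in MB; overwrite=yes avoids a failure on reruns.
# The IPv4.Address filter keeps the .etl small by capturing one host's traffic only;
# drop it to capture everything.
netsh trace start capture=yes tracefile="$TraceFile" maxsize=100 overwrite=yes `
    IPv4.Address=10.0.0.5

Start-Sleep -Seconds 60      # collect for a minute; adjust to the engagement

# Stop the capture; netsh finishes writing the .etl (and a .cab of system info)
# before returning, which can take a little while.
netsh trace stop

# Zip the folder in place. ZipFile takes a directory, so no zip.exe/7z.exe drop.
Add-Type -AssemblyName System.IO.Compression.FileSystem
if (Test-Path $ZipPath) { Remove-Item $ZipPath -Force }
[System.IO.Compression.ZipFile]::CreateFromDirectory(
    $CaptureDir,
    $ZipPath,
    [System.IO.Compression.CompressionLevel]::Optimal,
    $false)   # $false: entry paths are relative to $CaptureDir, not prefixed with its name

Get-Item $ZipPath | Select-Object FullName, Length
```

Two caveats a practitioner will hit: the output is an .etl trace, not a pcap, so it has to be converted off-box (Microsoft’s etl2pcapng does this) before Wireshark will read it; and both the trace and the zip are left on the target’s disk, so note them for cleanup.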
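For the defensive side of the dcsync module above, here is an added example (not part of Empire) of the check a blue team would run: pick out 4662 events on a domain controller whose Properties field names one of the replication extended rights, and ignore the accounts that are expected to replicate. The sample events are constructed for the example; the three GUIDs are the real extended-rights GUIDs from the AD schema, and the DC01$/DC02$/MSOL_aadsync names in the allowlist are assumed values to be replaced with the environment’s own. It assumes “Audit Directory Service Access” (success) is enabled on the DCs:

```powershell
# Added example, not Empire code: flag DCSync-style replication in the DC's
# Security log. A replication request appears as event 4662 whose Properties
# field carries one of the replication control-access GUIDs below.
# Assumption: directory service access auditing is on; sample events are constructed.

$ReplicationGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Accounts expected to replicate: DC computer accounts and known sync services.
# Assumed names; adjust to the environment. Anything else deserves a look.
$AllowedSubjects = @('DC01$', 'DC02$', 'MSOL_aadsync')

function Test-DcSyncEvent {
    param([string]$EventXml)
    $ev = [xml]$EventXml
    if ([int]$ev.Event.System.EventID -ne 4662) { return $null }

    # Flatten <Data Name="...">value</Data> into a hashtable.
    $data = @{}
    foreach ($d in $ev.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $hits = $ReplicationGuids.Keys | Where-Object { $data['Properties'] -match $_ }
    if (-not $hits) { return $null }                                   # ordinary object access
    if ($AllowedSubjects -contains $data['SubjectUserName']) { return $null }

    New-Object PSObject -Property @{
        Computer = $ev.Event.System.Computer
        Subject  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Rights   = ($hits | ForEach-Object { $ReplicationGuids[$_] }) -join ', '
    }
}

# Constructed sample events: a real DC replicating, a user account pulling
# both Get-Changes rights (what a dcsync looks like), and a plain attribute read.
$Samples = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4662</EventID><Computer>DC01.corp.local</Computer></System>
 <EventData>
  <Data Name="SubjectUserName">DC02$</Data><Data Name="SubjectDomainName">CORP</Data>
  <Data Name="AccessMask">0x100</Data>
  <Data Name="Properties">%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}</Data>
 </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4662</EventID><Computer>DC01.corp.local</Computer></System>
 <EventData>
  <Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
  <Data Name="AccessMask">0x100</Data>
  <Data Name="Properties">%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}</Data>
 </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4662</EventID><Computer>DC01.corp.local</Computer></System>
 <EventData>
  <Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
  <Data Name="AccessMask">0x10</Data>
  <Data Name="Properties">%%7685 {bf967a86-0de6-11d0-a285-00aa003049e2}</Data>
 </EventData>
</Event>
'@
)

$Samples | ForEach-Object { Test-DcSyncEvent $_ } | Format-Table Computer, Subject, Rights -AutoSize
```

Run against the samples, only the CORP\jdoe event with both Get-Changes rights is returned; the DC02$ replication is allowlisted and the attribute read carries no replication GUID. Against a live DC, feed it Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4662]]" and pipe each event’s ToXml() output through the same function.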
You can get the v1.2 code here, and as a reminder the Empire documentation is at www.PowerShellEmpire.com. We’re going to chill out on the dev spree to let these changes settle. If/when issues arise, hit us up with issues, pull requests, or in the #psempire channel on Freenode.