Empire, Meterpreter, and Offensive Half-life

A little over a week ago an interesting conversation started on security.stackexchange.com where someone asked about "Metasploit Meterpreter alternatives". In the ensuing discussion two projects I co-founded and worked on heavily (Veil-Evasion and Empire) were mentioned, so I wanted to throw my .02 into the conversation.

Empire was not designed as, nor is it intended to be, a "Meterpreter replacement". The project's goal was to weaponize the wealth of existing PowerShell tech out there to show that a pure-PowerShell-based agent was possible, and to serve as a teaching tool for network defenders to demonstrate the capability of these types of attack toolsets. We use a variety of agents on engagements (especially Cobalt Strike's Beacon), as all environments differ and some things that work in certain networks will fail in others. We like to have options, i.e. offense in depth.

I also want to echo some of what OJ stated in the thread (who, for those who are unaware, is one of the core Meterpreter devs). Open source offensive tech has the disadvantage of being public: its effective life span gradually shrinks the longer it remains in the open and defenders learn to write defenses for it. While Empire may currently work in a number of Windows environments, this curve will inevitably catch up to it as well, as some other people in the thread hinted.

One of our secondary goals with Empire was to provide an adaptable platform that allows for rapid development and modification of the agent in the field. By nature, this is going to be easier for most people with a smaller project like Empire and a scripting language like PowerShell, as opposed to a C/C++-based agent. For example (with regard to the "weak network-based C2" mentioned), Empire's staging URIs, user agent, and tasking URIs are easily changeable in the backend empire.db database. Use "sqlitebrowser ./data/empire.db" to modify any of these defaults, or modify the values in ./setup/setup_database.py.

That said, as time marches on and PowerShell-based defenses become more prevalent, these advantages may be negated and C agents (with modification of the source, as OJ mentioned) may become the best option in most environments. Regardless, hopefully Empire does prove useful for people, and we intend to continue active core and module development for the foreseeable future.
