Keep up-to-date on our blog at https://www.bc-security.org/blog
Check out the Empire GUI: Starkiller
Empire 3.1 is a post-exploitation framework that includes a pure-PowerShell 2.0 Windows agent, and compatibility with Python 3.x Linux/OS X agents. It is the merger of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and flexible architecture.
On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. PowerShell Empire premiered at BSidesLV in 2015 and Python EmPyre premiered at HackMiami 2016. BC-Security presented updates to further evade Microsoft Antimalware Scan Interface (AMSI) and JA3/S signatures at DEF CON 27.
Empire relies heavily on the work from several other projects for its underlying functionality. We have tried to call out a few of those people we've interacted with heavily here and have included author/reference link information in the source of each Empire module as appropriate. If we have failed to properly cite existing or prior work, please let us know at Empire@BC-Security.org.
Empire is developed by @harmj0y, @sixdub, @enigma0x3, @rvrsh3ll, @killswitch_gui, @xorrior, and @bcsecurity1. While the main fork for Empire is no longer maintained, this fork is maintained by BC-Security and will continue to receive updates.
In Empire 3.1, we will no longer be actively supporting the Python 2.7 base code. If you wish to continue to leverage Python 2.7 then please use the 3.0.x Releases, since they were built to ensure backward compatibility.
One of the most significant updates in 3.1 is the addition of Multi-User Collaboration to the API. This update adds the ability of users to interact with Empire in an entirely new way. Previously, API users would share a single login and be unable to track individual taskings. This has been completely reworked to allow User Management through the API. This feature is essential for integration with Starkiller.
Next, we have added Function Name Aliasing, which automates the ability to randomize function names inside of Empire. This proof of concept is a huge step forward in evasion since it tests the ability to mask individual functions inside of Empire. Function name aliasing is currently only built for Invoke-Empire and Invoke-Mimikatz currently, but we will be expanding this functionality in the future.
Please see our Releases or Changelog page for detailed release notes.
As of Empire 3.1.0, Empire only officially supports Python 3. If you still need Python 2 support, please use the 3.0.x branch or releases. Also consider using our Prebuilt Docker containers which use Python 3.
Note: Run ./setup/reset.sh
before starting Empire 3.1 for the first time.
You can install the latest version of Empire by running the following:
apt install powershell-empire
To install and run:
git clone https://github.com/BC-SECURITY/Empire.git
cd Empire
sudo ./setup/install.sh
If you want to run Empire using a pre-built docker container:
docker pull bcsecurity/empire:{version}
docker run -it bcsecurity/empire:{version}
# with persistent storage
docker pull bcsecurity/empire:{version}
docker create -v /empire --name data bcsecurity/empire:{version}
docker run -it --volumes-from data bcsecurity/empire:{version}
# if you prefer to be dropped into bash instead of directly into empire
docker run -it --volumes-from data bcsecurity/empire:{version} /bin/bash
All image versions can be found at: https://hub.docker.com/r/bcsecurity/empire/
- The last commit from master will be deployed to the
latest
tag - The last commit from the dev branch will be deployed to the
dev
tag - All github tagged releases will be deployed using their version numbers (v3.0.0, v3.1.0, etc)
Check out the Empire wiki for instructions on getting started with Empire.
- Invoke-SocksProxy
- Python 2.7 launchers calling back to Python 3.x
- DNS over HTTPS launcher
- Header randomization
- Integration with RedELK
Contributions are more than welcome! The more people who contribute to the project the better Empire will be for everyone. Below are a few guidelines for submitting contributions.
- As of Empire 3.1.0, Empire only officially supports Python 3. If you still need Python 2 support, please use the 3.0.x branch or releases.
- Submit pull requests to the dev branch. After testing, changes will be merged to master.
- Depending on what you're working on, base your module on ./lib/modules/powershell_template.py or ./lib/modules/python_template.py. Note that for some modules you may need to massage the output to get it into a nicely displayable text format with Out-String.
- Cite previous work in the 'Comments' module section.
- If your script.ps1 logic is large, may be reused by multiple modules, or is updated often, consider implementing the logic in the appropriate data/module_source/* directory and pulling the script contents into the module on tasking.
- Use approved PowerShell verbs for any functions.
- PowerShell Version 2 compatibility is STRONGLY preferred.
- TEST YOUR MODULE! Be sure to run it from an Empire agent and test Python 3.x functionality before submitting a pull to ensure everything is working correctly.
- For additional guidelines for your PowerShell code itself, check out the PowerSploit style guide.