This presentation was given at DerbyCon 6 on 9/23/2016. It covers the fusion of the PowerShell Empire and Python EmPyre projects, as well as new Empire 2.0 transports.

1. A Year in the
_______ .___ ___. .______ __ .______ _______
| ____|| / | | _ | | | _ | ____|
| |__ | / | | |_) | | | | |_) | | |__
| __| | |/| | | ___/ | | | / | __|
| |____ | | | | | | | | | | ----.| |____
|_______||__| |__| | _| |__| | _| `._____||_______|

2. First Things First
✣ Empire would not be possible without the
help and phenomenal work from:
PowerSploit by @mattifestation, @obscuresec
and @JosephBialek
Posh-SecMod by @Carlos_Perez
UnmanagedPowerShell by @tifkin_
Mimikatz by @gentilkiwi and Vincent LE
TOUX
✣ Everyone who contributed modules, bugs,
fixes, and time! You all rock!

3. Co-founder of Empire/EmPyre | PowerTools |
Veil-Framework
PowerSploit/BloodHound developer
Microsoft PowerShell MVP
@harmj0y

4. Red teamer and Empire developer
UAC bypasser extraordinaire
Offensive PowerShell advocate
@enigma0x3

5. tl;dr
✣ Empire overview
✣ Empire 2.0
Motivations
New features
EmPyre integration
‘Modular’ listeners
✣ Demos

6. 1.
Empire Overview
Release and the Year Since

7. ✣ A full-featured PowerShell
post-exploitation agent
Released at BSides LV ‘15
✣ Core agent built in PowerShell
Module structure implements various
post-exploitation actions
✣ Controller built in Python
Backend sqlite database
UI focus
Teh Empire

8. ✣ Started as a thought exercise!
✣ Wanted to:
bring together all the existing offensive
PowerShell tech
build a flexible platform that’s easily
customizable in the field
train defenders on how to stop and
respond to PowerShell “attacks”
y u Build PowerShell
Botnet :(

9. y u Build PowerShell
Botnet :(

10. (the guy who invented PowerShell)

11. ✣ Nearly 400 commits
✣ 25+ contributors
✣ 150+ GitHub issues (most closed : )
✣ 100+ PRs
✣ Tons of new modules!
A Year of Development

12. #WatchDogs2

13. SkyWalker!
@zeroSteiner

14. A Meterpreter
Replacement?

15. Controller Client
2. return key negotiation stager.ps1 w/ shared AES staging
key
3. gen priv/pub keys, post ENCstaging(PUB) to /<stage1>
5. decrypt, post ENCsession(nonce+1 | sysinfo) to /<stage2>
6. return ENCsession(agent.ps1). Agent starts beaconing.
1. GET /<stage0>
4. return ENCpub(nonce+ AES session key)
Empire Staging/Crypto

16. Empire Process
Injection
*.exe
Invoke-PSInjector
ReflectivePick
.NET Assembly
Download Cradle

17. Still Just a Toy Language?

18. New Features Since
Release
✣ From 90 modules to 180!
Inveigh/Tater!
regsrv32!
MS16-032!
More TrollSploit!
KeeThief!
Lots of UAC bypasses!
Tons more!
✣ A RESTful API interface
✣ Autoruns, lost limits, and more.

19. Python EmPyre
✣ A Python Empire variant built for a
customer’s heavy OS X environment
Python 2.6/2.7 compatible agent
Works on Linux too!
✣ Controller/architecture HEAVILY
adopted from Empire
✣ Released publicly at HackMiami
Presented on at BSides LV ‘16

20. Empire Drawbacks
✣ We’ve never built a RAT before
Mistakes were made ¯_(ツ)_/¯
✣ Only comms methods were HTTP[S]
Modules were expandable, transports
weren’t
✣ Separate projects for Empire/EmPyre
Name/project confusion
Separate codebases ==

21. Empire 2.0

22. Motivations
Empire/EmPyre
Integration
Wanted one single
controller for our
Python Linux/OS
X agents and
PowerShell agents.
Modularize C2
Expandable
listeners that you
can drag/drop into
the framework for
additional
transports.
Code Rot
Fix our past
mistakes and build
a foundation for
the future viability
of the project.

23. Laying the
Foundation
✣ For future transports, agents may
need to be able figure out where to
route packets for other agents
✣ All Empire comms are not wrapped in
‘routing’ packets encrypted w/ the
staging key
✣ All individual agent comms still use
the negotiated agent key

24. New Routing/Metadata Packet:
+---------+-------------------+--------------------------+
| RC4 IV | RC4s(RoutingData) | AESc(client packet data) |
+---------+-------------------+--------------------------+
| 4 | 16 | RC4 length |
+---------+-------------------+--------------------------+
RC4s(RoutingData):
+-----------+------+------+-------+--------+
| SessionID | Lang | Meta | Extra | Length |
+-----------+------+------+-------+--------+
| 8 | 1 | 1 | 2 | 4 |
+-----------+------+------+-------+--------+
RC4s = RC4 w/ the shared
staging key
HMACs = SHA1 HMAC w/
shared staging
AESc = AES w/ client's
session key
HMACc = first 10 bytes of a
SHA256 HMAC using the
client's session key

25. AESc(client data)
+--------+-----------------+-------+
| AES IV | Enc Packet Data | HMACc |
+--------+-----------------+-------+
| 16 | % 16 bytes | 10 |
+--------+-----------------+-------+
Client data decrypted:
+------+--------+--------------------+----------+---------+-----------+
| Type | Length | total # of packets | packet # | task ID | task data |
+------+--------+--------------------+--------------------+-----------+
| 2 | 4 | 2 | 2 | 2 | <Length> |
+------+--------+--------------------+----------+---------+-----------+
RC4s = RC4 w/ the shared staging key
HMACs = SHA1 HMAC w/ shared staging
AESc = AES w/ client's session key
HMACc = first 10 bytes of a SHA256 HMAC
using the client's session key

26. Newz
✣ The HTTP listener has been redone
with Flask
✣ Epoch-syncing removed
✣ PowerShell:
Staging now uses HMAC and nonces
RC4 implemented for first stage
PowerShell obfuscation
@mattifestation’s AMSI bypass added to
the PowerShell stager

27. Newz
✣ Orphaned agent renegotiation
If agent shares a server staging key, but
isn’t in the cache, it will restage
✣ external/* modules
For things that don’t rely on an agent
external/generate_agent will generate a
“fully-staged” agent

28. New Modules:
Improved Kerberoast

29. New Modules:
BloodHound

30. New Modules:
eventvwr UAC Bypass

31. 3.
EmPyre Integration
PowerShell + Python Living
Together in Harm0ny ♫

33. EmPyre Integration
✣ EmPyre and Empire are now one code
base!
https://github.com/AdaptiveThreat/Empire
The EmPyre repo will be deprecated
Python/PowerShell agents can
communicate on the same listener/port!
✣ We also now have a 5 person “full-time”
dev team:
@harmj0y, @enigma0x3, @424f424f,
@xorrior, @tifkin_

35. Language-Aware Menus

36. interact AGENT
Drops you into the
language-appropri
ate agent menu
with the same
options you’re
used to for either
project.
Interface Integration
stagers/*
Now broken out
into OS-applicable
folders
(Windows/OS
X/Linux).
usemodule [tab]
Executed from an
agent, only
tab-completes
language-appropri
ate modules.

37. 4.
Modular C2
i lik turtles transports

38. Listener
Modularization
✣ Previously, listeners were hard
integrated into the code base, adding
transports was extremely difficult
✣ Now listeners are encapsulated in
self-contained modules
Allows you to drag/drop modules into the
framework!

39. Listener Modules
✣ At least two functions are required for a
listener module:
generate_comms() - generates the
communication functions patched for the
given listener
start() - starts the server component of the
listener
✣ Agents are responsible for language
support

40. Listener Modules
✣ If you want staging supported:
generate_launcher() - generates
PowerShell/Python launcher code
generate_stager() - generates the
key-negotiation code
generate_agent() - generates the complete
patched agent code

41. listeners/http
✣ The original HTTP[S] listener
But now redone with flask!
“Routing packet” is base64’ed and stuffed
into a new cookie value
✣ Generates Python and PowerShell
launchers, staging, and agent code
✣ You can easily modify the cookie
used/transforms on the data itself to
change up indicators!

42. listeners/http_com
✣ Utilizes Internet Explorer COM
objects to communicate instead of
Net.WebClient
Proxy-aware/etc.!
✣ Slightly different communication
structure (data is base64’ed, etc.)
Example of modifying basic C2 indicators

43. listeners/http_foreign
✣ Simplified “foreign” Empire listeners
✣ Allows you to easily pass sessions
between control servers, given the
staging keys are the same

44. listeners/http_hop
✣ Completely redone “hop” listener
Simpler (with new packet structure) and
should be more stable
✣ Uses a .php redirector to tunnel
comms through a third site
✣ We’re looking for more
lanugage-based redirectors!
.ASP/.JSP/etc.

45. listeners/meterpreter
✣ The only thing present is the
generate_launcher() method
This generates Invoke-ShellCode code
applicable for the given Meterpreter
listener specification
✣ Allows you to easily spawn
Meterpreter/Cobalt Strike sessions
from Empire!

46. ✣ The new structure allows you to
communicate (and possibly stage)
through well-known third party
websites
✣ Let your imagination run with it…
* don’t break any terms of service, we’re not
lawyers
Third Party Listeners

48. Listener Hot-Swapping
✣ The management/switch_listener
module allows you to generate the
comms for a listener, and
dynamically update a running agent
with new comms!
✣ You can switch from HTTP ->
Dropbox -> IE_COM -> Dropbox,
even en masse!

49. Future Listeners
✣ In the next few months:
SMB - just need to work out some of the
routing components
DNS - @enigma0x3 is working as we speak
✣ Ideas?

50. Demos!

51. Code Release!

52. Any questions?
https://github.com/AdaptiveThreat/Empire
http://theempire.io/
@harmj0y, @enigma0x3, @sixdub
@xorrior, @424f424f, @tifkin_