S0363 Empire
Empire is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries. [3][1][2]
Item | Value |
---|---|
ID | S0363 |
Associated Names | EmPyre, PowerShell Empire |
Type | TOOL |
Version | 1.6 |
Created | 11 March 2019 |
Last Modified | 22 March 2023 |
Associated Software Descriptions
Name | Description |
---|---|
EmPyre | [1] |
PowerShell Empire | [1] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.002 | Bypass User Account Control | Empire includes various modules to attempt to bypass UAC for escalation of privileges. [1] |
enterprise | T1134 | Access Token Manipulation | Empire can use PowerSploit's Invoke-TokenManipulation to manipulate access tokens. [1] |
enterprise | T1134.002 | Create Process with Token | Empire can use Invoke-RunAs to make tokens. [1] |
enterprise | T1134.005 | SID-History Injection | Empire can add a SID-History to a user if on a domain controller. [1] |
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.001 | Local Account | Empire can acquire local and domain user account information. [1] |
enterprise | T1087.002 | Domain Account | Empire can acquire local and domain user account information. [1][5] |
enterprise | T1557 | Adversary-in-the-Middle | - |
enterprise | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Empire can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks. [1][6] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Empire can conduct command and control over protocols like HTTP and HTTPS. [1] |
enterprise | T1560 | Archive Collected Data | Empire can ZIP directories on the target system. [1] |
enterprise | T1119 | Automated Collection | Empire can automatically gather the username, domain name, machine name, and other information from a compromised system. [4] |
enterprise | T1020 | Automated Exfiltration | Empire has the ability to automatically send collected data back to the threat actors' C2. [4] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Empire can modify the registry run keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for persistence. [1] |
enterprise | T1547.005 | Security Support Provider | Empire can enumerate Security Support Providers (SSPs) as well as utilize PowerSploit's Install-SSP and Invoke-Mimikatz to install malicious SSPs and log authentication events. [1] |
enterprise | T1547.009 | Shortcut Modification | Empire can persist by modifying a .LNK file to include a backdoor. [1] |
enterprise | T1217 | Browser Information Discovery | Empire has the ability to gather browser data such as bookmarks and visited sites. [1] |
enterprise | T1115 | Clipboard Data | Empire can harvest clipboard data on both Windows and macOS systems. [1] |
enterprise | T1059 | Command and Scripting Interpreter | Empire uses a command-line interface to interact with systems. [1] |
enterprise | T1059.001 | PowerShell | Empire leverages PowerShell for the majority of its client-side agent tasks. Empire also contains the ability to conduct PowerShell remoting with the Invoke-PSRemoting module. [1][3] |
enterprise | T1059.003 | Windows Command Shell | Empire has modules for executing scripts. [1] |
enterprise | T1136 | Create Account | - |
enterprise | T1136.001 | Local Account | Empire has a module for creating a local user if permissions allow. [1] |
enterprise | T1136.002 | Domain Account | Empire has a module for creating a new domain user if permissions allow. [1] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | Empire can utilize built-in modules to modify service binaries and restore them to their original state. [1] |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.003 | Credentials from Web Browsers | Empire can use modules that extract passwords from common web browsers such as Firefox and Chrome. [1] |
enterprise | T1484 | Domain Policy Modification | - |
enterprise | T1484.001 | Group Policy Modification | Empire can use New-GPOImmediateTask to modify a GPO that will install and execute a malicious Scheduled Task/Job. [1] |
enterprise | T1482 | Domain Trust Discovery | Empire has modules for enumerating domain trusts. [1] |
enterprise | T1114 | Email Collection | - |
enterprise | T1114.001 | Local Email Collection | Empire has the ability to collect emails on a target system. [1] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.002 | Asymmetric Cryptography | Empire can use TLS to encrypt its C2 channel. [1] |
enterprise | T1546 | Event Triggered Execution | - |
enterprise | T1546.008 | Accessibility Features | Empire can leverage WMI debugging to remotely replace binaries like sethc.exe, Utilman.exe, and Magnify.exe with cmd.exe. [1] |
enterprise | T1041 | Exfiltration Over C2 Channel | Empire can send data gathered from a target through the command and control channel. [1][4] |
enterprise | T1567 | Exfiltration Over Web Service | - |
enterprise | T1567.001 | Exfiltration to Code Repository | Empire can use GitHub for data exfiltration. [1] |
enterprise | T1567.002 | Exfiltration to Cloud Storage | Empire can use Dropbox for data exfiltration. [1] |
enterprise | T1068 | Exploitation for Privilege Escalation | Empire can exploit vulnerabilities such as MS16-032 and MS16-135. [1] |
enterprise | T1210 | Exploitation of Remote Services | Empire has a limited number of built-in modules for exploiting remote SMB, JBoss, and Jenkins servers. [1] |
enterprise | T1083 | File and Directory Discovery | Empire includes various modules for finding files of interest on hosts and network shares. [1] |
enterprise | T1615 | Group Policy Discovery | Empire includes various modules for enumerating Group Policy. [1] |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.001 | DLL Search Order Hijacking | Empire contains modules that can discover and exploit various DLL hijacking opportunities. [1] |
enterprise | T1574.004 | Dylib Hijacking | Empire has a dylib hijacker module that generates a malicious dylib given the path to a legitimate dylib of a vulnerable application. [1] |
enterprise | T1574.007 | Path Interception by PATH Environment Variable | Empire contains modules that can discover and exploit path interception opportunities in the PATH environment variable. [1] |
enterprise | T1574.008 | Path Interception by Search Order Hijacking | Empire contains modules that can discover and exploit search order hijacking vulnerabilities. [1] |
enterprise | T1574.009 | Path Interception by Unquoted Path | Empire contains modules that can discover and exploit unquoted path vulnerabilities. [1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.006 | Timestomp | Empire can timestomp any files or payloads placed on a target machine to help them blend in. [1] |
enterprise | T1105 | Ingress Tool Transfer | Empire can upload and download to and from a victim machine. [1] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | Empire includes keylogging capabilities for Windows, Linux, and macOS systems. [1] |
enterprise | T1056.004 | Credential API Hooking | Empire contains some modules that leverage API hooking to carry out tasks, such as netripper. [1] |
enterprise | T1106 | Native API | Empire contains a variety of enumeration modules that have an option to use API calls to carry out tasks. [1] |
enterprise | T1046 | Network Service Discovery | Empire can perform port scans from an infected host. [1] |
enterprise | T1135 | Network Share Discovery | Empire can find shared drives on the local system. [1] |
enterprise | T1040 | Network Sniffing | Empire can be used to conduct packet captures on target hosts. [1] |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.010 | Command Obfuscation | Empire has the ability to obfuscate commands using Invoke-Obfuscation. [1] |
enterprise | T1003 | OS Credential Dumping | - |
enterprise | T1003.001 | LSASS Memory | Empire contains an implementation of Mimikatz to gather credentials from memory. [1] |
enterprise | T1057 | Process Discovery | Empire can find information about processes running on local and remote systems. [1][4] |
enterprise | T1055 | Process Injection | Empire contains multiple modules for injecting into processes, such as Invoke-PSInject. [1] |
enterprise | T1021 | Remote Services | - |
enterprise | T1021.003 | Distributed Component Object Model | Empire can utilize Invoke-DCOM to leverage remote COM execution for lateral movement. [1] |
enterprise | T1021.004 | SSH | Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection. [1] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | Empire has modules to interact with the Windows task scheduler. [1] |
enterprise | T1113 | Screen Capture | Empire is capable of capturing screenshots on Windows and macOS systems. [1] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | Empire can enumerate antivirus software on the target. [1] |
enterprise | T1558 | Steal or Forge Kerberos Tickets | - |
enterprise | T1558.001 | Golden Ticket | Empire can leverage its implementation of Mimikatz to obtain and use golden tickets. [1] |
enterprise | T1558.002 | Silver Ticket | Empire can leverage its implementation of Mimikatz to obtain and use silver tickets. [1] |
enterprise | T1558.003 | Kerberoasting | Empire uses PowerSploit's Invoke-Kerberoast to request service tickets and return crackable ticket hashes. [1] |
enterprise | T1082 | System Information Discovery | Empire can enumerate host system information like OS, architecture, domain name, applied patches, and more. [1][4] |
enterprise | T1016 | System Network Configuration Discovery | Empire can acquire network configuration information like DNS servers, public IP, and network proxies used by a host. [1][4] |
enterprise | T1049 | System Network Connections Discovery | Empire can enumerate the current network connections of a host. [1] |
enterprise | T1033 | System Owner/User Discovery | Empire can enumerate the username on targeted hosts. [4] |
enterprise | T1569 | System Services | - |
enterprise | T1569.002 | Service Execution | Empire can use PsExec to execute a payload on a remote host. [1] |
enterprise | T1127 | Trusted Developer Utilities Proxy Execution | - |
enterprise | T1127.001 | MSBuild | Empire can use built-in modules to abuse trusted utilities like MSBuild.exe. [1] |
enterprise | T1552 | Unsecured Credentials | - |
enterprise | T1552.001 | Credentials In Files | Empire can use various modules to search for files containing passwords. [1] |
enterprise | T1552.004 | Private Keys | Empire can use modules like Invoke-SessionGopher to extract private key and session information. [1] |
enterprise | T1550 | Use Alternate Authentication Material | - |
enterprise | T1550.002 | Pass the Hash | Empire can perform pass the hash attacks. [1] |
enterprise | T1125 | Video Capture | Empire can capture webcam data on Windows and macOS systems. [1] |
enterprise | T1102 | Web Service | - |
enterprise | T1102.002 | Bidirectional Communication | Empire can use Dropbox and GitHub for C2. [1] |
enterprise | T1047 | Windows Management Instrumentation | Empire can use WMI to deliver a payload to a remote host. [1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0073 | APT19 | [3] |
G0140 | LazyScripter | [7] |
G0102 | Wizard Spider | [8][9][10] |
G0096 | APT41 | [11] |
G0069 | MuddyWater | [12] |
G0091 | Silence | [13] |
G0010 | Turla | [14][15] |
G0051 | FIN10 | [16] |
G0090 | WIRTE | [17] |
G1001 | HEXANE | [5] |
G0052 | CopyKittens | [18] |
G0065 | Leviathan | [19] |
G0064 | APT33 | [20][21] |
G0119 | Indrik Spider | [22] |
References
1. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
2. Stepanic, D. (2018, September 2). attck_empire: Generate ATT&CK Navigator layer file from PowerShell Empire agent logs. Retrieved March 11, 2019.
3. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
4. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
5. SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019.
6. Robertson, K. (2015, April 2). Inveigh: Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool. Retrieved March 11, 2019.
7. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
8. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
9. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
10. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
11. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
12. Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
13. Group-IB. (2019, August). Silence 2.0: Going Global. Retrieved May 5, 2020.
14. ESET. (2018, August). Turla Outlook Backdoor: Analysis of an unusual Turla backdoor. Retrieved March 11, 2019.
15. Faou, M. (2020, December 2). Turla Crutch: Keeping the "back door" open. Retrieved December 4, 2020.
16. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
17. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
18. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
19. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China's MSS Hainan State Security Department. Retrieved August 12, 2021.
20. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
21. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
22. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.