Skip to content

S0363 Empire

Empire is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.312

Item Value
ID S0363
Associated Names EmPyre, PowerShell Empire
Version 1.6
Created 11 March 2019
Last Modified 22 March 2023
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
EmPyre 1
PowerShell Empire 1

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control Empire includes various modules to attempt to bypass UAC for escalation of privileges.1
enterprise T1134 Access Token Manipulation Empire can use PowerSploit‘s Invoke-TokenManipulation to manipulate access tokens.1
enterprise T1134.002 Create Process with Token Empire can use Invoke-RunAs to make tokens.1
enterprise T1134.005 SID-History Injection Empire can add a SID-History to a user if on a domain controller.1
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account Empire can acquire local and domain user account information.1
enterprise T1087.002 Domain Account Empire can acquire local and domain user account information.15
enterprise T1557 Adversary-in-the-Middle -
enterprise T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay Empire can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.16
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Empire can conduct command and control over protocols like HTTP and HTTPS.1
enterprise T1560 Archive Collected Data Empire can ZIP directories on the target system.1
enterprise T1119 Automated Collection Empire can automatically gather the username, domain name, machine name, and other information from a compromised system.4
enterprise T1020 Automated Exfiltration Empire has the ability to automatically send collected data back to the threat actors’ C2.4
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Empire can modify the registry run keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for persistence.1
enterprise T1547.005 Security Support Provider Empire can enumerate Security Support Providers (SSPs) as well as utilize PowerSploit‘s Install-SSP and Invoke-Mimikatz to install malicious SSPs and log authentication events.1
enterprise T1547.009 Shortcut Modification Empire can persist by modifying a .LNK file to include a backdoor.1
enterprise T1217 Browser Information Discovery Empire has the ability to gather browser data such as bookmarks and visited sites.1
enterprise T1115 Clipboard Data Empire can harvest clipboard data on both Windows and macOS systems.1
enterprise T1059 Command and Scripting Interpreter Empire uses a command-line interface to interact with systems.1
enterprise T1059.001 PowerShell Empire leverages PowerShell for the majority of its client-side agent tasks. Empire also contains the ability to conduct PowerShell remoting with the Invoke-PSRemoting module.13
enterprise T1059.003 Windows Command Shell Empire has modules for executing scripts.1
enterprise T1136 Create Account -
enterprise T1136.001 Local Account Empire has a module for creating a local user if permissions allow.1
enterprise T1136.002 Domain Account Empire has a module for creating a new domain user if permissions allow.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Empire can utilize built-in modules to modify service binaries and restore them to their original state.1
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers Empire can use modules that extract passwords from common web browsers such as Firefox and Chrome.1
enterprise T1484 Domain Policy Modification -
enterprise T1484.001 Group Policy Modification Empire can use New-GPOImmediateTask to modify a GPO that will install and execute a malicious Scheduled Task/Job.1
enterprise T1482 Domain Trust Discovery Empire has modules for enumerating domain trusts.1
enterprise T1114 Email Collection -
enterprise T1114.001 Local Email Collection Empire has the ability to collect emails on a target system.1
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography Empire can use TLS to encrypt its C2 channel.1
enterprise T1546 Event Triggered Execution -
enterprise T1546.008 Accessibility Features Empire can leverage WMI debugging to remotely replace binaries like sethc.exe, Utilman.exe, and Magnify.exe with cmd.exe.1
enterprise T1041 Exfiltration Over C2 Channel Empire can send data gathered from a target through the command and control channel.14
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.001 Exfiltration to Code Repository Empire can use GitHub for data exfiltration.1
enterprise T1567.002 Exfiltration to Cloud Storage Empire can use Dropbox for data exfiltration.1
enterprise T1068 Exploitation for Privilege Escalation Empire can exploit vulnerabilities such as MS16-032 and MS16-135.1
enterprise T1210 Exploitation of Remote Services Empire has a limited number of built-in modules for exploiting remote SMB, JBoss, and Jenkins servers.1
enterprise T1083 File and Directory Discovery Empire includes various modules for finding files of interest on hosts and network shares.1
enterprise T1615 Group Policy Discovery Empire includes various modules for enumerating Group Policy.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking Empire contains modules that can discover and exploit various DLL hijacking opportunities.1
enterprise T1574.004 Dylib Hijacking Empire has a dylib hijacker module that generates a malicious dylib given the path to a legitimate dylib of a vulnerable application.1
enterprise T1574.007 Path Interception by PATH Environment Variable Empire contains modules that can discover and exploit path interception opportunities in the PATH environment variable.1
enterprise T1574.008 Path Interception by Search Order Hijacking Empire contains modules that can discover and exploit search order hijacking vulnerabilities.1
enterprise T1574.009 Path Interception by Unquoted Path Empire contains modules that can discover and exploit unquoted path vulnerabilities.1
enterprise T1070 Indicator Removal -
enterprise T1070.006 Timestomp Empire can timestomp any files or payloads placed on a target machine to help them blend in.1
enterprise T1105 Ingress Tool Transfer Empire can upload and download to and from a victim machine.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Empire includes keylogging capabilities for Windows, Linux, and macOS systems.1
enterprise T1056.004 Credential API Hooking Empire contains some modules that leverage API hooking to carry out tasks, such as netripper.1
enterprise T1106 Native API Empire contains a variety of enumeration modules that have an option to use API calls to carry out tasks.1
enterprise T1046 Network Service Discovery Empire can perform port scans from an infected host.1
enterprise T1135 Network Share Discovery Empire can find shared drives on the local system.1
enterprise T1040 Network Sniffing Empire can be used to conduct packet captures on target hosts.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.010 Command Obfuscation Empire has the ability to obfuscate commands using Invoke-Obfuscation.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Empire contains an implementation of Mimikatz to gather credentials from memory.1
enterprise T1057 Process Discovery Empire can find information about processes running on local and remote systems.14
enterprise T1055 Process Injection Empire contains multiple modules for injecting into processes, such as Invoke-PSInject.1
enterprise T1021 Remote Services -
enterprise T1021.003 Distributed Component Object Model Empire can utilize Invoke-DCOM to leverage remote COM execution for lateral movement.1
enterprise T1021.004 SSH Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Empire has modules to interact with the Windows task scheduler.1
enterprise T1113 Screen Capture Empire is capable of capturing screenshots on Windows and macOS systems.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Empire can enumerate antivirus software on the target.1
enterprise T1558 Steal or Forge Kerberos Tickets -
enterprise T1558.001 Golden Ticket Empire can leverage its implementation of Mimikatz to obtain and use golden tickets.1
enterprise T1558.002 Silver Ticket Empire can leverage its implementation of Mimikatz to obtain and use silver tickets.1
enterprise T1558.003 Kerberoasting Empire uses PowerSploit‘s Invoke-Kerberoast to request service tickets and return crackable ticket hashes.1
enterprise T1082 System Information Discovery Empire can enumerate host system information like OS, architecture, domain name, applied patches, and more.14
enterprise T1016 System Network Configuration Discovery Empire can acquire network configuration information like DNS servers, public IP, and network proxies used by a host.14
enterprise T1049 System Network Connections Discovery Empire can enumerate the current network connections of a host.1
enterprise T1033 System Owner/User Discovery Empire can enumerate the username on targeted hosts.4
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Empire can use PsExec to execute a payload on a remote host.1
enterprise T1127 Trusted Developer Utilities Proxy Execution -
enterprise T1127.001 MSBuild Empire can use built-in modules to abuse trusted utilities like MSBuild.exe.1
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files Empire can use various modules to search for files containing passwords.1
enterprise T1552.004 Private Keys Empire can use modules like Invoke-SessionGopher to extract private key and session information.1
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.002 Pass the Hash Empire can perform pass the hash attacks.1
enterprise T1125 Video Capture Empire can capture webcam data on Windows and macOS systems.1
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication Empire can use Dropbox and GitHub for C2.1
enterprise T1047 Windows Management Instrumentation Empire can use WMI to deliver a payload to a remote host.1

Groups That Use This Software

ID Name References
G0073 APT19 3
G0140 LazyScripter 7
G0102 Wizard Spider 8910
G0096 APT41 11
G0069 MuddyWater 12
G0091 Silence 13
G0010 Turla 1415
G0051 FIN10 16
G0090 WIRTE 17
G1001 HEXANE 5
G0052 CopyKittens 18
G0065 Leviathan 19
G0064 APT33 2021
G0119 Indrik Spider 22


  1. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  2. Stepanic, D. (2018, September 2). attck_empire: Generate ATT&CK Navigator layer file from PowerShell Empire agent logs. Retrieved March 11, 2019. 

  3. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019. 

  4. Adamitis, D. et al. (2019, June 4). It’s alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. 

  5. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19  

  6. Robertson, K. (2015, April 2). Inveigh: Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool. Retrieved March 11, 2019. 

  7. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. 

  8. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. 

  9. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. 

  10. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. 

  11. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. 

  12. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020. 

  13. Group-IB. (2019, August). Silence 2.0: Going Global. Retrieved May 5, 2020. 

  14. ESET. (2018, August). Turla Outlook Backdoor: Analysis of an unusual Turla backdoor. Retrieved March 11, 2019. 

  15. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020. 

  16. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017. 

  17. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019. 

  18. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. 

  19. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021. 

  20. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019. 

  21. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. 

  22. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.