Overview Of Empire 3.4 Features

It's been about two weeks since we released Empire 3.4, and hopefully everyone has had a chance to check out all the new features. Our team has put quite a few hours into development, and we wanted to give an overview so everyone can leverage Empire's full capabilities. Here are just a few of the updates implemented in 3.4:

  • Added Malleable C2 HTTP Listener – #287 (@johneiser, @Cx01N, @Hubbl3)
  • Added reflective load ability for files – #309 (@Hubbl3)
  • Added Invoke-Watson – #294 (@Cx01N)
  • Added Invoke-WinPEAS – #293 (@Cx01N)
  • Added Invoke-DomainPasswordSpray – #295 (@Cx01N)

If you haven’t updated to the newest Empire version yet, you can download it from our GitHub or install it directly through Kali using sudo apt install powershell-empire. Just make sure you run apt update before installing to ensure you are getting the most recent copy.

Malleable C2 HTTP Listener

We covered most of the capability of the Malleable Listener in our last blog. However, if you missed it, we recently incorporated a Malleable C2 HTTP Listener, which leverages the same profiles as Cobalt Strike. Malleable C2 is not a new concept: Cobalt Strike has employed it for several years, and it is considered one of that tool's most valuable features.

You can launch the Malleable C2 by typing:

uselistener http_malleable

This will bring up the listener, where you can load (nearly) any profile that you would normally launch with Cobalt Strike. The parser is not perfect, and some profiles will cause it problems. We are always looking for contributions and improvements to the project, so please feel free to help us improve it in future updates. If you are looking for profiles that have already been tested, check out our repo.

[Image: Malleable C2 HTTP Listener setup page]

Profiles are loaded from your directory by using:

set Profile apt1.profile
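To make the profile-parsing step concrete from the defender's side, here is an added example in Python; it is not Empire's own parser, and the profile embedded in it is constructed for the example rather than the apt1.profile mentioned above. It tokenizes a file in the Malleable C2 syntax and pulls out the pieces of a profile that appear on the wire and can be turned into network detections: the User-Agent, the http-get/http-post URIs and the client headers. Only the core `set`, `header` and block statements are modelled, not the full grammar.

```python
import re
from typing import List, Optional

# Constructed profile in the Malleable C2 syntax, written for this example.
# It is not apt1.profile or any real profile; all values are placeholders.
SAMPLE_PROFILE = r'''
# comment lines like this one are skipped by the tokenizer
set sleeptime "30000";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Example/1.0";

http-get {
    set uri "/api/v1/status /api/v1/ping";
    client {
        header "Accept" "*/*";
        header "Host" "cdn.example.test";
        metadata { base64url; prepend "session="; header "Cookie"; }
    }
    server { header "Content-Type" "application/json"; output { print; } }
}

http-post {
    set uri "/api/v1/submit";
    client {
        header "Content-Type" "application/octet-stream";
        output { print; }
    }
}
'''

# quoted string (with backslash escapes) | brace or semicolon | bare word
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[{};]|[^\s{};"]+')


def tokenize(text: str) -> List[str]:
    """Drop '#' comment lines and split the rest into tokens."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    return _TOKEN.findall(body)


def _unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse(tokens: List[str]) -> dict:
    """Recursive-descent parse into {'set': {...}, 'header': [(k, v)],
    'blocks': [(name, subtree)], 'stmts': [[tokens]]}."""
    node = {"set": {}, "header": [], "blocks": [], "stmts": []}
    stmt: List[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "{":                      # the words before '{' name the block
            depth, j = 1, i + 1
            while j < len(tokens) and depth:
                depth += 1 if tokens[j] == "{" else -1 if tokens[j] == "}" else 0
                j += 1
            if depth:
                raise ValueError("unbalanced braces in profile")
            name = " ".join(_unquote(t) for t in stmt)
            node["blocks"].append((name, parse(tokens[i + 1:j - 1])))
            stmt, i = [], j
            continue
        if tok == ";":
            if len(stmt) == 3 and stmt[0] == "set":
                node["set"][stmt[1]] = _unquote(stmt[2])
            elif len(stmt) == 3 and stmt[0] == "header":
                node["header"].append((_unquote(stmt[1]), _unquote(stmt[2])))
            elif stmt:
                node["stmts"].append([_unquote(t) for t in stmt])
            stmt = []
        else:
            stmt.append(tok)
        i += 1
    return node


def _block(node: dict, name: str) -> Optional[dict]:
    """First block called `name` (or a named variant such as `http-get "x"`)."""
    for n, sub in node["blocks"]:
        if n == name or n.startswith(name + " "):
            return sub
    return None


def extract_indicators(profile_text: str) -> dict:
    """User-Agent, request URIs and client headers from a profile."""
    tree = parse(tokenize(profile_text))
    out = {"useragent": tree["set"].get("useragent"), "uris": [], "client_headers": {}}
    for verb in ("http-get", "http-post"):
        blk = _block(tree, verb)
        if blk is None:
            continue
        out["uris"] += [(verb, u) for u in blk["set"].get("uri", "").split()]
        client = _block(blk, "client")
        out["client_headers"][verb] = dict(client["header"]) if client else {}
    return out
```

Run extract_indicators(SAMPLE_PROFILE) to get the User-Agent, the three URIs and the per-verb client headers; the same call on a real profile from the tested-profiles repo gives a blue team the strings to build proxy or IDS matches from.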

Reflective Loading

One of the new features in 3.4 is the ability to reflectively load .NET assemblies into the agent. This means that Empire agents can now easily be used in conjunction with C# projects like Harmj0y's GhostPack tools. This is done by using the new reflective load keyword in the agent's menu and providing the path to the DLL or EXE. Once loaded, the assembly can be accessed by using shell [<assembly>]::method(). Below is a screenshot showing how Rubeus would be used.

[Image: Rubeus.exe being reflectively loaded into Empire]

There are two important things to keep in mind when using this. First, use AMSIBypass2 when working with .NET assemblies: Matt Graeber's bypass (AMSIBypass) only disables AMSI in the PowerShell runtime, not in the CLR, whereas AMSIBypass2 disables AMSI in the CLR as well. Second, the main or entry point method of the assembly should be public. If it is not public, reflection has to be used to access the method, which is a bit unwieldy.
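From the detection side, a reflective load leaves no file on disk, but PowerShell script block logging (Event ID 4104) still records the loader itself. The Python below is an added example written for this post, not Empire's code; it assumes the agent loads the assembly the way most in-memory .NET loaders do, with [System.Reflection.Assembly]::Load over a Base64-decoded byte array followed by a call into the loaded type, and runs that check over constructed sample events, decoding the blob to confirm an MZ header and recording the static call that follows the load.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed stand-in for a PE image: an "MZ" header plus padding (not a real binary).
FAKE_PE_B64 = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00").decode()

# Constructed sample of script block log payloads (Event ID 4104). Record 102 mimics
# the shape most in-memory .NET loaders take: Assembly.Load over a Base64-decoded byte
# array, then a call into the loaded assembly. That shape is an assumption about the
# loader, not Empire's exact code.
SAMPLE_EVENTS: List[Dict] = [
    {"record_id": 101, "host": "WS01",
     "script_block": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"record_id": 102, "host": "WS01",
     "script_block": "$a=[System.Reflection.Assembly]::Load([Convert]::FromBase64String('"
                     + FAKE_PE_B64 + "'));[Rubeus.Program]::Main('triage'.Split())"},
    {"record_id": 103, "host": "WS02",
     "script_block": "[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms')"},
]

LOAD_RE = re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(", re.IGNORECASE)
B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{64,})['\"]\s*\)", re.IGNORECASE)
CALL_RE = re.compile(r"\[([A-Za-z0-9_.]+)\]::([A-Za-z0-9_]+)\s*\(")


def looks_like_pe(b64: str) -> bool:
    """Decode the inline blob and check for the MZ signature of a PE image."""
    try:
        data = base64.b64decode(b64, validate=True)
    except ValueError:          # binascii.Error is a subclass of ValueError
        return False
    return data[:2] == b"MZ"


def classify(event: Dict) -> Optional[Dict]:
    """Return a finding for a script block that loads an assembly from memory, else None."""
    text = event["script_block"]
    if not LOAD_RE.search(text):
        return None
    finding = {"record_id": event["record_id"], "host": event["host"],
               "severity": "medium", "inline_pe": False, "entry_call": None}
    blob = B64_RE.search(text)
    if blob and looks_like_pe(blob.group(1)):
        finding["inline_pe"] = True     # the whole executable travelled inside the script
        finding["severity"] = "high"
    # The first static call that is neither the loader nor the decoder names the
    # assembly entry point that was invoked, e.g. Rubeus.Program::Main.
    calls = [(ns, m) for ns, m in CALL_RE.findall(text)
             if not ns.lower().endswith("reflection.assembly") and ns.lower() != "convert"]
    if calls:
        finding["entry_call"] = f"{calls[0][0]}::{calls[0][1]}"
    return finding


def scan(events: List[Dict]) -> List[Dict]:
    """Apply classify() to every event and keep the hits."""
    return [f for f in (classify(e) for e in events) if f is not None]
```

Only record 102 is flagged: the LoadWithPartialName call in record 103 is ordinary framework use and does not match, which is the kind of false positive a regex on the bare word Assembly would produce.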

Invoke-Watson


We incorporated Sherlock into Empire a while back, in 3.0, but soon realized that a more modern Windows enumeration module was needed. So here comes Dr. Watson. Watson is a .NET tool developed by rasta-mouse for enumerating privilege escalation vulnerabilities on Windows 10 and Server 2016/2019 machines. If you aren't too familiar with running .NET, you'd need to compile the program before running it. Luckily, we have taken that step out for you and wrapped it in a PowerShell script (Invoke-Watson) to save you a bit of a headache.

[Image: Invoke-Watson module in Empire]
[Image: Results from Invoke-Watson]

GitHub: https://github.com/rasta-mouse/Watson

Invoke-WinPEAS


WinPEAS (Windows Privilege Escalation Awesome Scripts) is a .NET tool based on SeatBelt and developed by carlospolop. It has a wide range of privilege escalation enumeration checks (including Watson) already built into it. The way we see it, you can never have enough privilege escalation options.

[Image: Invoke-WinPEAS module in Empire]

As always, you can compile it yourself and load it into Empire using the new Reflective Loading ability. Or just run the Invoke-WinPEAS module, which has the C# wrapped in a PowerShell script.

[Image: Results from Invoke-WinPEAS]

GitHub: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS

Invoke-DomainPasswordSpray

[Image: Invoke-DomainPasswordSpray module in Empire]

DomainPasswordSpray is a PowerShell tool written by dafthack that performs a password spray attack against the users of a domain. By default, Invoke-DomainPasswordSpray automatically generates the user list from the domain. Just a little warning from their GitHub: BE VERY CAREFUL NOT TO LOCK OUT ACCOUNTS!

[Image: Results from Invoke-DomainPasswordSpray]

GitHub: https://github.com/dafthack/DomainPasswordSpray
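The lockout warning above is also the defender's detection hook: a spray is many accounts, each tried once or twice, from one source inside a short window, which is the inverse of brute-forcing a single account and is shaped that way precisely to stay under lockout thresholds. Here is an added Python example (not the DomainPasswordSpray project's code) that parses constructed failed-logon records in a simplified flat format modelled on Event ID 4625 and flags that pattern while leaving single-account brute force to a separate rule. The substatus values 0xC000006A (wrong password) and 0xC0000234 (account locked out) are standard Windows NTSTATUS codes; the log lines and addresses are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed failed-logon records in a simplified flat format modelled on Event ID 4625:
# timestamp, event id, account, source address, NTSTATUS substatus.
# 10.0.0.5 tries ten accounts once each and trips one lockout (spray);
# 10.0.0.9 hammers a single account (brute force, a different detection).
SAMPLE_LOG = """\
2020-09-06T21:10:01 4625 user=alice src=10.0.0.5 sub=0xC000006A
2020-09-06T21:10:02 4625 user=bob src=10.0.0.5 sub=0xC000006A
2020-09-06T21:10:03 4625 user=carol src=10.0.0.5 sub=0xC000006A
2020-09-06T21:10:04 4625 user=dave src=10.0.0.5 sub=0xC000006A
2020-09-06T21:10:05 4625 user=erin src=10.0.0.5 sub=0xC000006A
2020-09-06T21:10:06 4625 user=frank src=10.0.0.5 sub=0xC000006A
2020-09-06T21:10:07 4625 user=grace src=10.0.0.5 sub=0xC000006A
2020-09-06T21:10:08 4625 user=heidi src=10.0.0.5 sub=0xC000006A
2020-09-06T21:10:09 4625 user=ivan src=10.0.0.5 sub=0xC000006A
2020-09-06T21:10:10 4625 user=judy src=10.0.0.5 sub=0xC000006A
2020-09-06T21:10:11 4625 user=alice src=10.0.0.5 sub=0xC0000234
2020-09-06T21:12:00 4625 user=alice src=10.0.0.9 sub=0xC000006A
2020-09-06T21:12:20 4625 user=alice src=10.0.0.9 sub=0xC000006A
2020-09-06T21:12:40 4625 user=alice src=10.0.0.9 sub=0xC000006A
2020-09-06T21:13:00 4625 user=alice src=10.0.0.9 sub=0xC000006A
2020-09-06T21:13:20 4625 user=alice src=10.0.0.9 sub=0xC000006A
2020-09-06T21:13:40 4625 user=alice src=10.0.0.9 sub=0xC000006A
"""

LINE_RE = re.compile(r"(\S+) (\d+) user=(\S+) src=(\S+) sub=(\S+)")
LOCKED_OUT = "0xC0000234"   # NTSTATUS: account locked out (0xC000006A is wrong password)


def parse_failures(text: str) -> List[Tuple[datetime, str, str, str]]:
    """(timestamp, account, source, substatus) for every 4625 line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "4625":
            rows.append((datetime.fromisoformat(m.group(1)), m.group(3).lower(),
                         m.group(4), m.group(5)))
    return rows


def detect_spray(rows, window=timedelta(minutes=10), min_users=8, max_per_user=2) -> List[Dict]:
    """One finding per source that, inside a sliding window, failed against at least
    min_users distinct accounts while trying each at most max_per_user times.
    Single-account brute force fails the max_per_user test and is not reported here."""
    by_src = defaultdict(list)
    for ts, user, src, sub in rows:
        by_src[src].append((ts, user, sub))
    findings = []
    for src, evs in by_src.items():
        evs.sort()
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            per_user = Counter(u for _, u, _ in evs[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                cand = {"src": src, "users": len(per_user), "attempts": end - start + 1,
                        "first": evs[start][0], "last": evs[end][0],
                        "lockouts": sum(1 for _, _, s in evs[start:end + 1] if s == LOCKED_OUT)}
                if best is None or cand["users"] >= best["users"]:
                    best = cand     # prefer the widest window with the most accounts
        if best:
            findings.append(best)
    return findings
```

With the sample, detect_spray(parse_failures(SAMPLE_LOG)) returns one finding for 10.0.0.5 covering ten accounts and eleven attempts, one of which already hit a locked-out substatus; 10.0.0.9 is ignored because all six of its failures land on one account. The thresholds are parameters because the right values depend on the domain's lockout policy and normal failure rate.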


Our team will be covering Tactics, Techniques, and Procedures (TTPs) that leverage tools like these in our Advanced Threat Emulation: Red Teams course from November 11 – 13. We have only a few seats left, so hurry!

Keep up-to-date on our tool development on our Twitter or Discord.

The post Overview Of Empire 3.4 Features appeared first on BC Security.
