Return of the CLI

The new Empire CLI is out and includes some big changes to the user experience. We rebuilt the CLI to interact with the Empire team server through the API. These changes may seem small, but it now allows multi-user access to the server through the CLI and gives users a CLI option for remote operations. This does not replace Starkiller, but is another option for operators to use. 

The Empire CLI includes a familiar menu structure to the original CLI, but we have built it on top of python-prompt-toolkit. This gives users access to drop-down menus, autocomplete, and the elimination of agent responses overwriting your prompt (obviously a huge win). If you have used byt3bl33d3r’s SILENTTRINITY, this will feel familiar to you. We added numerous new menu options, such as Admin, Plugins, Shell, and Chat.

Installation

Installation is relatively simple, you’ll want to download the Empire server from the releases page or follow the directions below.

Empire

git clone https://github.com/BC-SECURITY/Empire.git
cd Empire
sudo ./setup/install.sh
sudo poetry install
sudo poetry run python empire --rest -n

Empire-CLI

git clone https://github.com/BC-SECURITY/Empire-Cli.git
cd Empire-Cli
sudo poetry install
sudo poetry run python main.py

Shortcuts

Have you ever wanted to call modules directly from the agent menu with pre-set settings? Now you can! A list of pre-set shortcuts are already outlined in the config.yaml, which gives everyone access to the basic functions that were in the old Empire CLI. But, you can now add your own shortcuts tailored to the needs of your operation.

shortcuts:
  powershell:
    sherlock:
      module: powershell/privesc/sherlock

This first example is the simplest example. It adds a sherlock command to the Interact menu for PowerShell agents. It does not pass any specific parameters.

shortcuts:
  powershell:
    keylog:
      module: powershell/collection/keylogger
      params:
        - name: Sleep
          value: 1

This next one is slightly more complex in that we are telling the shortcut to set the Sleep parameter to 1. Note that if there are any other parameters for this module that we don’t define, it will use whatever the default value is.

shortcuts:
  powershell:
    bypassuac:
      module: powershell/privesc/bypassuac_eventvwr
      params:
        - name: Listener
          dynamic: true

This third one gets a bit more complex. Instead of providing a value to the parameter, it is marked as dynamic. This tells the CLI that it expects the user to send the parameters as part of their command. In other words, the user needs to type bypassuac http1 in order for this to execute. The parameters are passed in the order they are defined in config.yaml. There are some convenient autocompletes if the field is named Listener or Agent.

Login

You will now need to login to the CLI when you boot up the Empire-Cli. Pre-configured servers are stored in the config.yaml file.

Admin Menu

The admin menu is an administrative menu which gives the team server admin the options to manage users and server options. The admin menu can be accessed by typing admin into the console. Once on this page, the admin can add/remove users from the team server and can modify the types of obfuscation the agents will use.

Regular users will not be able to modify settings, but will have access to accessing the notes features. Notes allow users to record information within their session and have it stored on the server. They can access their notes from any session once they are sent to the server.

Note Taking

The admin menu also includes a new feature: notes. Users can take notes within their session and have them stored on the server. We hope to continue to expand this feature, so feedback is greatly appreciated.

Plugins

Plugins are a hidden gem inside of Empire. They allow anyone to create standalone modules that Empire will ingest and use (assuming the template is followed). They are used to extend Empire and load custom scripts. This allows anyone to easily build or add community projects to build additional Empire functionality. Plugins can be accessed from the Empire CLI as long as the plugin follows the template example. A list of Empire Plugins is located here.

The Plugins menu displays all of the currently loaded plugins available to the user. You will then need to call useplugin to be able to access the functionality of a plugin.

Interactive Shell

This is one of the most exciting features that we added to the Empire CLI. Inside of any agent (PowerShell or Python), an operator can drop into an interactive shell that displays their current working directory. 

To run the Interactive Shell, just type shell inside of any agent.

This shell captures all commands sent to the session and gives the look and feel of a real shell session on the target machine. To exit the shell session, just type exit and you will return to the agent.

Chat Window

Alright, now what everyone is excited most about, team server chat. We tried out the chat option as a POC and thought this was awesome, why not build it as a plugin? After spending some time with it (and Vince fixing the code), we realized that this is something that should just be in the server by default.

The chat menu interacts with the chat server in Empire. This allows users to drop in and out of the chatroom by typing chat. The 20 most recent messages will be displayed when you log in to the room. When you are ready to return to your previous task, type back and you return to your previous menu. You can expect this to be expanded upon and integrated with Starkiller in the future.

We also added chat server integration into Starkiller for sponsors this week. If you are interested in sponsoring our tool development or just really enjoy our work, you can check out our GitHub.

Wrap-up

The old Empire CLI has not been removed just yet, but over the next few months, as we reach feature parity, we will deprecate it and move this new CLI into the main repository. With all the new changes, we are pushing out a FREE webinar to cover all the new Empire features. Register here!

We look forward to your feedback and issues in this pre-release state. Please open issues on GitHub at https://github.com/BC-SECURITY/Empire-Cli/issues.

The post Return of the CLI appeared first on BC Security.