
Empire Demolab at DEF CON 29

    The Dark Tangent

    #1

    Empire Demolab at DEF CON 29

    Tool or Project Name: Empire

    Short Abstract (What is your tool, what does it do?):
    Empire is a Command and Control (C2) framework powered by Python 3 that supports Windows, Linux, and macOS exploitation. It leverages many widely used offensive security tools through PowerShell, Python 3, and C# agents. At the same time, it offers cryptologically-secure communications and flexible modular architecture that links Advanced Persistent Threats (APTs) Tactics, Techniques, and Procedures (TTPs) through the MITRE ATT&CK database.

    Empire has evolved significantly since its introduction in 2015 and has become one of the most widely used open-source C2 platforms. Through this time, Empire has advanced from a single user experience to allowing multiple user operations through an API with Empire acting as a teamserver. Currently, 2 different applications are available to connect to the Empire teamserver: Empire Command Line Interface (CLI) and Starkiller.

    The Empire CLI is built from the ground up as a replacement to the embedded legacy CLI and gives users a familiar feel of the legacy CLI, but is portable and connects through the Empire API. Starkiller, meanwhile, is a cross-platform UI available in Linux, Windows, and macOS powered by ElectronJS.

    The framework's flexibility to easily incorporate new modules allows for a single solution for red team operations with the aim for Empire to provide an easy-to-use platform for emulating APTs. Customization is essential to any successful red team operation, which has driven the expansion of user plugins. These plugins allow any custom program to run side-by-side with the Empire teamserver. In addition, the commonality between other C2 platforms allows profiles and modules to be easily dropped in without the need for additional development. These features allow both red and blue teams to easily emulate and defend against the APT attack vectors.

    Short Developer Bio:
    Vincent "Vinnybod" Rose is the Lead Tool Developer for Empire and Starkiller. He is a software engineer with expertise in cloud service and has over a decade of software development and networking experience. Recently, his focus has been on building ad-serving technologies, web and ad-tracking applications. Vinnybod has presented at Black Hat and has taught courses at DEF CON on Red Teaming and Offensive PowerShell. He currently maintains a cybersecurity blog focused on offensive security at https://www.bc-security.org/blog/.

    Anthony "Cx01N" Rose, CISSP, is the Lead Security Researcher at BC Security, where he specializes in adversary tactic emulation planning, Red and Blue Team operations, and embedded systems security. He has presented at numerous security conferences, including Black Hat, DEF CON, and RSA conferences. Cx01N is the author of various offensive security tools, including Empire and Starkiller, which he actively develops and maintains. He is recognized for his work revealing widespread vulnerabilities in Bluetooth devices and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/.

    URL to any additional information:
    Blogs about new Empire and Starkiller features:
    Video walk through of new features:

    Detailed Explanation of Tool:
    Empire has been a well-established versatile Command and Control (C2) framework for many years. Our work has allowed better adoption by red teams and shifts the focus of the platform to threat emulation. Threat emulation has been enhanced by leveraging a MITRE ATT&CK framework-based database. Every module is tagged with the MITRE ATT&CK techniques that most closely relate to the objectives of that tool and allows operators to search through the database to find and use tools that meet their specific threat emulation plan. This is combined with the new Empire server/client architecture, which has 2 different applications to connect through Starkiller and Empire Command Line Interface (CLI), allowing for multi-user distributed operations.
    Starkiller is a cross-platform UI available in Linux, Windows, and macOS for interacting with the Empire post-exploitation framework. This application allows red teams to share any instance of Empire and support remote, multi-operator engagements for instant collaboration and efficient event tracking. Each user is tracked in a database, which can be queried to evaluate team progression and generate post-engagement reports. Within a few minutes, a red-teamer can set up a listener (call back server) on Empire, get a target (agent) calling back to that server, and send payloads to it. Not only that, but multiple users can be working with those same agents, 3rd party modules, and listeners. There is no need to duplicate effort in establishing independent red team infrastructures when a common interface can now be used with the enhanced Empire API. When viewing an agent in the interface, we can get live updates of tasks queued to it, which users set that task, and the results.

    The Empire CLI is built from the ground up as a replacement to the embedded legacy CLI that was packaged with Empire. This adaptation allows users to continue to run an interface that gives the look and feel of the legacy CLI, but is portable and connects through the Empire API. While building this, we looked for areas to improve and constructed it using Python Prompt Toolkit, which gives users a streamlined look with drop-down menus, an interactive shell, and multiple user support.
    While many of these new improvements are still in their early stages, we believe that the new construct for Empire will drive a significant change in how teams use the tool in the future.

    Supporting Files, Code, etc:
    https://github.com/BC-SECURITY/Empire
    https://github.com/BC-SECURITY/Empire-Cli
    https://github.com/BC-SECURITY/Starkiller

    Target Audience:
    Offense

    These updates bring Empire into parity with some of the top paid Offense tool kits allowing students to gain exposure to how advanced TTPs and teaming workflows are utilized in offensive engagements.

    We picked up the project back in August 2019. We were actually teaching a workshop using Empire and were contacted by Kali around November that year asking if we would be interested in publishing our Python 3 copy. They wanted to drop Python 2 support but didn't want to lose older tools. And we have been pushing updates ever since.

    What have we done so far?
    We designed an API that supports multiple users at once and collaboration within the C2. We added over 30 new tools within the framework, including a SOCKS proxy, Rubeus, and Seatbelt. We added a graphical user interface, Starkiller. Threat emulation is a big thing that we are pushing for, so we went through and tagged every tool with a MITRE ATT&CK technique which links back to the source material and descriptions of the attack. We also added a cross-compatibility ability that uses Cobalt Strike's malleable C2 profiles to create malleable listeners in Empire.

    Where are we going?
    Empire 4.0 is our current version in development. This is nearly a complete rewrite of the project and almost a new C2. The project now uses a server/client architecture that aligns itself with modern C2s, such as Cobalt Strike, PoshC2, and Silent Trinity.

    We added C# implants with on-the-fly compilation using the Roslyn compiler. This ability is something that everyone has been asking about for a while, since most advanced frameworks support some flavor of C# implants. We wanted to implement this in a way that allows us to have cross-compatibility with Covenant's tools but still maintain Empire's agent capabilities and formatting. What we ended up with is the capability to run C# implants that can compile their modules and use all the PowerShell tools as well. Another advantage of this is that PowerShell agents can compile C# tools on the fly as well.

    Visually, we completely redid the CLI to be streamlined, and it includes new features like dropdown menus, server chatrooms, and suggested values.

    We redesigned the plugin functionality within Empire and significantly expanded its capabilities. Plugins are a lesser-known ability which allows users to specially craft tools that can enhance the framework's capabilities. This is similar to how Cobalt Strike uses Aggressor scripts to expand its capabilities.

    PGP Key: https://defcon.org/html/links/dtangent.html
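The post describes every Empire module being tagged with MITRE ATT&CK techniques so operators can search for the tools that fit a threat-emulation plan. The script below is an added example, not Empire's own code: it assumes Empire 4's module layout, where each module definition carries a `techniques` list of ATT&CK IDs, and builds an index from a few constructed module records (the module names are made up). It goes one step beyond the post by also registering sub-technique tags under their parent technique and by reporting which planned techniques have no module at all.

```python
"""Index Empire-style module definitions by MITRE ATT&CK technique and check
a threat-emulation plan against that index.

Added example, not Empire's own code.  Assumption: each module record carries
a `techniques` list of ATT&CK IDs, as Empire 4's YAML module files do.  The
records below are constructed for this example and describe no real module.
"""
import re
from collections import defaultdict

# Tnnnn or Tnnnn.nnn (sub-technique)
TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed sample records; field names follow Empire 4's module YAML.
MODULES = [
    {"name": "powershell/situational_awareness/host/sample_proc_list",
     "language": "powershell", "opsec_safe": True, "needs_admin": False,
     "techniques": ["T1057"]},
    {"name": "csharp/credentials/sample_dump",
     "language": "csharp", "opsec_safe": False, "needs_admin": True,
     "techniques": ["T1003", "T1003.001"]},
    {"name": "python/lateral_movement/sample_ssh",
     "language": "python", "opsec_safe": True, "needs_admin": False,
     "techniques": ["T1021.004"]},
]


def parent_technique(tid):
    """'T1003.001' -> 'T1003'; a parent technique maps to itself."""
    return tid.split(".", 1)[0]


def build_index(modules):
    """Map each ATT&CK technique ID to the module records tagged with it.

    A sub-technique tag also registers the module under its parent, so a plan
    that names T1003 still finds a module tagged only T1003.001.  That roll-up
    is this example's own addition, not something the post says Empire does.
    """
    index = defaultdict(list)
    for mod in modules:
        seen = set()
        for tid in mod.get("techniques", []):
            if not TECHNIQUE_RE.match(tid):
                raise ValueError(f"{mod['name']}: bad technique id {tid!r}")
            for key in (tid, parent_technique(tid)):
                if key not in seen:
                    index[key].append(mod)
                    seen.add(key)
    return index


def plan_coverage(index, plan, opsec_safe_only=False):
    """Return {'covered': {technique: [module names]}, 'gaps': [techniques]}.

    With opsec_safe_only=True, modules flagged opsec_safe: False are ignored,
    so a technique served only by a noisy module shows up as a gap.
    """
    covered, gaps = {}, []
    for tid in plan:
        candidates = index.get(tid, [])
        if opsec_safe_only:
            candidates = [m for m in candidates if m.get("opsec_safe")]
        if candidates:
            covered[tid] = sorted(m["name"] for m in candidates)
        else:
            gaps.append(tid)
    return {"covered": covered, "gaps": gaps}


def print_report(report):
    for tid, names in report["covered"].items():
        print(f"{tid}: {', '.join(names)}")
    for tid in report["gaps"]:
        print(f"{tid}: NO MODULE - needs a custom module or plugin")


if __name__ == "__main__":
    index = build_index(MODULES)
    plan = ["T1057", "T1003", "T1021.004", "T1566"]  # constructed plan
    print_report(plan_coverage(index, plan))
    print("-- opsec-safe modules only --")
    print_report(plan_coverage(index, plan, opsec_safe_only=True))
```

Loading the real module files instead of the inline records is a matter of walking Empire's module directory with a YAML loader and feeding the resulting dicts to `build_index`; the gap list is what tells a team which techniques in the plan will need a custom module or plugin before the engagement starts.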
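The post also mentions creating Empire listeners from Cobalt Strike malleable C2 profiles. To make concrete what a listener has to pull out of such a profile, here is an added example that is neither Empire's nor Cobalt Strike's code: a small recursive-descent parser for the common profile forms (`set name "value";`, `command "arg" ...;` and `name { ... }` blocks) and a function that reduces the parsed tree to the settings an HTTP listener needs. The profile text is constructed for this example and the field names of the resulting settings dict are this example's own choice.

```python
"""Parse the subset of malleable C2 profile syntax an HTTP listener needs and
reduce it to listener settings.

Added example; not Empire's or Cobalt Strike's code.  The sample profile is
constructed, and the settings keys returned are this example's own.
"""
import json
import re

# whitespace | # comment | "string" (group 1) | bare word (2) | { } ; (3)
TOKEN_RE = re.compile(r'\s+|#[^\n]*|"((?:[^"\\]|\\.)*)"|([A-Za-z0-9_.\-]+)|([{};])')


def tokenize(text):
    """Turn profile text into (kind, value) tokens, dropping comments."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.group(1) is not None:   # quoted string, unescape \" and \\
            tokens.append(("str", m.group(1).replace('\\"', '"').replace("\\\\", "\\")))
        elif m.group(2) is not None:
            tokens.append(("word", m.group(2)))
        elif m.group(3) is not None:
            tokens.append(("punct", m.group(3)))
    return tokens


class ProfileParser:
    """Builds nested dicts: {"set": {name: value}, "stmts": [(cmd, [args])],
    "children": {block name: block}}."""

    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def _advance(self):
        tok = self._peek()
        self.i += 1
        return tok

    def parse(self):
        return self._block(top_level=True)

    def _block(self, top_level=False):
        block = {"set": {}, "stmts": [], "children": {}}
        while True:
            kind, val = self._peek()
            if kind is None:
                if not top_level:
                    raise ValueError("unterminated block: missing '}'")
                return block
            if kind == "punct" and val == "}":
                if top_level:
                    raise ValueError("unexpected '}' at top level")
                self._advance()
                return block
            self._statement(block)

    def _statement(self, block):
        kind, name = self._advance()
        if kind != "word":
            raise ValueError(f"expected a keyword, got {name!r}")
        args = []
        while True:
            kind, val = self._advance()
            if kind in ("str", "word"):
                args.append(val)
            elif kind == "punct" and val == ";":
                break
            elif kind == "punct" and val == "{":   # http-get { } or http-get "variant" { }
                block["children"][" ".join([name] + args)] = self._block()
                return
            else:
                raise ValueError(f"unexpected {val!r} inside statement {name!r}")
        if name == "set":
            if len(args) != 2:
                raise ValueError("set expects exactly a name and a value")
            block["set"][args[0]] = args[1]
        else:
            block["stmts"].append((name, args))


def listener_settings(profile):
    """Reduce a parsed profile to what an HTTP listener must reproduce."""
    def section(name):
        for key, child in profile["children"].items():
            if key == name or key.startswith(name + " "):
                return child
        raise ValueError(f"profile has no {name} block")

    def client_headers(block):
        client = block["children"].get("client", {"stmts": []})
        return {a[0]: a[1] for cmd, a in client["stmts"] if cmd == "header" and len(a) == 2}

    get, post = section("http-get"), section("http-post")
    for name, blk in (("http-get", get), ("http-post", post)):
        if "uri" not in blk["set"]:
            raise ValueError(f"{name} block sets no uri")
    return {
        "user_agent": profile["set"].get("useragent"),
        "sleep_ms": int(profile["set"].get("sleeptime", "60000")),
        "get_uris": get["set"]["uri"].split(), "get_headers": client_headers(get),
        "post_uris": post["set"]["uri"].split(), "post_verb": post["set"].get("verb", "POST"),
        "post_headers": client_headers(post),
    }


SAMPLE_PROFILE = '''
# constructed profile for this example
set sleeptime "5000";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";
http-get {
    set uri "/api/v1/status /api/v1/health";
    client { header "Accept" "application/json"; metadata { base64url; parameter "session"; } }
    server { header "Content-Type" "text/html"; output { base64; prepend "<!DOCTYPE html>"; append "</html>"; print; } }
}
http-post {
    set uri "/api/v1/upload";
    set verb "POST";
    client { header "Content-Type" "application/octet-stream"; id { parameter "id"; } output { print; } }
    server { output { print; } }
}
'''

if __name__ == "__main__":
    print(json.dumps(listener_settings(ProfileParser(SAMPLE_PROFILE).parse()), indent=2))
```

The same parse serves the blue team: the URIs, user agent and client headers it extracts are exactly the network indicators a detection engineer would turn into a proxy or IDS rule for traffic shaped by that profile.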