PowerShell Empire - Salem73616C656D/reading-notes GitHub Wiki

Key Takeaways

Lightweight and Modular

Empire was released in 2015 at the BSides Las Vegas security conference to show how PowerShell could be used beyond the infection stage of an attack.

Its open-source nature and modular architecture allowed it to grow and fulfill the needs of offensive security teams, who saw in it an opportunity to test defenses by imitating attacks from real threat actors.

One of its major advantages is that it uses encrypted communication with the command and control server, which makes its traffic difficult to detect, especially in large networks.

An adversary can use Empire to control an agent planted on the compromised host and advance the attack from there. Later development removed the need for powershell.exe on the infected machine.

Over time, numerous exploit modules were added to the framework for various hacking needs, as was a Python agent for Linux and macOS systems.

Malicious Use

While it became a common tool for penetration testers, Empire was also embraced for malicious activities. Researchers saw it used by various threat groups, from nation-state hackers to financially driven ones.

APT group Hades used Empire in its Olympic Destroyer campaign during the 2018 edition of the Winter Olympics in South Korea.

At the end of 2018, the FIN7 cybercrime group also started to rely on the Empire framework, not just on the Cobalt Strike threat emulation software.

Threat actors also used it with increased frequency in high-profile ransomware incidents. Security researcher Vitali Kremez points to the Trickbot and Dridex botnets, which use Empire for network exploitation and lateral movement to deliver the Ryuk and BitPaymer file-encrypting malware. One example is the Trickbot-Ryuk partnership, which relied on the Empire toolkit to distribute the payload across the victim's network.

Vocabulary

Conclusion