Read 27 401 - jserpa-p/lisbon-ops-301n1_Reading GitHub Wiki
Persistence
Original purpose of PowerShell Empire and its tactical advantages
The PowerShell Empire project fulfilled its original purpose: demonstrating PowerShell's post-exploitation capabilities and raising awareness that advanced actors were using PowerShell for malicious operations. One of its major advantages is that it uses encrypted communication with its command and control server, which makes its traffic difficult to detect, especially in large networks. While it became a common tool for penetration testers, Empire was also embraced for malicious activity: researchers saw it used by various threat groups, from nation-state hackers to financially driven ones, and threat actors used it with increasing frequency in high-profile ransomware incidents.
Questions
- What are the four main components needed to pull off an attack using PS Empire?
Listener, Agent, Modules, Stagers.
- What are some of the APT groups that have been known to use PS Empire and into which step of the Cyber Kill Chain does the use of PS Empire fall?
Hades, FIN7, Trickbot and Dridex. PS Empire falls into the Execution step of the Cyber Kill Chain.
- What is one of the major advantages of PowerShell Empire?
It uses encrypted communication with the command and control server, which makes its traffic difficult to detect, especially in large networks.