401 Class 27: Persistence - nataliabdallah/codefellows-ops-reading-notes GitHub Wiki


Reading: PowerShell Empire No Longer Maintained

While no longer maintained by its original creator as of writing, PowerShell Empire has been forked many times and was used by nation-state actors from 2015 to 2019. The PowerShell Empire project is now actively maintained by BC Security. As you read this article, take note of its original purpose as well as the tactical advantages offered to its users.

What is one of the major advantages of PowerShell Empire?

  • Encryption of the activity that goes on in PowerShell, making it easier to hide.

What are some of the APT groups that have been known to use PS Empire and into which step of the Cyber Kill Chain does the use of PS Empire fall?

Emotet (TrickBot), Dridex botnets, Hades

What are the four main components needed to pull off an attack using PS Empire?

  1. A server-side component that listens for incoming connections from agents.
  2. Use Empire to control an agent planted on the compromised host and forward the attack.
  3. Further development removed the necessity of powershell.exe on the infected machine (modules allow for various actions, such as privilege escalation, lateral movement, persistence establishment, data exfiltration, and reconnaissance).
  4. Command and control infrastructure set up by the attacker to control compromised systems and exfiltrate data.

# Bookmark and Review

Hacking with Empire – PowerShell Post-Exploitation Agent