©2019 Security Unleashed | New Delhi

  • Animesh Gupta

Hacking with Empire – PowerShell Post-Exploitation Agent

Empire is a pure PowerShell post-exploitation agent” built on cryptologically-secure communications and a flexible architecture.

Empire – PowerShell Post-Exploitation Agent

Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.”


Listener: listener is a process which listens for a connection from the machine we are attacking. This helps Empire send the loot back to the attacker’s computer.

Stager: A stager is a snippet of code that allows our malicious code to be run via the agent on the compromised host.

Agent: An agent is a program that maintains a connection between your computer and the compromised host.

Module: These are what execute our malicious commands, which can harvest credentials and escalate our privileges as mentioned above.


  1. Creating a listener.

  2. Starting a listener.

  3. Launching a PowerShell code using launcher.

  4. Executing code on victim’s machine.

  5. Interacting with agent.

  6. Executing various modules.

  7. Bypassing UAC to get admin access.

Installing Empire Powershell to Kali Linux:

git clone https://github.com/EmpireProject/Empire.git

Now move into the installed directory and run install.sh file.

Wait for it to complete installation. This might take a few seconds. It will prompt you for a password, enter anything.

In my case, my password was empire123

Once the installation is done, move back a directory and run empire using ./empire

Help command opens up all the essential options required initially.

As our methodology states, we will be creating a listener for our local machine first


It will say that “no listeners are currently active” but don’t worry, we are into the listener interface now.

Now we use command :

uselistener http

Creates a listener on the local port 80. If port 80 is already busy by a service like apache, please make sure you stop that service.

Note: Whenever you double click on tab, all the available options will appear, just like in all of Linux.

Hence, uselistener <tab><tab> shows me all the listeners and so on like that


Execute command will execute the listener.

To view all active listeners , the command is listeners.

Next you need to generate a powershell script with the help of launcher by typing "launcher powershell http"

All we have to do now is copy this powershell code into victim’s command prompt using social engineering. Let’s assume we have access of victim’s command prompt and we copied our code into his cmd.

Go back to Empire Terminal and you will see that , a new active agent will be initialized.

To see all available agents, type "agents" which lists all out all agents with details like Name of the Agent (Randomly Generated Name),Internal IP, Machine Name,Username and Process etc.

Next you can rename this agent by typing, "rename <old agent name> <new agent name>" as shown below:

Lets try to interact with agent by typing "interact admin" and type info to view more information about target OS.

Now the high_integrity value of this agent is 0 which means you cannot run all administrative commands.

To elevate all privileges , you need to run one more module "bypassauc http" which will bypass all the restrictions.

Now go back and type list to view all agents again and we observe that an agent is created with some random name.

Repeat same step to rename newly created agent to have ease and to interact with this new agent.

Now type "info: command to view all necessary information and we observer "high_integrity" becomes 1 that means you are now a Super Admin.

Credential Harvesting

Type "creds" to retrieve all clear text passwords against your target.But it seems that it is empty.

Now we run "mimikatz" to extract all the credentials in a clear text format.

Mimikatz is a well known tool to extract plain text password,hash ,pin code and kerberos tickets from memory.

Now enter "creds" again to view all dumped credentials.

At this stage post exploitation is done , but you can do so many things with Empire.

Type "help" for more options.