Empire is a PowerShell framework that can run PowerShell agents without executing powershell.exe. It can be used to deploy post-exploitation modules and to evade detection.
Chris Ross, one of the developers of the framework, announced earlier this year that the tools were discontinued. He added that “The original objective of the Empire project was to demonstrate the post-exploitation capabilities of PowerShell and bring awareness to PowerShell attacks and we feel that we’ve accomplished that objective and are proud to see the security optics and improvements.”
New Empire 3.0
BC Security believes that the framework is still required, so they took the source of the framework and made significant changes. One of the most significant changes is the conversion from Python 2.7 to 3.x.
The release includes many new features along with the functionality from the Dev branch of the original Empire repository. Another notable improvement is the updated evasion capability, achieved by retiring the old components. The tool can be downloaded from GitHub.
“We have also updated the AMSI bypasses to reduce their size and change their signature. The Matt Graeber bypass is well known at this point and will cause Defender to flag on it without any obfuscation.”
Another notable feature is that Empire 3.0 includes the updated Mimikatz version 2.2.0, which allows attackers to launch attacks against Windows 10 machines.
“The update includes a new feature: the addition of Data Protection API (DPAPI) support for PowerShell PSCredential and SecureString.”
“We have implemented JA3/S randomization, but not JA3 randomization. The JA3 signature varies based on the listener used already, and unfortunately, to modify the signature typically requires Administrative privileges on the victim computer.”
BC Security said that they continue to provide regular updates as new research is published. They plan to incorporate C# modules into the framework, as well as other attack vectors, to implement function name aliasing and randomization, and to add a multi-user GUI.