
Empire post-exploitation Framework Tool Restored – Compatible with Python 2/3

Empire is a post-exploitation framework whose PowerShell agents run without ever launching powershell.exe. It is used to deploy post-exploitation modules on compromised hosts and to evade detection along the way.

One of the framework's developers, Chris Ross, announced earlier this year that the tool was being discontinued. He added: “The original objective of the Empire project was to demonstrate the post-exploitation capabilities of PowerShell and bring awareness to PowerShell attacks and we feel that we’ve accomplished that objective and are proud to see the security optics and improvements.”

New Empire 3.0

BC Security believes the framework is still needed, so they took the source of the framework and made significant changes. One of the most significant is the conversion from Python 2.7 to 3.x.

The release includes many new functions along with the functionality that had been merged into the Dev branch of the original Empire repository. Another notable improvement is updated evasion capability, with older, widely signatured components reworked. The tool can be downloaded from GitHub.

“We have also updated the AMSI bypasses to reduce their size and change their signature. The Matt Graeber bypass is well known at this point and will cause Defender to flag on it without any obfuscation.”
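The quote above makes a defender's point: the well-known reflection-based bypass is caught on sight, so attackers obfuscate it and detection has to look past simple string splitting. The following is an added example (not BC Security's code and not Microsoft's signature set) that normalizes PowerShell text by folding string concatenation and backtick escapes, then checks for indicator substrings that appear in the published bypass; the indicator list and the three sample scripts are constructed here for illustration.

```python
import re

# Substrings seen in the widely published reflection-based AMSI bypass and
# most of its derivatives. These are indicators chosen for this example;
# Defender's own signatures are not public.
AMSI_INDICATORS = (
    "amsiutils",
    "amsiinitfailed",
    "amsiscanbuffer",
    "amsicontext",
    "system.management.automation.amsi",
)

# Matches 'a' + "b" (either quote style on each side) so it can be folded.
_CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")


def normalize(script: str) -> str:
    """Undo two cheap obfuscations: backtick escapes and string concatenation.

    Limitations (deliberate, to keep the example small): the -f format
    operator, -replace, -join and char-code tricks are not unwound.
    """
    s = script.replace("`", "")          # A`ms`i -> Amsi inside double quotes
    s = re.sub(r"\s+", " ", s)
    prev = None
    while prev != s:                     # fold 'Am'+'si'+"Utils" -> 'AmsiUtils'
        prev = s
        s = _CONCAT.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", s)
    return s.lower()


def find_amsi_indicators(script: str):
    """Return the indicators present in the normalized script, in list order."""
    text = normalize(script)
    return [ind for ind in AMSI_INDICATORS if ind in text]


def raw_indicators(script: str):
    """Same check without normalization, to show what naive matching misses."""
    text = script.lower()
    return [ind for ind in AMSI_INDICATORS if ind in text]


# Constructed sample inputs.
BENIGN = "Get-Process | Where-Object { $_.CPU -gt 100 } | Select-Object Name, Id"
PLAIN = (
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
    ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
)
# Same call, split with concatenation and a backtick; double quotes are used
# where the backtick appears because single-quoted strings do not escape.
OBFUSCATED = (
    "[Ref].Assembly.GetType('System.Management.Automation.' + 'Amsi' + \"Ut`ils\")"
    ".GetField('amsiInit' + 'Failed','NonPublic,Static').SetValue($null,$true)"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("plain", PLAIN), ("obfuscated", OBFUSCATED)):
        print(f"{name:10s} raw={raw_indicators(sample)} normalized={find_amsi_indicators(sample)}")
```

The point of the two functions side by side is that the obfuscated variant yields nothing to the raw check but the same three indicators as the plain one once normalized; anything that defeats this normalizer (format operators, runtime string building) needs a different approach, such as AMSI's own view of the script at execution time or script block logging.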

Empire 3.0 also bundles an updated Mimikatz, version 2.2.0, which keeps its credential-extraction modules working against current Windows 10 builds.

“The update includes a new feature: the addition of Data Protection API (DPAPI) support for PowerShell PSCredential and SecureString.”

“We have implemented JA3/S randomization, but not JA3 randomization. The JA3 signature varies based on the listener used already, and unfortunately, to modify the signature typically requires Administrative privileges on the victim computer.”
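To make the quote concrete: JA3 hashes fields the client chooses in its ClientHello (version, cipher suite order, extension order, curves, point formats), while JA3S hashes what the server answers with (version, the one selected cipher, extension order). A listener controls the second set, which is why BC Security can randomize JA3S server-side but not JA3. The following is an added example, not Empire code, that parses both handshake messages and computes the two fingerprint strings; the ClientHello and ServerHello bytes are constructed inline (including GREASE values, which JA3 ignores) rather than captured from real traffic.

```python
import hashlib


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ...) are excluded from JA3/JA3S."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _u16s(data: bytes):
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data) - 1, 2)]


def _dash(values) -> str:
    return "-".join(str(v) for v in values)


def _handshake_body(record: bytes, expected_type: int) -> bytes:
    """Strip the 5-byte TLS record header and 4-byte handshake header."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if hs[0] != expected_type:
        raise ValueError(f"expected handshake type {expected_type}, got {hs[0]}")
    hs_len = int.from_bytes(hs[1:4], "big")
    return hs[4:4 + hs_len]


def _parse_extensions(buf: bytes, off: int):
    """Yield (type, data) pairs; `off` points at the 2-byte extensions length."""
    exts = []
    if off + 2 > len(buf):
        return exts
    end = off + 2 + int.from_bytes(buf[off:off + 2], "big")
    off += 2
    while off + 4 <= end:
        etype = int.from_bytes(buf[off:off + 2], "big")
        elen = int.from_bytes(buf[off + 2:off + 4], "big")
        exts.append((etype, buf[off + 4:off + 4 + elen]))
        off += 4 + elen
    return exts


def ja3_string(client_hello_record: bytes) -> str:
    """SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats"""
    body = _handshake_body(client_hello_record, 1)
    version = int.from_bytes(body[0:2], "big")
    off = 2 + 32 + 1 + body[34]                          # version, random, session id
    cs_len = int.from_bytes(body[off:off + 2], "big"); off += 2
    ciphers = [c for c in _u16s(body[off:off + cs_len]) if not is_grease(c)]
    off += cs_len
    off += 1 + body[off]                                 # compression methods
    ext_types, curves, formats = [], [], []
    for etype, edata in _parse_extensions(body, off):
        if is_grease(etype):
            continue
        ext_types.append(etype)
        if etype == 10:                                  # supported_groups
            curves = [g for g in _u16s(edata[2:]) if not is_grease(g)]
        elif etype == 11:                                # ec_point_formats
            formats = list(edata[1:])
    return ",".join([str(version), _dash(ciphers), _dash(ext_types), _dash(curves), _dash(formats)])


def ja3s_string(server_hello_record: bytes) -> str:
    """SSLVersion,Cipher,Extensions (the server-controlled side)."""
    body = _handshake_body(server_hello_record, 2)
    version = int.from_bytes(body[0:2], "big")
    off = 2 + 32 + 1 + body[34]
    cipher = int.from_bytes(body[off:off + 2], "big"); off += 2
    off += 1                                             # compression method
    ext_types = [t for t, _ in _parse_extensions(body, off) if not is_grease(t)]
    return ",".join([str(version), str(cipher), _dash(ext_types)])


def ja3_hash(fingerprint: str) -> str:
    return hashlib.md5(fingerprint.encode()).hexdigest()


# --- constructed sample messages (not captured traffic) ---------------------
def _ext(etype: int, data: bytes) -> bytes:
    return etype.to_bytes(2, "big") + len(data).to_bytes(2, "big") + data


def _record(hs_type: int, body: bytes) -> bytes:
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


def build_client_hello(ciphers, curves) -> bytes:
    cs = b"".join(c.to_bytes(2, "big") for c in ciphers)
    groups = b"".join(g.to_bytes(2, "big") for g in curves)
    exts = (_ext(0x0A0A, b"")                                   # GREASE, ignored by JA3
            + _ext(0, b"\x00\x0e\x00\x00\x0bexample.com")        # server_name
            + _ext(10, len(groups).to_bytes(2, "big") + groups)  # supported_groups
            + _ext(11, b"\x01\x00")                             # ec_point_formats
            + _ext(13, b"\x00\x04\x04\x03\x08\x04")             # signature_algorithms
            + _ext(43, b"\x02\x03\x04"))                        # supported_versions
    body = (b"\x03\x03" + bytes(32) + b"\x00" + len(cs).to_bytes(2, "big") + cs
            + b"\x01\x00" + len(exts).to_bytes(2, "big") + exts)
    return _record(1, body)


def build_server_hello(cipher: int, extension_types=(43, 51)) -> bytes:
    payload = {43: b"\x03\x04", 51: b"\x00\x1d\x00\x20" + bytes(32)}
    exts = b"".join(_ext(t, payload.get(t, b"")) for t in extension_types)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + cipher.to_bytes(2, "big") + b"\x00"
            + len(exts).to_bytes(2, "big") + exts)
    return _record(2, body)


CLIENT_HELLO = build_client_hello([0x1301, 0x1302, 0x0A0A, 0xC02B, 0xC02F],
                                  [0x0A0A, 0x001D, 0x0017, 0x0018])
SERVER_HELLO = build_server_hello(0x1301)

if __name__ == "__main__":
    print("JA3 :", ja3_string(CLIENT_HELLO), ja3_hash(ja3_string(CLIENT_HELLO)))
    print("JA3S:", ja3s_string(SERVER_HELLO), ja3_hash(ja3s_string(SERVER_HELLO)))
    # Reordering the server's extensions changes JA3S while JA3 is untouched.
    print("JA3S (reordered):", ja3s_string(build_server_hello(0x1301, (51, 43))))
```

Run it and compare the two server outputs: a listener can vary extension order or the selected cipher per connection and every JA3S changes, whereas the JA3 string depends on the agent's TLS stack on the victim, which is what the quote means by needing privileges on that host to alter.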

BC Security said it will continue to provide regular updates as new research is published, and plans to incorporate C# modules into the framework, along with other attack vectors, function-name aliasing and randomization, and a multi-user GUI.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
