Lateral Movement Frameworks: PowerShell Empire

PowerShell Empire is an example of a post exploitation or lateral movement tool. It is designed to allow an attacker (or penetration tester) to move around a network after gaining initial access. Other examples of these tools include Cobalt Strike and Metasploit. Empire can also be used to generate malicious documents and executables for social engineering access to networks.

The PowerShell Empire framework (Empire) was designed as a legitimate penetration testing tool in 2015. Empire acts as a framework for continued exploitation once an attacker has gained access to a system.

The tool provides an attacker with the ability to escalate privileges, harvest credentials, exfiltrate information and move laterally across a network. These capabilities make it a powerful exploitation tool. Because it is built on a common, legitimate application (PowerShell) and can operate almost entirely in memory, Empire can be difficult to detect on a network using traditional antivirus tools.

In use

PowerShell Empire has become increasingly popular among hostile state actors and organised criminals. In recent years we have seen it used in cyber incidents globally across a wide range of sectors.

Initial exploitation methods vary between compromises, and actors can configure the Empire Framework uniquely for each scenario and target.

This, in combination with the wide range of skill and intent within the Empire user community, means that ease of detection will vary. Nonetheless, having a greater understanding and awareness of this tool is a step forward in defending against its use by malicious actors.

Capabilities

Empire enables an attacker to carry out a range of actions on a victim’s machine and implements the ability to run PowerShell scripts without needing ‘powershell.exe’ to be present on the system. Its communications are encrypted and its architecture flexible.

Empire uses ‘modules’ to perform more specific, malicious actions. These provide attackers with a customisable range of options to pursue their goals on the victim's systems. These include escalation of privileges, credential harvesting, host enumeration, key-logging and the ability to move laterally across a network.

Empire’s ease of use, flexible configuration and ability to evade detection make it a popular choice for actors of varying abilities.

Examples

During an incident in February 2018, a UK energy sector company was compromised by an unknown actor. This compromise was detected through Empire’s beaconing activity, using the tool's default profile settings. Weak credentials on one of the victim’s administrator accounts are believed to have provided the actor with initial access to the network.

In early 2018, an unknown actor used Winter Olympics themed socially engineered emails and malicious attachments in a spear phishing campaign targeting several South Korean organisations. This attack had an additional layer of sophistication, making use of Invoke-PSImage, a tool that will encode any PowerShell script into an image.

In December 2017, the hostile actor APT19 targeted a multinational law firm with a targeted phishing campaign. APT19 used obfuscated PowerShell macros embedded within Word documents generated by Empire.

Our cyber security authorities are also aware of Empire being used to target academia. In one reported instance, an actor attempted to use Empire to gain persistence using a Windows Management Instrumentation (WMI) event consumer. However, in this instance the Empire agent was unsuccessful in establishing network connections due to the HTTP connections being blocked by a local security appliance.

Detection and protection

Identifying malicious PowerShell activity can be difficult, due to the prevalence of legitimate PowerShell on hosts and its increased use in maintaining a corporate environment.

To identify potentially malicious scripts, PowerShell activity should be comprehensively logged. This should include script block logging and PowerShell transcripts.

Older versions of PowerShell should be removed from environments to ensure that they cannot be used to circumvent additional logging and controls added in more recent versions of PowerShell. The Digital Shadows blogFootnote 9 provides a good summary of PowerShell security practices.

The code integrity features in recent versions of Windows can be used to limit the functionality of PowerShell, preventing or hampering malicious PowerShell in the event of a successful intrusion.

A combination of script code signing, application whitelisting and constrained language mode will prevent or limit the effect of malicious PowerShell in the event of a successful intrusion. These controls will also impact legitimate scripts and it is strongly advised that they be thoroughly tested before deployment.

When organisations profile their PowerShell usage, they often find it is only used legitimately by a small number of technical staff. Establishing the extent of this legitimate activity will make it easier to monitor and investigate suspicious or unexpected PowerShell usage elsewhere on the network.

Date modified: