Empire

Empire is a post-exploitation command-and-control (C2) framework designed for red team operations. It deploys and manages agents written in PowerShell, Python, C#, Go, and C across Windows, Linux, and macOS, using encrypted communication channels over HTTP, HTTPS, and SMB. The framework executes over 400 built-in modules for reconnaissance, privilege escalation, credential theft, and lateral movement, and provides a modular engine for authoring custom attack modules.

What sets Empire apart is its multi-language agent deployment system, which allows operators to choose implants that suit each target environment, including lightweight Go agents for Windows and cross-platform Python and C agents. Communication is protected by a two-stage key exchange and AES-encrypted packets, and malleable communication profiles let operators alter beacon traffic patterns to mimic specific threat actors. Empire also emphasizes evasion, with features such as reflective memory execution, payload obfuscation using ConfuserEx and Invoke-Obfuscation, PowerShell protection bypasses, and JA3/JARM fingerprint randomization.

The framework exposes a REST API for automation, enabling integration with external tools and scripted workflows. Its plugin system extends functionality with custom event hooks, data filters, and lifecycle triggers. Agents support remote command execution, file transfer, SOCKS proxy tunneling, and task monitoring, while listener and stager management is fully configurable. Empire includes a web GUI and CLI for multi-operator collaboration, with access control via token-based authentication and IP allow/deny lists.

Features

Post-Exploitation Frameworks - Executes over 400 built-in modules for reconnaissance, privilege escalation, credential theft, and lateral movement.

Agent Session Management - Manages agent session lifecycle including check-in history, metadata updates, archiving, and task management.

Agent Task Execution - Maintains continuous communication with the command server, receives tasks, executes commands, and reports results.

C2 Listener Servers - Configures encrypted communication channels with multiple listener types and enables multi-operator collaboration.

C2 Infrastructure Managers - Manages listeners, agents, and encrypted channels for remote command and control.

HTTP C2 Messaging - Empire uses HTTP requests to exchange command-and-control data with the server, with customizable headers and endpoints.

Listener Lifecycle Managers - Empire creates, updates, enables, disables, and deletes listeners, validating options against the chosen listener template.

Listener Setups - Empire creates a listener to handle agent callbacks, supporting HTTP/HTTPS and configurable timing and duration settings.

Software Implant Systems - Deploys and manages implants written in PowerShell, Python, C#, Go, and C across Windows, Linux, and macOS targets.

Arbitrary - Executes shell commands, PowerShell scripts, .NET assemblies, and Beacon Object Files on target systems.

C2 Packet Processing - Manages packet creation, encryption, decryption, and network communication for secure C2 transmission.

Encrypted C2 Protocols - Implements a two-stage key exchange and AES-encrypted packets for secure C2 communication.

Multi-Language Implant Deployments - Deploys agents in PowerShell, Python, C#, Go, and C across Windows, Linux, and macOS.

Remote Command Execution - Sends operating system commands to remote systems and returns output, with optional alias bypass.

Multi-Language Implant Deployments - Deploys agent payloads in multiple languages (PowerShell, Python, C#, Go) on compromised hosts.

Post-Exploitation Module Deployments - Searches, configures, and deploys over 400 built-in modules against one or multiple agents simultaneously.

Agent Communication Protocols - Implements encrypted packet-based communication for agent-to-server tasking and metadata exchange.

Agent-Server File Transfers - Empire downloads saved stagers, agent files, and task results from the server, and uploads arbitrary files for module use.

Secure Communication Channels - Maintains encrypted communication channels over HTTP, HTTPS, and SMB for relaying commands and responses.

Multi-Language Agent Runtimes - Deploys agents in PowerShell, Python, C#, Go, and C for post-exploitation across Windows, Linux, and macOS.

Multi-Language Script Execution - Executes PowerShell, Python, .NET assemblies, and custom object files using a flexible execution system.

Two-Stage Key Exchanges - Establishes encrypted communications between the control server and agents using a two-stage key exchange.

Compromised Host Management - Provides a graphical interface for multi-operator coordination and control of agents on compromised systems over encrypted C2 channels.

Harvested Credential Stores - Creates, reads, updates, and deletes credential entries harvested automatically from agent tasks.

Agent-Server Key Exchanges - Provides a two-stage key exchange to establish encrypted communication between agents and the command server.

Malleable C2 Traffic Profiles - Applies scripted profiles to alter beacon traffic patterns and mimic specific threat actor footprints.

Encrypted Channel Managers - Manages encrypted communication channels over HTTP/HTTPS and SMB with malleable profiles and JA3/JARM randomization.

Multi-Stage Payload Delivery - Produces lightweight stagers that deliver full agent payloads in a multi-stage sequence.

HTTP/HTTPS Data Exchanges - Empire relays data between agents and the server using HTTP and HTTPS GET/POST requests on configurable ports.

Post-Exploitation Toolkits - Executes over 400 built-in modules for reconnaissance, privilege escalation, credential theft, and lateral movement.

Security Payload Generators - Generates shellcode from .NET assemblies and compiles C# payloads for red team operations.

Agent Configurations - Configures agent timing parameters such as delay, jitter, and kill date to control persistence and behavior.

Stageless - Generates ready-to-run agents by combining all execution stages into a single file without additional network fetches.

Post-Exploitation Module Configurators - Configures module parameters, selects language, reviews security notes, and chooses execution mode.

Multi-Operator Coordination - Empire coordinates multiple operators on a shared server with encrypted communication and diverse listener protocols.

Module Classifications - Empire tags each module with tactic, technique, and software identifiers for mapping adversary behavior.

IronPython Scripting Environments - Runs Python scripts within the .NET framework via IronPython, bypassing restrictions on native Python interpreters.

REST APIs - Controls all framework operations programmatically via a RESTful API for external tool integration.

C2 Automation Interfaces - Provides a programmable REST interface to automate agent operations and integrate with external tools.

Security Automation APIs - Integrates with external tools and automates operations via a REST API for security automation.

Remote Task Execution Modules - Sends pre-built scripts to remote systems with configurable arguments and optional version or privilege checks.

Agent Deployments - Deploys lightweight Go-based agents for Windows systems, optimized for performance and portability.

CLI and Web GUI Operation Interfaces - Offers both a command-line interface and a web-based GUI for agent control, module execution, and activity monitoring.

C# Implant Deployments - Ships a .NET-based C# implant for post-exploitation on Windows targets.

Go Implant Deployments - Deploys a lightweight Go-based agent on Windows that uses reflective loading and AES-encrypted HTTP communication.

PowerShell Implant Deployments - Deploys the original PowerShell-based agent for Windows post-exploitation.

Python Implant Deployments - Deploys Python-based agents for post-exploitation on Linux and macOS targets.

Agent File Management - Empire uploads and downloads files to and from the target and lists directory contents in JSON format.

HTTP-Tunneled SOCKS Proxies - Sets up SOCKS proxies on chosen ports to route traffic through remote systems' network connections.

Beacon Object File Executions - Executes compiled Beacon Object Files with architecture-specific binary paths and entry points.

Hot Module Reloaders - Reloads module definitions from source files without restarting the server.

Generation Hooks - Empire hooks into the module generation pipeline to allow custom logic that accesses internal framework capabilities.

Direct Script Imports - Imports and runs PowerShell or Python scripts directly, bypassing the need to create a dedicated module.

PowerShell Module Development - Empire creates PowerShell attack modules by defining required and optional parameters in a YAML template.

Python Module Development - Empire creates a red team operation module in Python, using templated variable substitution to inject user-provided options.

C# Compilers - Compiles C# payloads on demand using an external compiler for deployment.

In-Memory Compilers - Compiles and runs C# code in memory with configurable compiler settings and target framework versions.

Cross-Platform Binary Generation - Cross-compiles standalone C binaries for Windows and Linux for agent deployment.

PowerShell Policy Bypasses - Bypasses detection systems by injecting evasion techniques into PowerShell command-line instructions.

Profile Management - Empire creates, reads, updates, deletes, and reloads C2 communication profiles via a REST API.

Payload Obfuscation - Obfuscates PowerShell and C# payloads using a configurable engine with keyword replacement and AMSI bypasses.

Multi-Technique Obfuscation Engines - Bypasses detection with obfuscation, memory execution, and custom JA3/JARM signatures.

Module Execution Controllers - Views available post-exploitation modules and enables or disables them to control execution.

Reflective Memory Executions - Runs agents and .NET assemblies in memory using reflective loading to evade disk-based detection.

Detection Evasion - Obfuscates payloads with ConfuserEx and Invoke-Obfuscation, executes .NET assemblies in memory, and bypasses JA3/JARM fingerprinting.

Module Definitions - Empire defines module behavior, options, and metadata using YAML configuration files for flexible customization.

C2 Module Management - Enables or disables sets of modules simultaneously via bulk API requests.

Plugin Execution Engines - Lists available plugins and executes them with automatic parameter validation.

System Information Summaries - Gathers operating system details, running processes, user identity, and network configuration from remote machines.

Module Catalogs - Lists all available modules with details and retrieves individual module information by identifier.

Task Status Monitors - Checks task status as they move from creation to completion, with updates on each stage.

Event-Driven Plugin Hooks - Registers custom functions that execute as side effects on framework events like agent check-in or task completion.

Command and Control - Post-exploitation framework with multi-platform agent support.

C2 Frameworks - Post-exploitation and adversary simulation framework.

Command And Control Frameworks - Post-exploitation framework supporting multiple agent types and operating systems.

BC-SECURITYEmpireFork

Features

Star history