Stagers 101 (Empire) : https://www.powershellempire.com/?page_id=104

Empire implements various stagers in a modular format in ./lib/stagers/*. These include dlls, macros, one-liners, and more, and are described in detail below. To use a stager, from the main, listeners, or agents menu, useusestager <tab> to tab-complete the set of available stagers, and you’ll be taken to the individual stager’s menu. The UI here functions similarly to the post module menu, i.e set/unset/info and generate to generate the particular output code.

$empire\_stager\_menu$

For UserAgent and proxy options, default uses the system defaults, none clears that option from being used in the stager, and anything else is assumed to be a custom setting (note, this last bit isn’t properly implemented for proxy settings yet). From the Listeners menu, you can run the launcher [listener ID/name] alias to generate the stage0 launcher for a particular listener (this is the stagers/launcher module in the background). This command can be run from a command prompt on any machine to kick off the staging process. (NOTE: you will need to right click cmd.exe and choose “run as administrator” before pasting/running this command if you want to use modules that require administrative privileges). Our PowerShell version of BypassUAC module is in the works but not 100% complete yet.

All modules have aListeneroption that’s tab-completable with the currently registered active listeners, and most have anOutFileargument as well. If OutFile isn’t required, setting it to an empty string will cause the stager to be displayed to the screen.

Stager Modules

Below is a description of the currently built Empire stager modules.

Launcher

Thelauncher stager (./lib/stagers/launcher.py) is probably the most used stager module, and generates a one-liner stage0 launcher for an Empire agent. By default, a base64-encoded (-enc_) version of the one-liner in generated, with default proxy/UserAgent settings. These can be changed through its various options. This module is the code behind the *_launcher ** alias from the listeners menu.

Options:

standard Listener and OutFile (not required)
Base64 – if True, generate a base64-encoded (-enc *) version of the launcher, otherwise generate normal PowerShell code
UserAgent – User-agent string to use for the staging request. Can be set to default (uses Empire database default), none (clears any UA), or other text which is set at the UA.
Proxy – Proxy to use for request. Can be set to default (uses system defaults), none (clears any proxy), or custom server.
ProxyCreds – Proxy credentials ([domain]username:password) to use for request. Can be set to default (uses system defaults), none (clears any proxy creds), or custom credentials.

Launcher BAT

Thelauncher_bat stager (./lib/stagers/launcher_bat.py) generates a self-deleting .BAT file that executes a one-liner stage0 launcher for an Empire agent. The base64-encoded (-enc *) version of the one-liner in used, with default proxy/UserAgent settings.

Options:

standard Listener and OutFile (not required)
Delete – if True, the .BAT file deletes itself after execution.
UserAgent – User-agent string to use for the staging request. Can be set to default (uses Empire database default), none (clears any UA), or other text which is set at the UA.
Proxy – Proxy to use for request. Can be set to default (uses system defaults), none (clears any proxy), or custom server.
ProxyCreds – Proxy credentials ([domain]username:password) to use for request. Can be set to default (uses system defaults), none (clears any proxy creds), or custom credentials.

Launcher VBS

Thelauncher_vbs stager (./lib/stagers/launcher_vbs.py) generates a .VBS file that executes a one-liner stage0 launcher for an Empire agent. This can be executed in the background of a system withC:\Windows\System32\WScript.exe /NoLogo /B launcher.vbs.

Options:

standard Listener and OutFile (not required)
UserAgent – User-agent string to use for the staging request. Can be set to default (uses Empire database default), none (clears any UA), or other text which is set at the UA.
Proxy – Proxy to use for request. Can be set to default (uses system defaults), none (clears any proxy), or custom server.
ProxyCreds – Proxy credentials ([domain]username:password) to use for request. Can be set to default (uses system defaults), none (clears any proxy creds), or custom credentials.

Macro

Themacrostager (./lib/stagers/macro.py) generates an office macro that launches an Empire stager. This macro can be embedded into any office document for the purposes of phishing.

Options:

standard Listener and OutFile (not required)
UserAgent – User-agent string to use for the staging request. Can be set to default (uses Empire database default), none (clears any UA), or other text which is set at the UA.
Proxy – Proxy to use for request. Can be set to default (uses system defaults), none (clears any proxy), or custom server.
ProxyCreds – Proxy credentials ([domain]username:password) to use for request. Can be set to default (uses system defaults), none (clears any proxy creds), or custom credentials.

PTH-wmis

Thepth_wmis stager (./lib/stagers/pth_wmis.py) generates a Bash script that executes that executes a one-liner stage0 launcher using pth-wmis on a number of target machines.

Options:

standard Listener and OutFile (required)
Target – comma-separated target list
Username – [domain/]username used to execute the command on remote targets
Password – password used to execute the command on remote targets
UserAgent – User-agent string to use for the staging request. Can be set to default (uses Empire database default), none (clears any UA), or other text which is set at the UA.
Proxy – Proxy to use for request. Can be set to default (uses system defaults), none (clears any proxy), or custom server.
ProxyCreds – Proxy credentials ([domain]username:password) to use for request. Can be set to default (uses system defaults), none (clears any proxy creds), or custom credentials.

DLL

Thedll stager (./lib/stagers/dll.py) generates a reflectively-injectable MSF-compliant .DLL that loads up the .NET runtime into a process and execute a download-cradle to stage an Empire agent. These .DLLs are the key to running Empire in a process that’s not powershell.exe. Using these .DLLs with Metasploit isdescribed here.

Options:

standard Listener and OutFile (required)
Arch – determines the architecture of the .DLL being generated. Values can be x86 or x64

hop.php

Thehop_phpmodule (./lib/stagers/hop_php.py) generates a hop.php redirector for a relevant Empire listener. This module takes a valid existing listener, patches in the necessary resource/header information into the base ./data/misc/hop.php file, and spits everything out to a file. The use of this hop.php file is described here.

Options:

standard Listener and OutFile (required)

Ducky

Theducky module (./lib/stagers/ducky.py) generates aRubber Ducky script that launches an Empire stager.

Options:

standard Listener and OutFile (required)

Using PowerShell Empire with a Trusted Certificate : https://www.blackhillsinfosec.com/using-powershell-empire-with-a-trusted-certificate/

Empire - Stagers

Stagers 101 (Empire) : https://www.powershellempire.com/?page_id=104

Stager Modules

Launcher

Launcher BAT

Launcher VBS

Macro

PTH-wmis

DLL

hop.php

Ducky

results matching ""

No results matching ""