Empire Red Teaming Tool Updated With Enhanced Agents and API Support

The BC-SECURITY team has announced a significant update to its core offensive security framework, Empire. This update introduces enhanced agent capabilities and comprehensive API support, aiming to streamline post-exploitation operations and adversary emulation for Red Teams and penetration testers globally.

Enhanced Features and Capabilities

The latest version of Empire features a server/client architecture designed for multiplayer support, allowing distributed teams to work seamlessly across complex engagements. The framework ensures fully encrypted communications and supports various listener types, such as HTTP/S, Malleable HTTP, OneDrive, Dropbox, and PHP listeners. This variety offers operators flexible command-and-control options suitable for diverse network environments.

The update adds to Empire’s extensive arsenal, now supporting over 400 tools across PowerShell, C#, and Python modules. Key integrations include tools like Mimikatz for credential extraction, Seatbelt for host reconnaissance, Rubeus for Kerberos manipulation, and Certify for Active Directory Certificate Services exploitation.

The framework includes Donut integration for advanced shellcode generation, and its modular plugin interface allows for customization of server features based on specific operational needs. Security evasion capabilities have been enhanced with integrated obfuscation using ConfuserEx 2 and Invoke-Obfuscation, as well as JA3/S and JARM evasion techniques to bypass advanced network monitoring solutions.

Empire supports in-memory .NET assembly execution and customizable bypasses to ensure minimal forensic footprints during engagements. Its diverse agent support includes PowerShell, Python 3, C#, IronPython 3, and Go implementations, ensuring cross-platform compatibility for persistent access across various environments, from Windows domain controllers to Linux-based cloud infrastructure.

The MITRE ATT&CK integration provides a structured mapping of tactics and techniques, enabling alignment of testing methodologies with established threat modeling frameworks. The integrated Roslyn compiler, adapted from the Covenant project, facilitates dynamic code compilation and execution without external dependencies.

Installation and Deployment

Empire supports installation across Docker, Kali Linux, ParrotOS, Ubuntu 20.04/22.04, and Debian 10/11/12 distributions. The quickstart process involves recursive cloning to ensure all submodules are initialized:

git clone --recursive https://github.com/BC-SECURITY/Empire.git

cd Empire

For stable operation, teams should check out the latest tagged release before installing and launching the server:

./setup/checkout-latest-tag.sh

./ps-empire install -y

# Launch the Empire server
./ps-empire server

# Access help documentation
./ps-empire server -h

Organizations using the sponsors version benefit from enhanced Starkiller integration, which requires SSH credentials for GitHub access to the private repositories. The Starkiller web application provides a graphical interface and communicates with Empire via its REST API. As of version 5.0, Starkiller is available as a packaged git submodule, simplifying setup requirements.

The GUI integration allows for mixed environments where Starkiller and traditional Empire clients can operate simultaneously, offering flexibility for teams with varying technical expertise levels.

Empire provides comprehensive documentation through the Empire Wiki, and active community support is available via the official Discord channel. The project’s contribution guidelines encourage community development, with detailed instructions on the GitHub repository. Installation documentation, advanced configuration options, and operational guidance are accessible through the BC-SECURITY GitBook.