PowerShell Empire Container Task
Overview
The PowerShell Empire container task is built with BC Security's fork of PowerShell Empire.
The source code for the PowerShell Empire container task is available here: https://github.com/havocsh/havoc-attack-containers/tree/main/powershell_empire
The container image for the PowerShell Empire container task is available here: https://gallery.ecr.aws/havoc_sh/powershell_empire
Launching a PowerShell Empire Container Task
To launch a PowerShell Empire container task as an ECS task within the AWS account of your ./havoc deployment, use the task_startup
or run_task
command:
task_startup --task_name=<task_name> --task_type=powershell_empire --task_host_name=<task_host_name> --task_domain_name=<task_domain_name> --portgroups=<portgroup1,portgroup2,...> --end_time=<time_string>
run_task --task_name=<task_name> --task_type=powershell_empire --task_host_name=<task_host_name> --task_domain_name=<task_domain_name> --portgroups=<portgroup1,portgroup2,...> --end_time=<time_string>
To launch a PowerShell Empire container task as a remote container task on any system that can run Docker containers, use the docker run
command:
sudo docker run -d \
--name=<container-name> \
--network host \
--cap-add SYS_ADMIN \
-e "LOCAL_IP=$(hostname -I)" \
-e "CAMPAIGN_ID=<campaign-id>" \
-e "USER_ID=<campaign-user-id>" \
-e "TASK_NAME=<task-name>" \
-e "TASK_CONTEXT=<task-context>" \
-e "REMOTE_TASK=true" \
-e "API_KEY=<api-key>" \
-e "SECRET=<secret>" \
-e "API_DOMAIN_NAME=<api-domain-name>" \
-e "API_REGION=<api-region>" \
public.ecr.aws/havoc_sh/powershell_empire:latest \
/usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
Refer to the Usage Through CLI Console and Usage Through SDK pages for more details about the run_task
and docker run
commands.
Available Commands
These commands are available to be passed as the instruct_command
in the instruct_task
method call. The sub-bullets under the commands are the arguments for the command that should be passed in the instruct_args
parameter. See the Usage Through CLI Console and Usage Through SDK pages for more details on how to use instruct_args
.
get_listeners
- returns all current Empire listeners or an individual listener specified byName
.Name
- the name of listener to return. This parameter is optional.
get_listener_options
- returns the listener options for the given listener type.listener_type
- the listener type to return options for.
create_listener
- creates a listener with the specified parameters.listener_type
- the listener type to create.Name
- a unique name to assign to the listener.- any additional options enumerated from
get_listener_options
.
kill_listener
- kills the listener with the given name.Name
- the name of the listener to kill.
kill_all_listeners
- kills all listeners.get_stagers
- returns all current Empire stagers and options or an individual stager specified byStagerName
.StagerName
- the name of the stager to return. This parameter is optional.
create_stager
- returns the Empire stager specified by parameters.Listener
- the name of the listener for the stager to connect to.StagerName
- a unique name to associate with the stager.- any additional options enumerated from
get_stagers
.
get_agents
- returns all current Empire agents or an individual agent specified byName
.Name
- the name of the agent to return.
get_stale_agents
- returns all 'stale' Empire agents (past checkin window).remove_agent
- removes the agent specified byName
(doesn't kill first).Name
- the name of the agent to remove.
remove_stale_agents
- removes all 'stale' Empire agents (past checkin window).agent_shell_command
- tasks the agent specified byName
to run the given shell command.Name
- the name of the agent to task with a command.command
- the shell command to task the agent with.
get_shell_command_results
- retrieves results of shell commands executed by the given agent specified in theName
parameter.Name
- the name of the agent to retrieve shell command results from.
clear_queued_shell_commands
- clears the queued commands for the agent specified byName
.Name
- the name of the agent to clear commands on.
rename_agent
- renames the agent specified byName
.Name
- the current name of the agent to be renamed.Newname
- the new name to give to the agent to be renamed.
kill_agent
- tasks the agent specified byName
to exit.Name
- the name of the agent to kill.
kill_all_agents
- tasks all agents to exit.get_modules
- returns all current Empire modules or an individual module specified byName
.Name
- the module name to return. This parameter is optional.
search_modules
- Searches all module fields for the given term.term
- the term to search for.
execute_module
- tasks an agent to execute a module.Agent
- the name of the agent to execute the module on.Name
- the name of the module to task the agent with.
get_stored_credentials
- returns all credentials currently stored in an Empire server.get_logged_events
- returns all logged events or all events of a specific type as specified byevent_type
.event_type
- the event type to return events for.
cert_gen
- generate a self-signed certificate that can be used with an http listener.subj
- the SSL certificate subject to apply to the certificate. The subject value must follow the format expected by openssl's -subj parameter. Specify eithersubj
ordomain
but not both.domain
- the domain to use when requesting a Let's Encrypt certificate (note that the domain must be registered with your ./HAVOC campaign through the create_domain command). Specify eitherdomain
orsubj
but not both.test_cert
- indicate whether or not to request a test certificate from Let's Encrypt (True|False).Note that PowerShell Empire does not have an "https" listener type. If you use any of the "http" listener types and set the host parameter to "https://<listener.host>:<port>" and designate the "CertPath" as "/opt/Empire/empire/server/data/" (the directory that contains the certificate generated by this command), PowerShell Empire will automatically know to use https for any sessions associated with that listener.
echo
- get an arbitrary response from the container task (can be used to check if the container is responsive to commands).sync_from_workspace
- download all files from the Campaign's workspace to the local workspace directory on the container task.Note that this will overwrite any existing files with the same name in the container task's local workspace.
sync_to_workspace
- upload all files from the container task's local workspace directory to the Campaign's workspace.Note that this will overwrite any existing files with the same name in the Campaign's workspace.
download_from_workspace
- download a specific file from the Campaign's workspace to the container task's local workspace directory.file_name
- the name of the file to be downloaded.Note that this will overwrite any existing file with the same name in the container task's local workspace.
upload_to_workspace
- upload a specific file from the container task's local workspace directory to the Campaign's workspace.file_name
- the name of the file to be uploaded.Note that this will overwrite any existing file with the same name in the Campaign's workspace.
ls
- list files of the container task's local shared directory.del
- delete a file from the container task's local shared directory.file_name
- the name of the file to be deleted.
terminate
- instruct the container task to shutdown.
Updated about 1 year ago