What's the point of Empire if all payloads get flagged?



  • I've been reading about how powerful frameworks such as Empire and Metasploit are, but I'm confused about something.

    Say I gain access through a custom reverse shell that I coded myself (so it bypasses AVs). Now, for privilege escalation, I want to have a Meterpreter/Empire session.

    How can I do that if the generated payload gets instantly removed by the AV?



  • PowerShell Empire passed out of active development in April 2019, in part due to the problem of defenses catching up with it:

    "The original objective of the Empire project was to demonstrate the post-exploitation capabilities of PowerShell and bring awareness to PowerShell attacks used by (at the time) more advanced adversaries," said Chris Ross, one of Empire's lead developers.

    "We feel that we've accomplished that objective and are proud to see the security optics and improvements that have been provided by Microsoft in the past few years; in addition to the increased focus the EDR [Endpoint Detection and Response] community has placed on PowerShell based attacks.

    "With that in mind, the project's time has passed and newer frameworks with better capabilities have been released," Ross added. "So it's time to say farewell to Empire. We will not be updating or maintaining the project any further."

    As a high-profile attack tool, it received significant attention from defenders. Likewise, Metasploit is tracked by many tools and is prone to detection as a result. For these reasons, writing custom code is popular with attackers and Red Teams alike.

    You will need to find more obscure C2 code, or write your own, if you want to evade detection.


