{"description": "Enterprise techniques used by Empire, ATT&CK software S0363 (v1.8)", "name": "Empire (S0363)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[Empire](https://attack.mitre.org/software/S0363) includes various modules to attempt to bypass UAC for escalation of privileges.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1134", "comment": "[Empire](https://attack.mitre.org/software/S0363) can use [PowerSploit](https://attack.mitre.org/software/S0194)'s Invoke-TokenManipulation to manipulate access tokens.(Citation: Github PowerShell Empire)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1134.002", "comment": "[Empire](https://attack.mitre.org/software/S0363) can use Invoke-RunAs to make tokens.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1134.005", "comment": "[Empire](https://attack.mitre.org/software/S0363) can add a SID-History to a user if on a domain controller.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "[Empire](https://attack.mitre.org/software/S0363) can acquire local and domain user account information.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087.002", "comment": "[Empire](https://attack.mitre.org/software/S0363) can acquire local and domain user account information.(Citation: Github PowerShell Empire)(Citation: SecureWorks August 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1557", "showSubtechniques": true}, {"techniqueID": "T1557.001", "comment": "[Empire](https://attack.mitre.org/software/S0363) can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.(Citation: Github PowerShell Empire)(Citation: GitHub Inveigh)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Empire](https://attack.mitre.org/software/S0363) can conduct command and control over protocols like HTTP and HTTPS.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "comment": "[Empire](https://attack.mitre.org/software/S0363) can ZIP directories on the target system.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1119", "comment": "[Empire](https://attack.mitre.org/software/S0363) can automatically gather the username, domain name, machine name, and other information from a compromised system.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1020", "comment": "[Empire](https://attack.mitre.org/software/S0363) has the ability to automatically send collected data back to the threat actors' C2.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Empire](https://attack.mitre.org/software/S0363) can modify the registry run keys HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for persistence.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547.005", "comment": "[Empire](https://attack.mitre.org/software/S0363) can enumerate Security Support Providers (SSPs) as well as utilize [PowerSploit](https://attack.mitre.org/software/S0194)'s Install-SSP and Invoke-Mimikatz to install malicious SSPs and log authentication events.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547.009", "comment": "[Empire](https://attack.mitre.org/software/S0363) can persist by modifying a .LNK file to include a backdoor.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1217", "comment": "[Empire](https://attack.mitre.org/software/S0363) has the ability to gather browser data such as bookmarks and visited sites.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1115", "comment": "[Empire](https://attack.mitre.org/software/S0363) can harvest clipboard data on both Windows and macOS systems.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "comment": "[Empire](https://attack.mitre.org/software/S0363) uses a command-line interface to interact with systems.(Citation: Github PowerShell Empire)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Empire](https://attack.mitre.org/software/S0363) leverages PowerShell for the majority of its client-side agent tasks. [Empire](https://attack.mitre.org/software/S0363) also contains the ability to conduct PowerShell remoting with the Invoke-PSRemoting module.(Citation: Github PowerShell Empire)(Citation: NCSC Joint Report Public Tools)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Empire](https://attack.mitre.org/software/S0363) has modules for executing scripts.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1136", "showSubtechniques": true}, {"techniqueID": "T1136.001", "comment": "[Empire](https://attack.mitre.org/software/S0363) has a module for creating a local user if permissions allow.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1136.002", "comment": "[Empire](https://attack.mitre.org/software/S0363) has a module for creating a new domain user if permissions allow.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[Empire](https://attack.mitre.org/software/S0363) can utilize built-in modules to modify service binaries and restore them to their original state.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[Empire](https://attack.mitre.org/software/S0363) can use modules that extract passwords from common web browsers such as Firefox and Chrome.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1484", "showSubtechniques": true}, {"techniqueID": "T1484.001", "comment": "[Empire](https://attack.mitre.org/software/S0363) can use New-GPOImmediateTask to modify a GPO that will install and execute a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053).(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1482", "comment": "[Empire](https://attack.mitre.org/software/S0363) has modules for enumerating domain trusts.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1114", "showSubtechniques": true}, {"techniqueID": "T1114.001", "comment": "[Empire](https://attack.mitre.org/software/S0363) has the ability to collect emails on a target system.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[Empire](https://attack.mitre.org/software/S0363) can use TLS to encrypt its C2 channel.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.008", "comment": "[Empire](https://attack.mitre.org/software/S0363) can leverage WMI debugging to remotely replace binaries like sethc.exe, Utilman.exe, and Magnify.exe with cmd.exe.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[Empire](https://attack.mitre.org/software/S0363) can send data gathered from a target through the command and control channel.(Citation: Github PowerShell Empire)(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1567", "showSubtechniques": true}, {"techniqueID": "T1567.001", "comment": "[Empire](https://attack.mitre.org/software/S0363) can use GitHub for data exfiltration.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1567.002", "comment": "[Empire](https://attack.mitre.org/software/S0363) can use Dropbox for data exfiltration.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1068", "comment": "[Empire](https://attack.mitre.org/software/S0363) can exploit vulnerabilities such as MS16-032 and MS16-135.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1210", "comment": "[Empire](https://attack.mitre.org/software/S0363) has a limited number of built-in modules for exploiting remote SMB, JBoss, and Jenkins servers.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Empire](https://attack.mitre.org/software/S0363) includes various modules for finding files of interest on hosts and network shares.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1615", "comment": "[Empire](https://attack.mitre.org/software/S0363) includes various modules for enumerating Group Policy.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[Empire](https://attack.mitre.org/software/S0363) contains modules that can discover and exploit various DLL hijacking opportunities.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.004", "comment": "[Empire](https://attack.mitre.org/software/S0363) has a dylib hijacker module that generates a malicious dylib given the path to a legitimate dylib of a vulnerable application.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.007", "comment": "[Empire](https://attack.mitre.org/software/S0363) contains modules that can discover and exploit path interception opportunities in the PATH environment variable.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.008", "comment": "[Empire](https://attack.mitre.org/software/S0363) contains modules that can discover and exploit search order hijacking vulnerabilities.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.009", "comment": "[Empire](https://attack.mitre.org/software/S0363) contains modules that can discover and exploit unquoted path vulnerabilities.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "[Empire](https://attack.mitre.org/software/S0363) can timestomp any files or payloads placed on a target machine to help them blend in.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Empire](https://attack.mitre.org/software/S0363) can upload and download to and from a victim machine.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[Empire](https://attack.mitre.org/software/S0363) includes keylogging capabilities for Windows, Linux, and macOS systems.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1056.004", "comment": "[Empire](https://attack.mitre.org/software/S0363) contains some modules that leverage API hooking to carry out tasks, such as netripper.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[Empire](https://attack.mitre.org/software/S0363) contains a variety of enumeration modules that have an option to use API calls to carry out tasks.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1046", "comment": "[Empire](https://attack.mitre.org/software/S0363) can perform port scans from an infected host.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "[Empire](https://attack.mitre.org/software/S0363) can find shared drives on the local system.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1040", "comment": "[Empire](https://attack.mitre.org/software/S0363) can be used to conduct packet captures on target hosts.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.010", "comment": "[Empire](https://attack.mitre.org/software/S0363) has the ability to obfuscate commands using Invoke-Obfuscation.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": "[Empire](https://attack.mitre.org/software/S0363) contains an implementation of [Mimikatz](https://attack.mitre.org/software/S0002) to gather credentials from memory.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Empire](https://attack.mitre.org/software/S0363) can find information about processes running on local and remote systems.(Citation: Github PowerShell Empire)(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "[Empire](https://attack.mitre.org/software/S0363) contains multiple modules for injecting into processes, such as Invoke-PSInject.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.003", "comment": "[Empire](https://attack.mitre.org/software/S0363) can utilize Invoke-DCOM to leverage remote COM execution for lateral movement.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.004", "comment": "[Empire](https://attack.mitre.org/software/S0363) contains modules for executing commands over SSH as well as in-memory VNC agent injection.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[Empire](https://attack.mitre.org/software/S0363) has modules to interact with the Windows task scheduler.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[Empire](https://attack.mitre.org/software/S0363) is capable of capturing screenshots on Windows and macOS systems.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Empire](https://attack.mitre.org/software/S0363) can enumerate antivirus software on the target.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1558", "showSubtechniques": true}, {"techniqueID": "T1558.001", "comment": "[Empire](https://attack.mitre.org/software/S0363) can leverage its implementation of [Mimikatz](https://attack.mitre.org/software/S0002) to obtain and use golden tickets.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1558.002", "comment": "[Empire](https://attack.mitre.org/software/S0363) can leverage its implementation of [Mimikatz](https://attack.mitre.org/software/S0002) to obtain and use silver tickets.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1558.003", "comment": "[Empire](https://attack.mitre.org/software/S0363) uses [PowerSploit](https://attack.mitre.org/software/S0194)'s Invoke-Kerberoast to request service tickets and return crackable ticket hashes.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Empire](https://attack.mitre.org/software/S0363) can enumerate host system information like OS, architecture, domain name, applied patches, and more.(Citation: Github PowerShell Empire)(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Empire](https://attack.mitre.org/software/S0363) can acquire network configuration information like DNS servers, public IP, and network proxies used by a host.(Citation: Github PowerShell Empire)(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[Empire](https://attack.mitre.org/software/S0363) can enumerate the current network connections of a host.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Empire](https://attack.mitre.org/software/S0363) can enumerate the username on targeted hosts.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[Empire](https://attack.mitre.org/software/S0363) can use [PsExec](https://attack.mitre.org/software/S0029) to execute a payload on a remote host.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1127", "showSubtechniques": true}, {"techniqueID": "T1127.001", "comment": "[Empire](https://attack.mitre.org/software/S0363) can use built-in modules to abuse trusted utilities like MSBuild.exe.(Citation: Github PowerShell Empire)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552", "showSubtechniques": true}, {"techniqueID": "T1552.001", "comment": "[Empire](https://attack.mitre.org/software/S0363) can use various modules to search for files containing passwords.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.004", "comment": "[Empire](https://attack.mitre.org/software/S0363) can use modules like Invoke-SessionGopher to extract private key and session information.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1550", "showSubtechniques": true}, {"techniqueID": "T1550.002", "comment": "[Empire](https://attack.mitre.org/software/S0363) can perform pass the hash attacks.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1125", "comment": "[Empire](https://attack.mitre.org/software/S0363) can capture webcam data on Windows and macOS systems.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "[Empire](https://attack.mitre.org/software/S0363) can use Dropbox and GitHub for C2.(Citation: Github PowerShell Empire)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[Empire](https://attack.mitre.org/software/S0363) can use WMI to deliver a payload to a remote host.(Citation: Github PowerShell Empire) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Empire", "color": "#66b1ff"}]}