Using Core Impact with PowerShell Empire

This video discusses the integration between Core Impact and PowerShell Empire and how you can use these two tools together.

 

 

Core Impact Workspace Set Up for PowerShell Empire

Core Impact and PowerShell Empire can be used together to further penetrate a organization’s network. To start, you’ll need to set up a Core Impact workspace with a target environment and an agent on the vagrant box at .40. This is an active non-persistent agent.

Image
Core Impact Workstation PowerShell Empire Set Up

 

PowerShell Empire Server Set Up

You’ll also need a server up and running Powershell Empire. To begin the set up, you’ll need to start up a listener.

Image
PowerShell Empire Server Set Up

 

PowerShell Agents

Now you’ll need to go to the agents menu to see if there are any active agents in Powershell. In this example they are not, so you’ll use Core Impact since you do have an agent over there.

Image
PowerShell Agent Screen

 

Go to “modules” in Core Impact and search for “Empire” to see all the models for Powershell Empire. First you’ll want to deploy a Powershell Empire Agent. Simply select the "Deploy PowerShell Empire Agent" module and drop it onto your agent(0).

Image
Core Impact PowerShell Empire Module Screen

 

It will then prompt you for address information and credentials. The address needs to point to your Powershell Empire box, so you’ll want to enter the appropriate credentials. Make sure the “Listener” is the listener you recently set up.

Image
Core Impact PowerShell Empire Credentials Screen

 

Check Progress

You can now leverage Core Impact by checking the module log to track progress. You can also use the terminal to see if the agent is active. If done correctly, from you just installed a Powershell Empire agent on a box that you already had a Core Impact agent installed on.

Image
Core Impact and PowerShell Empire Progress Logs

 

Agent Interaction

The next step is to interact with the agent in Powershell Empire. In this example we are running mimikatz.

Image
PowerShell Agent Interaction Screen

 

Credential Harvesting

You can now take a look at what credentials you have discovered. We will use the information to conduct a jump using the usernames and passwords discovered. 

Image
Core Impact PowerShell Empire Harvesting Credentials Screen

 

Lateral Movement

You can conduct a jump using the usernames and passwords you recently discovered. Using Powershell Empire you’ll want to utilize the “usemodule lateral movement” command from the agent.

Image
PowerShell Empire Lateral Movement Screen

 

Now you’ll have additional agents in Powershell Empire and you can use the “Install Agent Using Powershell Empire Agent” module in Core Impact using the Powershell Empire agent you just found. Core Impact will contact the Powershell Empire agent that we just moved to and deployed.

Image
Core Impact Install PowerShell Agent Screen
Image
Core Impact New PowerShell Empire Agent Installed