Development stops on PowerShell Empire framework after project reaches its goal

Everybody knows that PowerShell can be used for malware now. No need for Empire to exist.
Written by Catalin Cimpanu, Contributor
Empire framework logo

Development of the PowerShell Empire framework, a well-known penetration-testing tool, has stopped this week after its creators said the project reached its initial goal.

Started by several respected members of the infosec community, the project was set off the ground in 2015 after multiple nation-state hacking groups began using Microsoft's PowerShell scripting language as part of their normal malware arsenals and mode of operations.

At the time, nation-state hacking groups were using PowerShell to create fileless malware that runs in a computer's memory, without leaving any traces on disk, and using PowerShell scripts as a post-exploitation vector for moving through networks and inside workstations without triggering any security alerts.

Because PowerShell is installed by default on all Windows 7 and later versions, at the time, the app was trusted by all security products, many of which did not detect Powershell-based attacks.

To address this problem, Empire's authors modeled the project to work similarly to most malware architectures -- meaning a PowerShell agent that runs on an "infected" computers and a server-side command-and-control system for controlling the agent.

A favorite among pen-testers and hackers alike

The project gained a following in the infosec community, where security researchers, penetration testers, and system administrators would often deploy the Empire framework on networks to see if current defenses and security software would be able to detect any attacks or post-exploitation activity.

Across time, the Empire framework gained the ability to run PowerShell scripts without needing the powershell.exe, addedd modules for deploying various other hacking tools or additional capabilities, and even a Python component for running on Mac and Linux systems.

The tool gained a massive following and respect in the infosec community because it wasn't just another bland penetration testing utility, but one that was closely modeled to mimick the tactics of actual adversaries.

"PowerShell Empire is a unique attack framework in that its capabilities and behaviors closely resemble those used by current nation state advanced persistent threat actors," a 2018 SANS white paper on Empire said.

"That is to say that Empire is effective at evading security solutions, operating in a covert manner, and enabling attackers' total control over compromised systems.

"Of particular note is Empire's command and control traffic," the white paper continues. "Empire C2 traffic is asynchronous, encrypted, and designed to blend in with normal network activity. These characteristics in particular make it exceptionally difficult for defenders to identify PowerShell Empire C2 traffic in the enterprise. As such, it is likely that Empire will only increase in popularity amongst attackers, particularly as the framework continues to evolve and mature."

And this, unfortunately, came true. While Empire played a crucial role in raising attention to the growing use of PowerShell among system administrators, it was also adopted by bad guys.

Hacking groups like APT10, FIN7, APT29, and others, also implemented it into their arsenal.

Empire's use among cybercriminals has grown so much in the past few years that in lae 2018, the UK's National Cyber Security Center included Empire on its shortlist of the five most dangerous publicly available hacking tools -- together with JBiFrost, Mimikatz, China Chopper, and HTran.

Microsoft and AV industry reacted

However, as time went by, and as more and more hacking groups started shifting operations towards (ab)using PowerShell, the cybersecurity industry reacted by developing modern tools that do a better job at detecting PowerShell threats, including those developed on the Empire framework itself.

"The original objective of the Empire project was to demonstrate the post-exploitation capabilities of PowerShell and bring awareness to PowerShell attacks used by (at the time) more advanced adversaries," said Chris Ross, one of Empire's lead developers.

"We feel that we've accomplished that objective and are proud to see the security optics and improvements that have been provided by Microsoft in the past few years; in addition to the increased focus the EDR [Endpoint Detection and Response] community has placed on PowerShell based attacks.

"With that in mind, the project's time has passed and newer frameworks with better capabilities have been released," Ross added. "So it's time to say farewell to Empire. We will not be updating or maintaining the project any further."

However, Empire was not the only one of its kind. In the past years, similar PowerShell-based penetration testing tools have emerged, such as Apfell, Covenant, Silver, and Faction.

The world's most famous and dangerous APT (state-developed) malware

Related malware and cybercrime coverage:

Editorial standards