Staging
Empire uses an Encrypted Key Exchange (EKE) mechanism to securely establish communications between the control server and agents. In previous versions, the key negotiation was handled exclusively with RSA, but the modern implementation has been adapted to support multiple agent types, including PowerShell, C#, Python, IronPython, and Go.
Key points in the staging process:
The PowerShell agent uses RSA-based key exchange.
The C#, Python, IronPython, and Go agents use Diffie-Hellman (DH) key exchange.
A pre-shared key (PSK) is used to encrypt the routing packet with RC4.
Stage 1 involves session key negotiation and establishing an encrypted channel.
Stage 2 delivers the full agent to start beaconing.
The agent initiates communication by making a request to the control server at a predefined URI. The staging key (pre-shared key) is sent with the request.
The server returns a stager script (e.g., stager.ps1 for PowerShell). This stager is case-randomized and RC4-encrypted with the pre-shared key.
The agent generates an RSA key pair (PowerShell) or performs a Diffie-Hellman key exchange (other agents). The encrypted public key is sent to the server. The server returns the session ID and an AES session key, encrypted for the agent.
The agent decrypts the AES session key and gathers system information. This system information is encrypted and sent to the server. The server responds with the full agent, patched with configuration details (e.g., key, beacon delay, routing info). The agent registers and starts beaconing for tasking.

This updated process ensures more secure and flexible key exchanges while maintaining strong encryption across multiple agent types.
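The routing packet mentioned in the key points above is the one piece of every staging message that is protected only by the pre-shared staging key and RC4, so it is the part an analyst who has recovered a staging key (for example from a captured stager during incident response) can read without any session key. The following Python is an added illustrative model written for this page, not Empire's own code: the exact field layout (8-byte session ID, 1-byte language ID, 1-byte metadata ID, 2-byte spare field, 4-byte payload length, with a 4-byte random IV prepended to the staging key) is an assumption made for the example, the staging key and packet contents are constructed, and `build_routing_packet`, `parse_routing_packet` and `flip_language_bit` are hypothetical helper names. The last helper shows the caveat a defender should keep in mind: RC4 under a PSK gives confidentiality against parties without the key, but no integrity, so a flipped ciphertext bit silently changes a decoded field.

```python
import os
import struct

# Constructed 32-byte staging key for the demo (a real server generates its own).
STAGING_KEY = b"ExampleStagingKey_32_bytes_long!"

# Assumed header layout for this example (little-endian):
#   8s = session ID, B = language ID, B = metadata ID, H = spare, I = payload length
HEADER_FMT = "<8sBBHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 16 bytes
IV_LEN = 4                                # random IV prepended to the key


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: keystream XOR, so encryption and decryption are identical."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_routing_packet(staging_key: bytes, session_id: bytes, language: int,
                         meta: int, payload: bytes, iv: bytes = None) -> bytes:
    """Agent side: IV || RC4(IV || PSK, header) || payload (payload encrypted elsewhere)."""
    if len(session_id) != 8:
        raise ValueError("session ID must be exactly 8 bytes")
    iv = iv if iv is not None else os.urandom(IV_LEN)
    header = struct.pack(HEADER_FMT, session_id, language, meta, 0, len(payload))
    return iv + rc4(iv + staging_key, header) + payload


def parse_routing_packet(staging_key: bytes, packet: bytes) -> dict:
    """Server/analyst side: recover the routing header with nothing but the PSK."""
    if len(packet) < IV_LEN + HEADER_LEN:
        raise ValueError("packet too short for IV + routing header")
    iv = packet[:IV_LEN]
    header = rc4(iv + staging_key, packet[IV_LEN:IV_LEN + HEADER_LEN])
    session_id, language, meta, _spare, length = struct.unpack(HEADER_FMT, header)
    payload = packet[IV_LEN + HEADER_LEN:]
    # A wrong PSK decrypts to garbage; the length check catches that almost always,
    # but note there is no MAC, so this is a sanity check, not an integrity check.
    if len(payload) != length:
        raise ValueError("payload length does not match routing header (wrong key?)")
    return {"session_id": session_id, "language": language,
            "meta": meta, "payload": payload}


def flip_language_bit(packet: bytes) -> bytes:
    """Demonstrates the missing-integrity caveat: XOR one ciphertext bit of the
    language field (header offset 8) and the decoded field changes undetected."""
    data = bytearray(packet)
    data[IV_LEN + 8] ^= 0x01
    return bytes(data)


if __name__ == "__main__":
    pkt = build_routing_packet(STAGING_KEY, b"ABCDEFGH", 1, 2, b"payload!")
    print(parse_routing_packet(STAGING_KEY, pkt))
    print(parse_routing_packet(STAGING_KEY, flip_language_bit(pkt)))
```

Parsing the same packet with any other key raises the length-mismatch error, which is why a leaked staging key matters so much more than a leaked session key: one PSK exposes the routing metadata of every agent that stages through that listener.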