LogoLogo
EmpireStarkillerBlogDiscord
  • Empire
  • Quickstart
    • Installation
    • Server
  • Starkiller
    • Introduction
    • Agent Tasks
  • Listeners
    • Dropbox
    • OneDrive
    • HTTP
    • Malleable C2
  • Stagers
    • multi_generate_agent
  • Plugins
    • Development
      • Imports
      • Lifecycle Hooks
      • Execution
      • Hooks and Filters
      • Plugin Tasks
      • Notifications
      • Database Usage
      • Settings
      • Migration
  • Modules
    • Autorun Modules
    • Module Development
      • PowerShell Modules
      • Python Modules
      • C# Modules
      • BOF Modules
  • Agents
    • Python
      • Main Agent Class
      • Stage Class
      • Packet Handler Class
      • Extended Packet Handler Class
    • Go
      • Main Agent Class
      • Packet Handler Class
      • Main.go Template
    • Staging
  • RESTful API
  • Settings
    • Logging
    • Bypasses
    • IP Filtering
Powered by GitBook
On this page
  • Defining the script
  • Advanced
  • Custom Generate
  • String Formatting

Was this helpful?

  1. Modules
  2. Module Development

PowerShell Modules

PreviousModule DevelopmentNextPython Modules

Last updated 1 year ago

Was this helpful?

The will help guide through the fields needed for writing a simple module. Of course, not every module will fit the simplest case. There are advanced options that we will discuss below.

The property options is a list of the options that can be set for the module at execution time. All modules must contain an option called Agent. Additional options go in the options list after the Agent argument. If the argument is required for execution, set required: true, and if a default value is warranted, set value. The has an example of this.

When Empire boots up, it loads all module yamls found in the modules directory. If there are any missing fields or misconfigurations, the module won't load and a warning will print to the console.

Defining the script

script: For most scripts, simply pasting the script into the yaml is good enough.

script: |
  Function Invoke-Template {

  }

script_path: For longer scripts, or scripts that are shared between multiple modules, it is recommended to put the text file into the empire/server/data/module_source directory and reference it like so:

script_path: 'empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1'

The above example comes from the

script_end: In most cases the script_end will simply be a call to to the powershell function with a mustache template variable called $PARAMS. {{ PARAMS }} is where Empire will insert the formatted options.

script_end: Invoke-Function {{ PARAMS }}

There are functions that require the script_end to be customized a bit further. For example: the one found in

script_end: Invoke-Kerberoast {{ PARAMS }} | fl | {{ OUTPUT_FUNCTION }} | %{$_ + "`n"};"`nInvoke-Kerberoast completed!

Advanced

Custom Generate

custom_generate: For complex modules that require custom code that accesses Empire logic, such as lateral movement modules dynamically generating a listener launcher, a custom "generate" function can be used. To tell Empire to utilize the custom generate function, set advanced.custom_generate: true

advanced:
  custom_generate: true

The python file should share the same name as the yaml file. For example Invoke-Assembly.yaml and Invoke-Assembly.py The generate function is a static function that gets passed 5 parameters:

  • main_menu: The main_menu object that gives the module access to listeners, stagers, and just about everything else it might need

  • module: The module, loaded from the yaml. In case we need to check properties like opsec_safe, background, etc.

  • params: The execution parameters. At this point, Empire has already validated the parameters provided are the correct parameters for this module, and that the required parameters are there.

  • obfuscate: Whether to obfuscate the code

  • obfuscation_command: The command to use to obfuscate the code

It returns the generated code to be run by the agent as a string.

The generate function should treat these parameters as read only, to not cause side effects.

class Module(object):
    @staticmethod
    def generate(
        main_menu: MainMenu,
        module: EmpireModule,
        params: dict,
        obfuscate: bool = False,
        obfuscation_command: str = "",
    ):

Examples of modules that use this custom generate function:

Error Handling

If an error occurs during the execution of the generate function and it goes unchecked, the client will receive a 500 error.

There are two Exceptions that can be raised by the generate function: ModuleValidationException: This exception should be raised if the module fails validation. This will return a 400 error to the client with the error message. ModuleExecutionException: This exception should be raised if the module fails execution. This will return a 500 error to the client with the error message.

raise ModuleValidationException("Error Message")
raise ModuleExecutionException("Error Message")

Deprecated

Previously, it was recommended that the generate function return a tuple of the script and the error. handle_error_message was provided as a helper function to handle this tuple.

This is no longer recommended, but is still supported. Please migrate away from the tuple return type to raising exceptions. The tuple return type will be removed in a future major release.

Functions

get_module_source is used pull the script from the yaml file defined in script_path. Once the script has been loaded, it will determine if obfuscation is enabled and obfuscate it.

finialize_module will combine the script and script_end into a single script and then will apply obfuscation, if it is enabled.

Decorators

@auto_get_source is a decorator that will automatically call get_module_source and pass the script to the decorated function. To use this decorator, the function must have a script kwarg and the script_path must be set in the yaml config.

@staticmethod
@auto_get_source
def generate(
    main_menu: MainMenu,
    module: EmpireModule,
    params: dict,
    obfuscate: bool = False,
    obfuscation_command: str = "",
    script: str = "",
):
    # do stuff
    ...

# The above is the equivalent of:
@staticmethod
def generate(
    main_menu: MainMenu,
    module: EmpireModule,
    params: dict,
    obfuscate: bool = False,
    obfuscation_command: str = "",
):
    # read in the common module source code
    script, err = main_menu.modulesv2.get_module_source(
        module_name=module.script_path,
        obfuscate=obfuscate,
        obfuscate_command=obfuscation_command,
    )

    if err:
        return handle_error_message(err)

    # do stuff
    ...

@auto_finalize is a decorator that will automatically call finalize_module on the returned script from the decorated function.

To use this decorator, the function must not utilize the deprecated tuple return type or the handle_error_message function. First migrate the function to raise exceptions before using this decorator.

@staticmethod
@auto_finalize
def generate(
    main_menu: MainMenu,
    module: EmpireModule,
    params: dict,
    obfuscate: bool = False,
    obfuscation_command: str = "",
):
    # Do stuff

    return script, script_end

# The above is the equivalent of:
@staticmethod
def generate(
    main_menu: MainMenu,
    module: EmpireModule,
    params: dict,
    obfuscate: bool = False,
    obfuscation_command: str = "",
):
    # Do stuff

    script, script_end = main_menu.modulesv2.finalize_module(
        script=script,
        script_end=script_end,
        obfuscate=obfuscate,
        obfuscate_command=obfuscation_command,
    )

    return script

String Formatting

option_format_string: This tells Empire how to format all of the options before injecting them into the script_end. In most cases, the default option format string will be fine: -{{ KEY }} "{{ VALUE }}".

option_format_string_boolean: This tells Empire how to format boolean parameters when True. In most cases, the default format string will be fine: -{{ KEY }}.

options:
  - name: Agent
    description: Agent to run module on.
    required: true
    value: ''
  - name: Command
    description: Use available Rubeus commands as a one-liner.
    required: false
    value: ''
script_path: 'empire/server/data/module_source/credentials/Invoke-Rubeus.ps1'
script_end: "Invoke-Rubeus -Command \"{{ PARAMS }}\""
advanced:
  option_format_string: "{{ VALUE }}"
  option_format_string_boolean: ""
  - name: Username
    name_in_code: u
    description: Username to use, if you want to use alternate credentials to run. Must
      use with -p and -d flags, Misc)
    required: false
    value: ''
  - name: Password
    name_in_code: p
    description: Plaintext password to use, if you want to use alternate credentials
      to run. Must use with -u and -d flags
    required: false
    value: ''

suggested_values: A list of suggested values can be provided for an option. These values will be available in the CLI and Starkiller as autocomplete values.

strict: If true, the option validator will check that the value chosen matches a value from the suggested values list.

type: If a type is defined, the API will automatically validate the option value against the type. The following types are supported:

  • bool

  • int

  • float

  • str

  • file

A 'file' option type should be an integer that corresponds to the download id of a file already on the empire server. The API will automatically validate that the file exists. If a custom_generate function is used, the whole database object for the file will be passed to the function.

Note: Starkiller will automatically give file options with a dropdown or upload. File options have not yet been implemented in the client. It is recommended to use Starkiller.

OUTPUT_FUNCTION: Some PowerShell modules have an option named OutputFunction that converts the output to json, xml, etc. The OutputFunction option can be inserted anywher in the script and script_end by using {{ OUTPUT_FUNCTION }}.

  • If a module uses a custom_generate function, it needs to perform this substitution on its own.

is an example of a module that overwrites the option_format_string, since it only has one parameter Command and deviates from the default:

name_in_code: There may be times when you want the display name for an option in Starkiller/CLI to be different from how it looks in the module's code. For this, you can use name_in_code such as in the

An example of this in a yaml can be seen in .

powershell_template.yaml
prompt module
logonpasswords module.
Invoke-Kerberoast
bypassuac_eventvwr
invoke_assembly
seatbelt
Rubeus
sharpsecdump module
sherlock