Server

The Server configuration is managed via empire/server/config.yaml.

Once launched, Empire checks for user write permissions on paths specified in config.yaml. If the current user does not have write permissions on these paths, ~/.empire will be set as fallback parent directory and the configuration file will be updated as well. If empire-priv.key and empire-chain.pem are not found in ~/.local/share/empire directory, self-signed certs will be generated.

• suppress-self-cert-warning - Suppress the http warnings when launching an Empire instance that uses a self-signed cert.

• api - Configure the RESTful API.

ip - The IP address to bind the API and Starkiller to. port - The port to bind the API and Starkiller to. secure - Enable HTTPS for the API and Starkiller. Browsers will not work with self-signed certs. Uses .key and .pem file from empire/server/data

api:
  ip: 0.0.0.0
  port: 1337
  secure: false

• database - Configure Empire's database. Empire utilizes MySQL by default for high performance database operations. It can be configured to use sqlite for more lightweight implementations if required For more info on the database, see the Database section.

MySQL supports customizing the default url, username, password, and database name. By default these are set to

database:
  use: mysql
  mysql:
    url: localhost:3306
    username: empire_user
    password: empire_password
    database_name: empire

If using SQLite the database location is customizable with the default setting:

database:
  use: sqlite
  sqlite:
    location: empire/server/data/empire.db

The defaults block defines the properties that are initially loaded into the database when it is first created. These include the staging key, default user and password and obfuscation settings.

database:
  defaults:
    # staging key will first look at OS environment variables, then here.
    # If empty, will be prompted (like Empire <3.7).
    staging-key: RANDOM
    username: empireadmin
    password: password123
    # The default configuration for global obfuscation.
    obfuscation:
      - language: powershell
        enabled: false
        command: "Token\\All\\1"
        module: "invoke-obfuscation"
        preobfuscatable: true
      - language: csharp
        enabled: false
        command: ""
        module: "confuser"
        preobfuscatable: false
    ip_allow_list: []
    ip_deny_list: []
    keyword_obfuscation:
      - Invoke-Empire
      - Invoke-Mimikatz

• empire_compiler - Configure the Empire Compiler module. This block manages settings for the Empire Compiler, which is responsible for handling C# compilation tasks.

archive: The URL to the Empire Compiler archive. The {{platform}} variable will be replaced with the current platform/architecture. (e.g. linux-amd64, linux-arm64)

empire_compiler:
  archive: https://github.com/BC-SECURITY/Empire-Compiler/releases/download/v0.3.2/EmpireCompiler-{{platform}}-v0.3.2.tgz

• plugins - Config related to plugins auto_start - boolean, whether the plugin should start automatically. If this is not set, Empire will defer to the plugin's own configuration. auto_execute - run an execute command on the plugin at startup. If this is not set, Empire will defer to the plugin's own configuration.

plugins:
  # Auto-execute plugin with defined settings
  basic_reporting:
    auto_start: true
    auto_execute:
      enabled: true
      options:
        report: all

• plugin_marketplace - This points the server to where Empire should look for additionl available plugins to install. This defaults to the BC Security plugin marketplace but can point to a private marketplace as well. name - the display name for the marketplace in Empire git_url - git project to pull plugins from

plugin_marketplace:
  registries:
    - name: BC-SECURITY
      git_url: git@github.com:BC-SECURITY/Empire-Plugin-Registry-Sponsors.git
      ref: main
      file: registry.yaml

• directories - Control where Empire should read and write specific data.

directories:
  downloads: downloads

• logging - See Logging for more information on logging configuration.

• submodules - Control if submodules wil be auto updated on startup.

submodules:
  auto_update: true