Not Your Grandfather's Empire
I’ve wanted to put this blog together since returning home from DEFCON. Anytime we ran into someone who recognized our swag, they mentioned how much they loved Empire back in the day and didn’t realize it was still being actively maintained. That made me reflect on how far Empire has come and inspired this write-up.
Empire has evolved far beyond its PowerShell roots. What started as a PowerShell-centric tool has grown into a multi-language, modular framework capable of so much more. Let’s dive into some of the newest capabilities that make Empire a force to be reckoned with.
Teamserver: A Major Overhaul
One of the biggest architectural changes we’ve made was the introduction of the teamserver. Previously, Empire ran both the server and client from the same application, which made things cumbersome to maintain.
Now, we’ve implemented a cleaner, more scalable solution. Empire uses a dedicated API to separate the server and client. This not only streamlines the overall architecture but also makes Empire multiplayer.
We also switched to MySQL as the database backend. This means you can now manage hundreds of agents simultaneously without sacrificing stability or speed (yes, we’ve seen hundreds of agents running off a single instance).
Starkiller
We originally built Starkiller because Empire’s API was underused, and we wanted to see what a GUI experience might look like. Some tasks just work better visually, and Starkiller delivers.
We still have the command-line client, but it’s relatively unmaintained and will be deprecated in 6.0. That said, Starkiller now includes a terminal view for agent interaction, giving you the best of both worlds: a modern GUI for convenience and a raw terminal for traditionalists who still prefer typing commands.
C# Compatibility
The first major language expansion was C#. We were already running PowerShell, so adding .NET assemblies felt like a natural evolution.
At first, we experimented with Covenant-style models to keep compatibility between tasks. But as Covenant’s development slowed, we pivoted, extracting its Roslyn compiler and building our own, giving Empire the flexibility to compile tasks in real time against the target system.
This eliminated the need for sketchy precompiled binaries (because who really trusts random EXEs from GitHub?).
If you haven’t noticed, we’ve dropped “PowerShell” from the name entirely because Empire is no longer just PowerShell.
How to run a C# module
- Go to the Modules tab
- Type csharp_ghostpack_rubeus
- Click Submit
- Open the Tasks tab
- View results
C# Agent (Sharpire)
Also known as Sharpire, the C# agent was the first modern implant added to the framework. Originally developed externally and later integrated by us, it marked a major leap forward.
With Sharpire, Empire could now run C# payloads alongside PowerShell tasks, further cementing its place as a true multi-language framework.
How to create a C# Agent
- Select the Stagers tab
- Type windows_csharp_exe
- Set Language to C#
- Choose an HTTP listener
- Click Submit
Python 3
At one point, our Linux implant was stagnating: it was still using Python 2, which was reaching end-of-life. I took on the challenge of upgrading to Python 3.
Keeping dual compatibility proved too painful (string/byte differences were brutal), so we went all-in on Python 3. Once the agent was upgraded, the modules followed because an agent without modules is useless.
How to create a Python agent
- Select the Stagers tab
- Type multi_launcher
- Change Language to Python
- Choose an HTTP listener
- Click Submit
IronPython
This is where Empire began to transcend basic TTPs and enter true threat emulation territory. Both Hubble and I come from red-teaming and cyber threat assessment backgrounds in the Air Force, and IronPython allowed us to bridge that gap.
You might’ve read our IronNetInjector blog or our research paper. TL;DR: Turla, a nation-state actor, used IronPython to inject .NET code and evade modern EDRs.
We built a prototype using this method and found it wasn’t far from Empire compatibility. With minimal changes to the Python 3 agent, we added support for BYOI (Bring Your Own Interpreter) agents, à la Byt3bl33d3r’s SilentTrinity.
This means you can now run PowerShell, C#, Python, and IronPython within a single framework.
Even better? These payloads evade nearly every major EDR on the market, partly due to underexposure, but mostly due to how the loader obscures detection.
How to create an IronPython agent
- Select the Stagers tab
- Type windows_csharp_exe
- Change Language to IronPython
- Select an HTTP listener
- Click Submit
BOFs
Another powerful addition is support for Beacon Object Files (BOFs): small, in-memory C programs used for post-exploitation.
Empire now lets you execute BOFs directly through agents using RunOF.
We’ve also bundled a library of ready-to-use BOFs, including TrustedSec’s situational awareness library, nanodump, tgtdelegation, and more.
How to run BOFs
- Select an active agent
- Type bof_situational_awareness_whoami
- Click Submit
Plugins
Plugins have been around since Empire 2.5 but were rarely used. They allow you to scale functionality without touching the core codebase.
Over time, we’ve added event hooks, database tasks, and better developer support. For example, we created a plugin to exploit EternalBlue, initially in Python to load Empire agents remotely, then later integrated with Metasploit’s “Bring Your Own Stager” to streamline operations.
Empire can now spin up a Metasploit instance, generate Donut shellcode, and let Metasploit handle the heavy lifting.
What’s Next?
If you follow @EmpireC2Project, you know we’re constantly updating Empire with new modules and features.
But we’re also building something even bigger.
Empire 6 will introduce our first non-.NET Windows agent, written in Go, inspired by frameworks like Sliver. We chose Go because it’s lightweight, cross-platform, and easy to integrate, expanding Empire’s operational versatility.
We’ve focused hard on stability, ensuring the server and implants can run for weeks or months without issue. Because nothing kills an op faster than an unstable C2.
Empire has transformed from a simple post-exploitation framework into a cutting-edge, multi-language threat emulation platform, capable of bypassing modern defenses and emulating nation-state-level TTPs.
Stay tuned, we’re just getting started.
If you want to learn more about Empire and how to contribute, check out the Empire Wiki. For hands-on training, our Empire Ops I course dives deep into everything we’ve covered here and much more.