Empire is a pure PowerShell post-exploitation agent and provide features similar to a Metasploit Meterpreter Similar to the Indicators of Compromise (IOC) observed in Metasploit, the Empire C2 have varying IOCs. Let's analyze the empire_shell.pcap file and load it up in Wireshark to view the properties of pcap:
The capture file contains traffic analysis for over three-and-a half hours. Let's look at the traffic conversations:
We can see a clear pattern here, which denotes beaconing, as we can see that the number of packets is quite static, having the value 5 for most of the 2,649 conversations. The systems infected with Empire tend to generate a ton of HTTP requests. Let's filter some of the HTTP requests using HTTP contains GET filter and see what's under the hood:
The attackers can easily modify the preceding...