Agents

Agents 101

You should see a status message when an agent checks in (e.g. [+] Initial agent CGUBKC1R3YLHZM4V from 192.168.52.168 now active). Jump to the Agents menu with the agents command, which displays basic information on active agents. From the Agents menu, various commands can be executed against a specific agent ID or against all agents, e.g. kill all. To interact with an agent, use interact AGENT_NAME. Agent names should be tab-completable for all commands.

In an Agent menu, info will display more detailed agent information, and help will display all agent commands. If a typed command isn’t resolved, Empire will try to interpret it as a shell command (like ps). You can also change directories with cd and upload/download files.

[Screenshot: Empire agent info]

For each registered agent, a ./downloads/AGENT_NAME/ folder is created. An ./agent.log is created in this folder with timestamped commands/results for agent communication. Downloads and module outputs are also broken out into relevant subfolders here. At any point in an agent menu, use the rename command to rename your agent; the associated ./downloads/ folder will be renamed as well.

By default, agents tolerate only a certain number of missed check-ins before exiting automatically. This value is configurable per listener. When you’re finished with an agent, use exit from the Agent menu or kill NAME/all from the Agents menu. You’ll get a red notification when the agent exits, and the agent will then be removed from the interactive list.

Agent Tasking

Inside the agent menu, type help for all available commands. You can execute a given module with usemodule and shell commands with shell X. Commands that are not resolved default to being interpreted as shell commands. Commands can be queued, and will be delivered en masse to the agent once it checks in.

[Screenshot: Empire agent help]

Other useful commands:

  • clear – clear an agent of tasking
  • download PATH – download a given file in 512k increments per check-in
  • ps – list all processes, or list processes with a particular name (e.g. ps explorer)
  • killdate – list the current agent killdate, or set a particular killdate
  • kill – kill a particular process ID
  • sleep interval [delay] – set the agent to sleep for the given interval, with the optional second argument giving the 0.0-1.0 jitter
  • workinghours/workinghours 09:00-17:00 – list the current agent working hours, or set working hours (24-hour format)
  • lostlimit – set the limit on the number of missed check-ins before the agent will die. A lostlimit of 0 means that the agent will never die and will keep checking in forever, even after it has lost contact.
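
The sleep interval, jitter, working hours and lostlimit settings above determine the timing pattern a defender sees in proxy or flow logs. The following is an added example (not part of Empire or the original page) that estimates interval and jitter from request timestamps, assuming each sleep falls within interval × (1 ± jitter); the flow data, host names and thresholds are constructed for illustration.

```python
from statistics import median

# Constructed sample data: epoch-second timestamps of outbound requests,
# keyed by (source host, destination). Not taken from any real capture.
SAMPLE = {
    ("ws-017", "203.0.113.10"): [0, 55, 120, 172, 240, 300, 366,
                                 30000, 30060, 30115],  # one long pause
    ("ws-022", "198.51.100.7"): [0, 3, 4, 200, 210, 900, 905,
                                 2000, 2002, 2040],     # bursty, human-like
}

def beacon_profile(timestamps, pause_factor=3.0, min_gaps=5):
    """Return (interval, jitter, pauses) estimated from request times, or None.

    Gaps longer than pause_factor x the median gap are counted as pauses
    (working hours, missed check-ins) and left out of the jitter estimate.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < min_gaps:
        return None
    rough = median(gaps)
    kept = [g for g in gaps if g <= pause_factor * rough]
    if len(kept) < min_gaps:
        return None
    interval = float(median(kept))
    if interval <= 0:
        return None
    # Assumption: each sleep falls within interval * (1 +/- jitter).
    jitter = max(abs(g - interval) / interval for g in kept)
    return interval, round(jitter, 3), len(gaps) - len(kept)

def find_beacons(flows, max_jitter=0.5):
    """Return {flow: profile} for flows whose timing fits a jittered beacon."""
    hits = {}
    for flow, times in flows.items():
        profile = beacon_profile(times)
        if profile and profile[1] <= max_jitter:
            hits[flow] = profile
    return hits

if __name__ == "__main__":
    for flow, (interval, jitter, pauses) in find_beacons(SAMPLE).items():
        print(f"{flow}: interval~{interval:.0f}s jitter~{jitter} pauses={pauses}")
```

The max_jitter threshold trades recall for noise: raising it toward 1.0 covers the full jitter range the sleep command accepts, but also admits more irregular legitimate traffic.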