Session Passing

It’s good tradecraft to vary your command and control infrastructure. At a minimum, we like to operate a long-haul control server and a post-exploitation control server on different domains and IP addresses. In order to operate effectively with multiple C2 servers, Empire provides the ability to execute ‘foreign’ listeners, which hold the configuration information for another server. You can then use your new foreign listener to spawn or psinject stagers for your secondary server in order to pass sessions amongst your infrastructure components.

One important note: the initial AES key used for staging needs to match between any servers you’re passing sessions between. The easiest way to do this is to enter the same server negotiation password on each Empire control server when you initially set it up.

[Screenshot: empire_negotiation_password (entering the server negotiation password during Empire setup)]

To set up a foreign listener, name your new listener, provide the correct Host (the address of the secondary server) in your listener configuration, make sure the DefaultProfile matches between the two servers, and then set the Type to foreign. Once you execute, this new listener can be used just like any other.

[Screenshot: empire_foreign_listener (configuring and executing a foreign listener)]