Empire is heavily focused on post-exploitation. This section demonstrates use of a few of the most commonly used modules. All collection modules are located under “collection” and can be viewed by typing “usemodule collection” and then pressing tab for a complete list.


Empire’s screenshot module will grab a single screenshot of the compromised system. This module requires no additional configuration other than the agent the module should run on:


After executing the module, Empire will save the screenshot in the Agent folder within your Empire directory for your viewing.


In addition to grabbing screenshots, Empire also allows for the collection of keystrokes. Like the screenshot module, the keylogger module requires nothing more than the agent to execute on:


Once executed, Empire will display the keystrokes back to you every time it checks in:


When a module runs continuously in the background (like keyloggers or clipboard theft), a started job ID will be returned. If you type jobs in an agent menu, the currently active background jobs will be returned. To kill a job, use jobs kill JOB_ID.

Clipboard Theft

Finally, we have the Clipboard Monitor module. This module allows you to snatch any contents stored on the Windows clipboard. This module allows you to set a collection limit and an interval time. For most situations, the defaults are enough:


After running this module, Empire will spit out the contents of the clipboard. It will check the clipboard for new contents based on the value set in the PollInterval argument. Every time Empire checks in, it will display the contents: