S0363: Empire
Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]
Analyst context for executives and security teams
Empire matters because it is a publicly available, cross-platform post-exploitation framework that can turn ordinary scripting environments into a remote administration capability after initial access. For leaders, the key issue is not the tool name alone; it is whether Windows PowerShell and Linux/macOS Python activity, remote access paths, credential access attempts, and outbound data movement are governed and observable well enough to support rapid containment.
Executive priority
Treat Empire as a control-validation use case for post-compromise readiness. ATT&CK links it to many intrusion sets and to behaviors including LSASS credential access, network discovery, DCOM and SSH lateral movement, command obfuscation, and automated exfiltration. Executives should ask whether SOC, IR, identity, endpoint, and network teams can prove visibility across Windows, Linux, and macOS, especially for privileged credentials, remote administration, and egress activity. This is also useful audit evidence: it tests whether logging, least privilege, administrative protocol control, and incident response playbooks work against a well-known public tool rather than a rare custom implant.
Technical view
Empire is listed as an open-source remote administration and post-exploitation framework, written primarily in Python, with PowerShell agents for Windows and Python agents for Linux/macOS. ATT&CK provides no official detection text for this software, so defenders should build coverage from the related behaviors: PowerShell and Python execution, command obfuscation, LSASS memory access, system network configuration discovery, DCOM and SSH lateral movement, and automated exfiltration. Detection engineering should focus on behavior chains rather than static tool signatures, because public tools can be modified and command content may be obfuscated.
Likely telemetry
- Endpoint process creation with command line and parent-child process context for PowerShell, Python, shells, and remote administration utilities
- PowerShell script block, module, transcript, and operational logs where enabled
- Python interpreter execution and script/module loading evidence on Linux, macOS, and Windows where collected
- EDR or OS telemetry for suspicious access to LSASS process memory on Windows
- Authentication and session logs for DCOM-related Windows remote activity and SSH logins on Linux/macOS
Detection direction
- Validate behavior-based analytics for PowerShell and Python post-exploitation activity instead of relying only on known Empire indicators or repository-derived signatures.
- Correlate scripting execution with follow-on discovery, credential access, lateral movement, and outbound transfer events; individual administrative commands may be benign in isolation.
- Tune for false positives from legitimate systems administration, DevOps, and remote support activity by incorporating user role, host criticality, execution parent, frequency, destination, and time-of-day context.
- Confirm visibility on all listed platforms: Windows, Linux, and macOS. A Windows-only PowerShell strategy will miss Python-based activity on Linux/macOS.
- Because ATT&CK does not provide official detection guidance for this object, document local assumptions, log sources, and tested coverage gaps during purple-team or detection validation exercises.
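One way to implement the correlation the bullets above describe, as an added example that is not code from this page or from the Empire project: it groups constructed endpoint events by host, anchors each chain on a scripting-interpreter launch, and counts the distinct follow-on stages (discovery, credential access, lateral movement, outbound transfer) seen inside a time window, weighting the result by parent process and user role as the tuning bullet suggests. The technique IDs are taken from this page's technique table; the event schema, the approved-admin list, the Office parent list and the alert threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Chain stages keyed by technique IDs that appear in this page's technique table.
STAGES = {
    "T1059.001": "script",                              # PowerShell execution
    "T1016": "discovery", "T1046": "discovery",         # network configuration / service discovery
    "T1003.001": "credential_access",                   # LSASS memory
    "T1021.003": "lateral", "T1021.004": "lateral",     # DCOM / SSH
    "T1020": "exfil", "T1041": "exfil",                 # automated exfil / exfil over C2
}
WINDOW = timedelta(minutes=30)        # assumed correlation window after the interpreter launch
ADMIN_ROLES = {"svc_deploy"}          # assumed list of approved administrative identities
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}  # assumed document-spawning parents

# Constructed sample events: (timestamp, host, user, technique, parent process).
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "ws01", "alice", "T1059.001", "winword.exe"),
    ("2024-01-10T09:03:00", "ws01", "alice", "T1016", "powershell.exe"),
    ("2024-01-10T09:07:00", "ws01", "alice", "T1003.001", "powershell.exe"),
    ("2024-01-10T09:12:00", "ws01", "alice", "T1021.003", "powershell.exe"),
    ("2024-01-10T09:20:00", "ws01", "alice", "T1041", "powershell.exe"),
    ("2024-01-10T10:00:00", "srv02", "svc_deploy", "T1059.001", "services.exe"),
    ("2024-01-10T10:01:00", "srv02", "svc_deploy", "T1016", "powershell.exe"),
    ("2024-01-10T13:00:00", "ws03", "bob", "T1003.001", "procexp.exe"),  # no interpreter anchor
]

def score_chains(events, window=WINDOW):
    # Returns {host: (score, sorted follow-on stages)} for the best chain on each host.
    by_host = defaultdict(list)
    for ts, host, user, tech, parent in events:
        stage = STAGES.get(tech)
        if stage:                       # techniques outside the modelled chain are ignored
            by_host[host].append((datetime.fromisoformat(ts), user, stage, parent))
    results = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (t0, user, stage, parent) in enumerate(evs):
            if stage != "script":
                continue                # every chain is anchored on an interpreter launch
            follow = {s for t, _, s, _ in evs[i + 1:] if t - t0 <= window and s != "script"}
            score = len(follow)         # one point per distinct follow-on stage
            if parent in OFFICE_PARENTS:
                score += 1              # interpreter spawned by a document: raise weight
            if user in ADMIN_ROLES:
                score -= 1              # approved admin identity: lower weight, not zero
            if host not in results or score > results[host][0]:
                results[host] = (score, sorted(follow))
    return results

def alerts(events, threshold=3):
    # Hosts whose best chain reaches the (assumed) alert threshold.
    return sorted(h for h, (s, _) in score_chains(events).items() if s >= threshold)
```

Running `alerts(SAMPLE_EVENTS)` flags only ws01; the service-account host scores low because it shows a single discovery step under an approved identity, and ws03 never forms a chain because no interpreter launch anchors it.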
Mitigation priorities
- Start with least privilege and administrative access governance so post-exploitation frameworks cannot easily expand from one host to broad enterprise control.
- Harden and monitor scripting environments, especially PowerShell on Windows and Python usage on Linux/macOS, without assuming those interpreters are malicious by default.
- Protect credentials by reducing unnecessary administrative logons, limiting credential exposure, and validating controls around LSASS access on Windows.
- Restrict and monitor remote administration paths such as DCOM and SSH, including where they are allowed, who can use them, and whether activity is logged centrally.
- Strengthen egress controls and monitoring so automated exfiltration-like behavior is visible and can be contained quickly.
Analyst notes and limits
Empire’s materiality comes from its public availability, cross-platform design, and ATT&CK relationships to many groups and a campaign, not from any claim of current activity in a specific environment. The relationship set is broad and includes espionage, financially motivated, ransomware-associated, and targeted campaign contexts, so defenders should use it as a prioritization signal for common post-exploitation behaviors rather than as attribution evidence.
The supplied ATT&CK object has no official detection text and no tactics listed directly on the tool. The assessment therefore relies on the official description, platforms, external references, and related techniques/groups/campaigns. Local telemetry, asset roles, identity architecture, and approved administrative practices are required to determine actual exposure or detection coverage.
Empire
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1125 | Video Capture | |
| Enterprise | T1021.003 | Distributed Component Object Model Sub-technique | |
| Enterprise | T1557.001 | Name Resolution Poisoning and SMB Relay Sub-technique | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1059.001 | PowerShell Sub-technique | |
| Enterprise | T1482 | Domain Trust Discovery | |
| Enterprise | T1056.001 | Keylogging Sub-technique | |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | |
| Enterprise | T1136.001 | Local Account Sub-technique | |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1046 | Network Service Discovery | |
| Enterprise | T1552.001 | Credentials In Files Sub-technique | |
| Enterprise | T1560 | Archive Collected Data | |
| Enterprise | T1484.001 | Group Policy Modification Sub-technique | Empire can use |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1115 | Clipboard Data | |
| Enterprise | T1068 | Exploitation for Privilege Escalation | |
| Enterprise | T1020 | Automated Exfiltration | Empire has the ability to automatically send collected data back to the threat actors' C2. (Citation: Talos Frankenstein June 2019) |
| Enterprise | T1546.008 | Accessibility Features Sub-technique | |
| Enterprise | T1119 | Automated Collection | Empire can automatically gather the username, domain name, machine name, and other information from a compromised system. (Citation: Talos Frankenstein June 2019) |
| Enterprise | T1555.001 | Keychain Sub-technique | Empire uses the command `/usr/bin/security dump-keychain -d` to read the keychain credential. (Citation: Empire Keychain Decrypt) |
| Enterprise | T1615 | Group Policy Discovery | |
| Enterprise | T1087.002 | Domain Account Sub-technique | |
| Enterprise | T1547.005 | Security Support Provider Sub-technique | Empire can enumerate Security Support Providers (SSPs) as well as utilize PowerSploit's |
| Enterprise | T1021.004 | SSH Sub-technique | |
| Enterprise | T1558.003 | Kerberoasting Sub-technique | Empire uses PowerSploit's |
| Enterprise | T1134.005 | SID-History Injection Sub-technique | |
| Enterprise | T1574.009 | Path Interception by Unquoted Path Sub-technique | |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | |
| Enterprise | T1135 | Network Share Discovery | |
| Enterprise | T1574.008 | Path Interception by Search Order Hijacking Sub-technique | |
| Enterprise | T1558.001 | Golden Ticket Sub-technique | |
| Enterprise | T1210 | Exploitation of Remote Services | |
| Enterprise | T1569.002 | Service Execution Sub-technique | |
| Enterprise | T1567.001 | Exfiltration to Code Repository Sub-technique | |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1056.004 | Credential API Hooking Sub-technique | |
| Enterprise | T1574.007 | Path Interception by PATH Environment Variable Sub-technique | |
| Enterprise | T1106 | Native API | |
| Enterprise | T1047 | Windows Management Instrumentation | |
| Enterprise | T1055 | Process Injection | |
| Enterprise | T1550.002 | Pass the Hash Sub-technique | |
| Enterprise | T1217 | Browser Information Discovery | |
| Enterprise | T1127.001 | MSBuild Sub-technique | |
| Enterprise | T1552.004 | Private Keys Sub-technique | |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage Sub-technique | |
| Enterprise | T1071.001 | Web Protocols Sub-technique | |
| Enterprise | T1134 | Access Token Manipulation | Empire can use PowerSploit's |
| Enterprise | T1040 | Network Sniffing | |
| Enterprise | T1114.001 | Local Email Collection Sub-technique | |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1102.002 | Bidirectional Communication Sub-technique | |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | |
| Enterprise | T1087.001 | Local Account Sub-technique | |
| Enterprise | T1574.004 | Dylib Hijacking Sub-technique | |
| Enterprise | T1049 | System Network Connections Discovery | |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | |
| Enterprise | T1134.002 | Create Process with Token Sub-technique | |
Groups, software, and campaigns
G0091: Silence
Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.[1][2]
G0051: FIN10
G0010: Turla
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]
G0090: WIRTE
WIRTE is a cyberespionage actor, believed to be a subgroup of the Hamas-affiliated Gaza Cybergang, that has been active since at least August 2018. WIRTE has targeted diplomatic, financial, military, legal, and technology organizations across the Middle East, North Africa, and in Europe to gather intelligence. WIRTE has remained persistently active despite the ongoing Israel-Hamas conflict and has expanded their operations to include wiper malware attacks against Israeli targets.[1][2][3][4]
G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
G1040: Play
Play is a ransomware group that has been active since at least 2022 deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.[1][2]
G0065: Leviathan
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]
G1016: FIN13
G0073: APT19
APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms.[1] Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same.[2][3][4]
G0119: Indrik Spider
Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed their tactics and diversified their toolset.[1][2][3]
G0052: CopyKittens
CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.[1][2][3]
G1001: HEXANE
HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.[1][2][3][4]
C0001: Frankenstein
Frankenstein was described by security researchers as a highly-targeted campaign conducted by moderately sophisticated and highly resourceful threat actors in early 2019. The unidentified actors primarily relied on open source tools, including Empire. The campaign name refers to the actors' ability to piece together several unrelated open-source tool components.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.8 | | Current bundle | f6ddcf771a4e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] NCSC Joint Report Public Tools. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
- [2] Github PowerShell Empire. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- [3] GitHub ATTACK Empire. Stepanic, D. (2018, September 2). attck_empire: Generate ATT&CK Navigator layer file from PowerShell Empire agent logs. Retrieved March 11, 2019.
- [4] EmPyre. (Citation: Github PowerShell Empire)
- [5] PowerShell Empire. (Citation: Github PowerShell Empire)
- [6] mitre-attack S0363. MITRE ATT&CK source object for Empire.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.