The Empire post-exploitation framework used by hackers of all hats has been discontinued this week, passing the torch to newer tools for offensive activities.

The announcement came on Wednesday from Chris Ross, one of the developers of the framework.

He said that the project fulfilled its original purpose, that of showing PowerShell's post-exploitation capabilities and raising awareness of advanced actors using PowerShell for malicious operations.

The researcher further explains that the decision was supported by "the security optics and improvements that have been provided by Microsoft in the past few years."

Empire PowerShell framework discontinued

Lightweight and modular

Empire was released in 2015 at the BSides Las Vegas security conference to show how PowerShell could be used beyond the infection stage of an attack.

Its open-source nature and modular architecture allowed it to grow and fulfill the needs of offensive security teams, who saw in it an opportunity to test defenses by imitating attacks from real threat actors.

One of its major advantages is that it uses encrypted communication with the command and control server, which makes its traffic difficult to detect, especially in large networks.

An adversary can use Empire to control an agent planted on the compromised host and advance the attack from there. Later development removed the need for powershell.exe on the infected machine.

Over time, numerous exploit modules were added to the framework for various hacking needs, as was a Python agent for Linux and macOS systems.

Also good for malicious use

While it became a common tool for penetration testers, Empire was also embraced for malicious activities. Researchers saw it used by various threat groups, from nation-state hackers to financially-driven ones.

APT group Hades used Empire in its Olympic Destroyer campaign during the 2018 edition of the Winter Olympics in South Korea.

At the end of 2018, the FIN7 cybercrime group also started to rely on the Empire framework, not just on the Cobalt Strike threat emulation software.

Threat actors also used it with increased frequency in high-profile ransomware incidents. Security researcher Vitali Kremez points to the Trickbot and Dridex botnets, which use Empire for network exploitation and lateral movement to deliver the Ryuk and BitPaymer file-encrypting malware. One example is the Trickbot-Ryuk partnership, which relied on the Empire toolkit to distribute the payload across the victim's network.

The researcher told BleepingComputer that the framework is very popular with malware operators due to being "lightweight and extensible for modular development."

Ryuk and BitPaymer included Empire in their malicious campaigns in 2018, but other ransomware families engaged in targeted attacks have also begun to take advantage of the tool.

The researcher believes that cybercriminals started to use Empire more intensely after version 2.0 of the framework, which was more stable than ever before.

This is not the only example. Another researcher on Wednesday pointed to an Empire agent hosted on Pastebin.

Although discontinuing Empire is a blow to hackers on both sides of the law, there are alternative frameworks available for red teams, which Kremez has not seen adopted by cybercriminals.

Alternatives for the Empire PowerShell framework

Unfortunately, it is impossible to prevent malicious actors from adopting the tools used by the infosec industry to strengthen defenses.