Listeners
Listeners serve as the communication endpoints that await connections from compromised hosts (referred to as agents). They are an essential component of the command-and-control (C2) infrastructure, en
Types of listeners in PowerShell Empire
- http
- http-foreign
- http_hop
- http_malleable
- portforward
- smb
http listener
An HTTP listener in PowerShell Empire is a core component used to establish and manage communication between the compromised target (agent) and the attacker's command and control (C2) server. It operates over the HTTP/HTTPS protocol, making it suitable for blending into normal web traffic and evading network-based detection mechanisms.
Purpose
The HTTP listener acts as a beaconing endpoint that:
- Receives connections from Empire agents (infected systems)
- Delivers stager payloads and modules
- Handles encrypted tasking and data exfiltration over HTTP/S
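As an added defensive illustration (not Empire's own code), the following Python script scores constructed web-proxy log lines for the fixed-interval check-ins that a beaconing HTTP listener produces even when each request looks like ordinary browsing; the log format, sample values, host names and thresholds are all assumptions made for this example.

```python
# Added example (not Empire's own code): flag client/host/URI triples whose
# request timing is suspiciously regular, the footprint an HTTP C2 listener's
# check-ins leave. Log format, sample values and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<timestamp> <src_ip> <method> <host+uri>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 GET cdn.example.net/login/process.php
2024-05-01T10:00:05 10.0.0.5 GET cdn.example.net/login/process.php
2024-05-01T10:00:10 10.0.0.5 GET cdn.example.net/login/process.php
2024-05-01T10:00:15 10.0.0.5 GET cdn.example.net/login/process.php
2024-05-01T10:00:20 10.0.0.5 GET cdn.example.net/login/process.php
2024-05-01T10:00:25 10.0.0.5 GET cdn.example.net/login/process.php
2024-05-01T10:05:00 10.0.0.9 GET updates.example.org/admin/get.php
2024-05-01T10:05:05 10.0.0.9 GET updates.example.org/admin/get.php
2024-05-01T10:05:11 10.0.0.9 GET updates.example.org/admin/get.php
2024-05-01T10:05:15 10.0.0.9 GET updates.example.org/admin/get.php
2024-05-01T10:05:20 10.0.0.9 GET updates.example.org/admin/get.php
2024-05-01T10:05:26 10.0.0.9 GET updates.example.org/admin/get.php
2024-05-01T10:00:01 10.0.0.7 GET www.example.com/index.html
2024-05-01T10:00:17 10.0.0.7 GET www.example.com/index.html
2024-05-01T10:01:49 10.0.0.7 GET www.example.com/index.html
2024-05-01T10:03:02 10.0.0.7 GET www.example.com/index.html
2024-05-01T10:09:30 10.0.0.7 GET www.example.com/index.html
"""

def parse(log_text):
    """Group request timestamps by (src_ip, host+uri)."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, _method, target = line.split()
        series[(src, target)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(log_text, min_requests=5, max_cv=0.2):
    """Return [(src, target, mean_gap_s)] for series whose inter-request gaps
    have a low coefficient of variation (stdev/mean), i.e. a fixed sleep."""
    hits = []
    for (src, target), times in parse(log_text).items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:  # max_cv is an assumption
            hits.append((src, target, avg))
    return hits
```

The second series carries a small amount of jitter and is still flagged at the default threshold; profiles that randomise the sleep more aggressively push the ratio up, so in practice this signal is correlated with others rather than used alone.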
http_foreign
The http_foreign listener in PowerShell Empire is a special-purpose listener designed to allow Empire agents to communicate with an external (foreign) C2 endpoint that’s not managed directly by Empire.
In contrast to regular HTTP/HTTPS listeners, which serve the stager and host the agent’s communication, the http_foreign listener only handles post-exploitation communication from an agent that was staged elsewhere — such as a redirector, another team’s infrastructure, or even a standalone stager.
Primary Use Case
- Empire is not serving the payload or stager
- The agent beacons to a third-party server, and that server forwards or redirects traffic to your Empire listener
- Common in redirector setups, pivoting, or shared infrastructure
How It Works
Unlike the standard HTTP listener:
- You don’t host the stager payload
- The stager connects to an external server (like redirector.domain.com)
- That server forwards the traffic to Empire's http_foreign listener
Empire then:
- Picks up the staged agent
- Handles encrypted agent tasking, exfil, etc.
http_hop
The http_hop listener is a special PowerShell Empire listener used in multi-hop red team infrastructure. It allows an agent to pass traffic through an intermediate hop server (redirector or proxy), adding a layer of operational security and segmentation between the agent and the actual Empire C2 server.
This type of listener does not serve payloads or stagers, but handles encrypted agent traffic routed through a predefined staging path.
Key Benefits:
- Protects C2 infrastructure behind redirectors
- Obfuscates C2 architecture using chained hops
- Enables more advanced pivoting setups
Use Case:
- Deploy an HTTP listener on a redirector.
- Use http_hop on the backend C2 server.
- All agent communication is routed through the redirector.
http_malleable listener
The http_malleable listener is an advanced version of the standard HTTP listener, allowing the operator to fully customize the way Empire agents communicate over the network using malleable C2 profiles, similar to what Cobalt Strike offers.
These profiles define:
- URI paths
- HTTP headers
- HTTP methods
- Sleep patterns
- Response structure
This makes Empire traffic blend in with legitimate web traffic (e.g., mimicking Google, Microsoft, Dropbox, etc.).
Key Benefits:
- Bypasses signature-based detection
- Tailored C2 traffic that looks real and clean
- Enables OPSEC-safe long-term persistence
Profile Examples:
- Normal – generic HTTP traffic
- Crimeware – noisy, fast beacons
- APT – stealthy, mimics nation-state traffic
portforward listeners
The portforward module allows an Empire agent to act as a proxy, forwarding traffic from the attacker's machine through the victim’s machine to internal services or devices (pivoting).
It’s used in lateral movement, internal scanning, and persistence operations.
Key Benefits:
- Access internal systems not reachable externally
- Pivot into segmented networks
- Create reverse tunnels to internal services
smb listener
The smb listener is used for local, fileless lateral movement, especially in air-gapped or isolated networks. It enables Empire agents to communicate via named pipes (SMB over IPC$) instead of traditional network traffic like HTTP or TCP.
It is well suited to internal Windows networks where outbound traffic is heavily restricted.
Key Benefits:
- Fileless communication
- No network traffic (ideal for internal ops)
- Useful for multi-hop peer-to-peer agent communication
Requirements:
- Agent and listener must run on the same machine or local network
- Works only on Windows-based targets
- Requires proper privileges to create pipe connections