Reviewing the Udemy Course “Penetration Testing with PowerShell Empire”
In part two of the series “The Professional Development Challenge for Cybersecurity Investigators”, we reflect on completing a short Udemy online course, “Penetration Testing with PowerShell Empire”, in under 6 hours.

WHY THIS COURSE IS RELEVANT FOR CYBERSECURITY INVESTIGATORS
In the most recent report issued by the UK’s National Cyber Security Centre, entitled “Joint Report on Publicly Available Hacking Tools”, PowerShell Empire is listed as number one under the category “lateral movement frameworks” (PowerShell Empire itself describes itself as a post-exploitation tool).
This official report is based on “collaboration based on research provided by the cyber security authorities of five nations: Australia, Canada, New Zealand, the UK and USA”. Specifically, the authors from the Five Eyes (FVEY) nations are: the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC), and the US National Cybersecurity and Communications Integration Center (NCCIC), which is part of the US Department of Homeland Security. Given the credibility of the authors and the breadth of the cyber incident data they have collected and reviewed, cyber security investigators (and potential victim organizations) should take note of this finding.

PowerShell Empire has been around since 2015, although very recently its development has stopped because the founding developers have stated that the project has reached its objectives. Even so, given the relatively low barrier to entry for using the tool to inflict damage on victim organizations, even for unskilled actors, it is reasonable to expect that incident response professionals will continue to encounter PowerShell Empire frequently. Sophisticated nation state actors and established hacking groups such as APT10, FIN7 and APT29 have also reportedly used PowerShell Empire. Cyber investigators are typically concerned with which post-incident artifacts to collect and analyze in order to determine whether hacking tools such as PowerShell Empire were used.
Courses like the one offered by Udemy focus on the penetration testing side of the incident and not so much on the forensic analysis side. However, it can be very beneficial for the cyber investigator to change perspective on an incident in order to gain a deeper understanding of it. A short, targeted, focused online class like the one offered by Udemy can serve that purpose... but just how beneficial is it?
WHAT THE COURSE COVERS
This course contains a balance of short but effective presentations and labs. Both formats cover installing PowerShell Empire as a C2 server (on a Kali Linux virtual machine), deploying stagers/agents on a victim machine (a vulnerable Windows 7 virtual machine), establishing asynchronous, encrypted communications with the intended targets, and continuing through to some of the framework’s more advanced features and its use of modules.
Even though PowerShell Empire is known as a post-exploitation tool used for tasks such as maintaining persistence after compromise, elevating privileges and facilitating lateral movement to other machines on a network, the course clearly and methodically explores other aspects of the framework, including how a bad actor can leverage the PowerShell Empire tools to compromise the initial system and then use modules to capture keystrokes (keylogger) and to steal the contents of a victim’s clipboard.
STRENGTHS OF COURSE
- Plenty of Tool Demos in Various Situations: the course has a lot of short labs demonstrating many different modules and tools of PowerShell Empire.
- Great Representation of the Potential Power for Damage of the Hacking Framework: watching the course from beginning to end makes one realize just how powerful and easy-to-use this framework can be, since it leverages PowerShell on a victim machine without the need for “powershell.exe” and runs from memory.
- Grounded Against Established Intrusion Models: the course author chooses an attacker methodology model and explains how the framework fits against the model as the course progresses. Providing context and reasoning behind the presentation and demos makes the course that much more effective.
SUGGESTED IMPROVEMENTS TO THE COURSE
The course’s labs are not conducted against the backdrop of a realistic domain and Active Directory environment, which is noted during the training course. The labs are also conducted as “internal pen testing” rather than external pen testing, so hardware firewalls, routers, IDSes, etc. are absent from the course, and therefore so are discussions about “bypassing” or overcoming these realistic obstacles in real-life engagements.
Because the course focuses on the pen testing side of the incident, no time is spent on detecting and analyzing artifacts indicating that PowerShell Empire has been used by malicious threat actors. Cyber investigators should be aware that artifacts may be available in memory, in the registry, from IDS logging and from other sources. However, the author of this course has also written a 2018 SANS white paper that does discuss detection of PowerShell Empire on an infected network and systems.
CONCLUSION
One of the metrics I like to use is whether one can get the same content from other open sources such as YouTube. From the cursory searching I did, it doesn’t appear so. You’re more likely to see this type of content and instruction as part of a larger, week-long ethical hacking course. Overall, the short course, which can be completed in well under six hours, is effective in conveying just enough of what PowerShell is capable of doing and just how dangerous it can be in the hands of an inexperienced or a seasoned hacker.
For those who have built their own pen test labs either at home or at work, the course provides enough content to springboard into exploring some of the more advanced features of PowerShell Empire that aren’t really addressed during the course. For those professionals who don’t have ready access to pen test environments to further explore PowerShell Empire, the course communicates its points verbally and visually well enough, through well-placed and organized labs, that one walks away with a significantly better understanding of the framework compared to simply reading about it.
The course, which has no quizzes or tests, produces a certificate of completion at the end. For those interested in gaining continuing education credits (e.g. “CPEs” or “CEUs”), check with the organization in question to see whether it will accept credits from this type of course.
UPCOMING
In the next article, we continue to dive into specific course examples and reflect on our experiences.
NEXT: A review of another Udemy online course >> “How Hackers Find SQL Injections in Minutes with SQLMap”, recently completed in under two hours. Publish date to be announced soon.
ABOUT THE AUTHOR

Mr. Spurlock is a digital forensics professional who worked on a number of low to high profile cases over 15 years in the FBI, typically assigned to cyber squads, involving these types of cases: white collar, counter terrorism, crimes against children, counter intelligence, human trafficking, cyber and violent crimes. Between 2015 and 2019, he served on behalf of the FBI as the deputy co-chairman of the US/UK digital media exploitation working group, interfacing with various UK police, intelligence and government agencies. He has testified as an expert and fact witness at the US federal and state level many times. In his current role, he works in private industry investigating how businesses were victimized by cyber-based incidents such as ransomware, business email compromise, and cloud-based intrusions. Opinions expressed are solely his own and do not express the views or opinions of his past and present employers.
