NOTE: Some of the topics in this article are probably going to be a bit contentious, but part of the hope in publishing this article is to drive some additional discussion within the offensive security community Ransomware has become one of the most prevalent threats that companies face today. It [...]
It has been a while since we have been able to discuss the new features in Empire. We wanted to take some time to discuss some upgrades under the hood of Empire and a few quality-of-life features that we are sure everyone will enjoy.
While teaching, we saw how difficult it was for everyone to manually add bypasses. We never noticed since we were so used to modifying the source code. This update adds the ability to load customized bypasses into Empire through YAML files. Now all you have to do is drop a YAML to the bypasses folder and Empire will do all the work to ingest the bypass and get it added.
Bypasses are stored in YAMLs found in /empire/server/bypass/ and uses a similar formatting as modules. Bypasses are currently only available to PowerShell modules and require a minimum version of PowerShell 3. Earlier version of PowerShell did not contain protections that require bypasses. When Empire first loads, it will write the data from the YAMLs to the database. The bypasses can then be edited via Starkiller or the API with the changes going only to the version stored in the database.
If you want to give it a shot, you can grab a bypass from AMSI.fail and learn how to format the files properly using the example below. A quick note, be sure to test the bypass before using it, sometimes the obfuscation may break the code if you aren’t careful.
name: ''
authors:
- ''
description: ''
comments:
- ''
language: powershell
min_language_version: '3'
script: ''Due to the advances of Defender, it had become difficult to obfuscate the Empire PowerShell stager within the size restrictions required for ReflectivePick, which is the underpinning of psinject. As a result, psinject was no longer very usable as Defender would instantly detect and kill the payload. We could have recompiled ReflectivePick with a larger space for the payload to be inserted into, but that would have been a Bandaid for the problem. Instead, Hubbl3 modernized ReflectivePick by adding an AMSI bypass to the native C code, which eliminates the need for obfuscating the agent PowerShell code when utilizing ReflectivePick for process injection and lateral movement. This makes psinject relevant again in a modern environment and provides Empire with some new options when building lateral movements.
I don’t know why this wasn’t integrated earlier, but thank you to everyone who recommended this feature at the Empire Ops course. I put this feature together a few hours after the course was over.
Have you run into issues running Empire on a custom build? This feature is important to you because it lets you customize the directories where things are placed and helps our partners at Kali Linux. You can now customize your downloads, stagers, and obfuscated modules folders to anywhere on your machine. Hopefully, this eliminates some headaches when people try to do customer Empire builds for engagements. You can find more server and client configuration options here.
# Server
directories:
downloads: empire/server/downloads/
module_source: empire/server/data/module_source/
obfuscated_module_source: empire/server/data/obfuscated_module_source/# Client
directories:
downloads: empire/client/downloads/
generated-stagers: empire/client/generated-stagers/I know this is not something that is going to make you get up and dance (unless you are Vinnybod). We’ve integrated formatting checks and automated tests into our GitHub pull request process. On the formatting side, Black is a great tool for consistent code formatting while isort keeps imports sorted consistently. For contributors, it is possible to have this formatting automatically applied when committing by using pre-commit. For more info see the contributing.md file.
Vinnybod also added automated testing. Every pull request will run the test suite on Python 3.8 and 3.9. For now, the test count is fairly low but will grow over time. The current test count in the upcoming Empire 5.0 is over 150 and increasing. Having these tests in place increases confidence when adding features and refactoring code. It also reduces the amount of manual testing we need to do for some of the more basic features. We aren’t perfect, but we try not to break existing functionality whenever possible.
Thank you to everyone for the support and we look forward to more features in the next update.
Today, we will talk about combining two fascinating Tactics, Techniques, and Procedures (TTPs) together for deploying Command and Control (C2): IronPython and WebDAV. If you read our previous blog post ...
