Empire 6.0 is finally here with tons of new updates and features. The team has been working on this for about a year now and we are really excited to show off all the changes. We have added new agents, revamped our compilers and added an all new marketplace for plugins. [...]
Empire 6.0 is finally here with tons of new updates and features. The team has been working on this for about a year now and we are really excited to show off all the changes. We have added new agents, revamped our compilers and added an all new marketplace for plugins. Before we dive into these exciting additions let’s discuss one of the other bigger changes, the deprecation and removal of the Empire Client.
The client was the first interface that Empire was published with so it’s with a bit of sadness that we say goodbye to it. Unfortunately, maintaining and updating the client has become too much of a development overheard with many of the new Empire features over the past few years. That combined with the added workload of maintaining it and Starkiller made it the right decision for long-term support of the project. For the diehards out there, the good news is that the terminal in Starkiller is no longer in beta and still provides a command-line-like interface for agent interaction.
In addition to these major internal changes there a number of internal code changes that were made to improve maintainability and security that will be transparent to most users. Those will be listed at the end for anyone interested but first, let’s dive into the changes we are most excited about.
Empire has supported plugins for a long time now with multiple iterations and expansion of capabilities, the most recent being the introduction of filters and hooks. However, there hasn’t been a great place for users to see what plugins are available or install the plugins they wanted to use. More importantly, it couldn’t be done from within Starkiller which made the workflow very clunky, especially for server deployment. As of Empire 6.0 that problem will now be solved with in-built Plugin Marketplace. Users will be able to browse and install plugins from within Starkiller and utilize those plugins without the need to restart the server.
By default, Starkiller will point to the BC Security Empire Plugin Registry but it will also support private registries for those who want to build in-house plugins for operations or maintain their own marketplace for community users. This configuration is in the server config.yaml and simply requires that you add an entry for any additional registries you would like to use.
We hope that not only does this make workflows easier for operators but also encourages community development for more plugins. If you develop a cool plugin submit it to us as a pull request for the registry and we will vet the plugin. If approved it will go into the registry and everyone will be able to natively see your hard work.
When we first took over the Empire Framework we stated that one of our goals was to provide a long-term project that reflects the real-world TTPs being utilized by APTs and that threat emulation would always be core to what we do. We think we have done a pretty good job of that with expanding Empire into C#, IronPython, and the integration of BOFs. This has provided Empire with immense flexibility for threat emulation but as always threat actors continue to evolve and unmanaged code continues to expand its role in their TTPs. As a result, we felt that it was now necessary for Empire to support an unmanaged agent. Cx01N spent the better part of the past year building and testing the new agent and Go agents are now operational in Empire!
The agent supports all current modules in Empire giving it plenty of flexibility for any threat you are trying to emulate.
Going forward the server will now be pulled down as a pre-compiled executable. Prior to 6.0, Empire required that the .NET SDK be installed in order to support C# operations. These introduced a lot of overhead both in the disk space required for utilizing Empire and the time it took to install. It also made it more likely for things to become unstable in the compiler if there happened to be conflicts with other tools installed on the Empire host machine.
In addition to these topline changes there have also been a number of additional quality of life improvements.
For a full list of changes and updates see the changelog.
6.0 represents a major move forward in the operational capabilities of Empire ensuring that it stays an operationally relevant and accessible framework for offensive security operators. We are looking forward to all the community contributions to the new Plugin Marketplace and continue to work on improvements. Stay tuned for more updates in the near future!
Ready to take your offensive security skills to the next level? Don’t miss out on our upcoming Advanced Threat Emulation; Active Directory course on April 11. This hands-on course dives deep into attacking Active Directory, covering everything from enumeration and credential dumping to Kerberos exploitation and multi-domain trust attacks. You’ll gain real-world experience in our curated lab environment and hone your skills in modern adversary emulation.
Sign up today!
Note: This blog is quite technical and I wanted it to be a quick, concise reference for TTPs. If you find the text explanations to be a bit dense, I ...
