NOTE: Some of the topics in this article are probably going to be a bit contentious, but part of the hope in publishing this article is to drive some additional discussion within the offensive security community Ransomware has become one of the most prevalent threats that companies face today. It [...]
We recently released Empire 5.8 and Starkiller 2.7. Sometimes, we forget to highlight the cool new features or changes as they release. So, in addition to covering the Empire 5.8 / Starkiller 2.7 changes, this will also recap some of the things from the recent releases you may have missed. The full changelogs can be found here: Empire | Starkiller .
This allows arbitrary tagging of different elements within Empire, allowing operators to keep their engagement organized. It also enables automation for plugins. There’s more detail on this in the tagging blog post.
Previously, real-time alerts would pop up in the corner of Starkiller. And while this might work for a small one person engagement, it doesn’t scale very well when multiple operators and lots of events are firing. So now all the events are nice and tidy within the notification bell and can be viewed on the notifications page.
This change to notifications enabled us to allow all the task results to go to the notifications page. Operators can also subscribe/unsubscribe to individual agents.
A much requested feature. The Starkiller homepage for the sponsors’ build is a dashboard giving top-level data about agents, listeners, and credentials.
Sponsors have had a version of this feature for a while now, but we’ve made it better and rolled it out to the public version now as well. The terminal allows for executing shell commands, modules, and most things available from the “interact” menu on the Empire client—type `shell` to drop into an “interactive” mode.
Some modules will output their data with ANSI coloring. Previously, Starkiller would display the ANSI codes as text. Now, the task outputs display ANSI coloring.
The advanced filtering widget has been expanded to most list views.
We have noticed for a while that Empire has been missing an important peer-to-peer lateral technique. Since we have been shifting a lot of our TTPs in Empire to focus on IronPython, we incorporated an SMB agent that allows multiple IronPython agents to communicate with one another.
The chances are that most Linux endpoints aren’t going to be running an EDR solution, but in the rare case you do encounter them, Empire now includes Python obfuscation for agents and modules.
Exegol is a community-driven hacking environment powered by Docker and Python. Empire has recently been added to its arsenal of tools!
Empire 5.8 is very much a housekeeping update. Just take a look at the changelog… There are lots of dependency updates, a revamp of the install script, some changes to help support Exegol, change in support for Python version (added 3.12, removed 3.8, 3.9), added Debian 12 support, and added an ARM64 docker image! Also, new linting rules. refactoring listener code, and rewriting Python agent code.
The Python agent code has been neglected for quite some time and it has finally gotten to the point that it needed a complete overhaul. We finally broke out functionality into Staging and MainAgent codes which gives some commonality to formatting and allows different communication profiles to be easily dropped in.
With the amount of work it takes to maintain a multi-linux-flavor install script… I was looking at alternatives. We have Docker images, but the documentation on how to use it is spotty and we still recommend the install script as the preferred method.
I don’t know how this will pan out, but I’m working on what we’re calling the “Empire Launcher,” which allows someone to run one bash command that installs the Empire Launcher, a thin wrapper around docker-compose. From there, empire up will spin up an Empire instance and MySQL database, empire down will turn it off, and empire destroy will wipe it all. There’s additional commands for dumping the database, tailing the logs, and using the client.
If this sounds interesting to you, and you want to provide some early feedback, it is pushed to BC-SECURITY/Empire-Launcher ‘s dev branch. Feedback can be discussed in our Discord!
Forget about feeling overwhelmed with a mess of data. With tags in Starkiller, you have more control over keeping everything organized. You can assign tags to various objects – Listeners, ...
