Not Your Grandfather’s Empire I’ve wanted to put this blog together since returning home from DEFCON. Anytime we ran into someone who recognized our swag, they mentioned how much they loved Empire back in the day and didn’t realize it was being actively maintained. This made me reflect on all [...]
Note: All code samples shown in the post can be found in our repo here In recent years, PowerShell tradecraft has seen a drop in popularity among pentesters, red teams, and to some extent APTs. There are several reasons for this, but at the core, it was the introduction of ...
It has been another exciting week for the team. First we are just a week away for our inaugural course for Advanced Threat Emulation: Evasion. Second, we were able to put together a new build for Empire, bringing us one step closer to 5.0. If you were paying close attention, ...
It has been a while since we have been able to discuss the new features in Empire. We wanted to take some time to discuss some upgrades under the hood of Empire and a few quality-of-life features that we are sure everyone will enjoy. Customizable Bypasses While teaching, we saw ...
Empire 4.2 was just finalized over the weekend and we are excited to share some of the new features. This version has added some new capabilities to keep our threat emulation capabilities in line with current adversary TTPs. We have added a brand new IronPython stager, which can be compiled ...
Its been about 2-weeks since we released Empire 3.4, and hopefully, everyone has had a chance to check out all the new features. Our team has put quite a few hours into development and we wanted to give an overview so everyone can leverage Empire’s full capabilities.
Empire 3.4.0 is our next major release and is packed with one of the most advanced features to-date, Malleable C2. The Malleable C2 Listener gives control to operators to customize their beacons to match specific threats. It does this through profiles, which are simple scripts that instruct the listener how ...
While giving our talk at the DEF CON Red Team Village a couple of weeks ago, I previewed a PowerShell ScriptBlock logging obfuscation technique. I have been working on it (and a few other techniques) for a while and decided to write a short blog about it. But as I ...
This entry will focus on the obfuscation of the PowerShell Script in the ScriptBlock log and Transcription log. First, there will be a little more discussion on a module log bypass technique because we can also use it to create some obfuscation!
As part of the Empire 3.1.3 update, we fixed the OneDrive listener and added documentation for easier configuration.
