A Year in the Empire
TRANSCRIPT
A Year in the EMPIRE (ASCII-art title banner)
First Things First
✣ Empire would not be possible without the help and phenomenal work from:
  - PowerSploit by @mattifestation, @obscuresec and @JosephBialek
  - Posh-SecMod by @Carlos_Perez
  - UnmanagedPowerShell by @tifkin_
  - Mimikatz by @gentilkiwi and Vincent LE TOUX
✣ Everyone who contributed modules, bugs, fixes, and time! You all rock!
Co-founder of Empire/EmPyre | PowerTools | Veil-Framework
PowerSploit/BloodHound developer
Microsoft PowerShell MVP
@harmj0y
Red teamer and Empire developer
UAC bypasser extraordinaire
Offensive PowerShell advocate
@enigma0x3
tl;dr
✣ Empire overview
✣ Empire 2.0
  - Motivations
  - New features
  - EmPyre integration
  - ‘Modular’ listeners
✣ Demos
1. Empire Overview
Release and the Year Since
Teh Empire
✣ A full-featured PowerShell post-exploitation agent
  - Released at BSides LV ‘15
✣ Core agent built in PowerShell
  - Module structure implements various post-exploitation actions
✣ Controller built in Python
  - Backend sqlite database
  - UI focus
y u Build PowerShell Botnet :(
✣ Started as a thought exercise!
✣ Wanted to:
  - bring together all the existing offensive PowerShell tech
  - build a flexible platform that’s easily customizable in the field
  - train defenders on how to stop and respond to PowerShell “attacks”
(the guy who invented PowerShell)
A Year of Development
✣ Nearly 400 commits
✣ 25+ contributors
✣ 150+ GitHub issues (most closed : )
✣ 100+ PRs
✣ Tons of new modules!
#WatchDogs2
SkyWalker! @zeroSteiner
A Meterpreter Replacement?
Empire Staging/Crypto
Controller <-> Client (odd-numbered steps are sent by the client, even-numbered steps are the controller's replies):
1. GET /<stage0>
2. return key negotiation stager.ps1 w/ shared AES staging key
3. gen priv/pub keys, post ENCstaging(PUB) to /<stage1>
4. return ENCpub(nonce + AES session key)
5. decrypt, post ENCsession(nonce+1 | sysinfo) to /<stage2>
6. return ENCsession(agent.ps1). Agent starts beaconing.
Empire Process Injection (diagram components)
- Download Cradle
- .NET Assembly
- ReflectivePick
- Invoke-PSInjector
- *.exe
Still Just a Toy Language?
New Features Since Release
✣ From 90 modules to 180!
  - Inveigh/Tater!
  - regsvr32!
  - MS16-032!
  - More TrollSploit!
  - KeeThief!
  - Lots of UAC bypasses!
  - Tons more!
✣ A RESTful API interface
✣ Autoruns, lost limits, and more.
Python EmPyre
✣ A Python Empire variant built for a customer’s heavy OS X environment
  - Python 2.6/2.7 compatible agent
  - Works on Linux too!
✣ Controller/architecture HEAVILY adopted from Empire
✣ Released publicly at HackMiami
  - Presented on at BSides LV ‘16
Empire Drawbacks
✣ We’ve never built a RAT before
  - Mistakes were made ¯\_(ツ)_/¯
✣ Only comms methods were HTTP[S]
  - Modules were expandable, transports weren’t
✣ Separate projects for Empire/EmPyre
  - Name/project confusion
  - Separate codebases ==
Empire 2.0

Motivations
Empire/EmPyre Integration: Wanted one single controller for our Python Linux/OS X agents and PowerShell agents.
Modularize C2: Expandable listeners that you can drag/drop into the framework for additional transports.
Code Rot: Fix our past mistakes and build a foundation for the future viability of the project.
Laying the Foundation
✣ For future transports, agents may need to be able to figure out where to route packets for other agents
✣ All Empire comms are now wrapped in ‘routing’ packets encrypted w/ the staging key
✣ All individual agent comms still use the negotiated agent key
New Routing/Metadata Packet:
+---------+-------------------+--------------------------+
| RC4 IV  | RC4s(RoutingData) | AESc(client packet data) |
+---------+-------------------+--------------------------+
|    4    |        16         |        RC4 length        |
+---------+-------------------+--------------------------+

RC4s(RoutingData):
+-----------+------+------+-------+--------+
| SessionID | Lang | Meta | Extra | Length |
+-----------+------+------+-------+--------+
|     8     |  1   |  1   |   2   |   4    |
+-----------+------+------+-------+--------+

RC4s = RC4 w/ the shared staging key
HMACs = SHA1 HMAC w/ the shared staging key
AESc = AES w/ the client's session key
HMACc = first 10 bytes of a SHA256 HMAC using the client's session key
AESc(client data):
+--------+-----------------+-------+
| AES IV | Enc Packet Data | HMACc |
+--------+-----------------+-------+
|   16   |   % 16 bytes    |  10   |
+--------+-----------------+-------+

Client data decrypted:
+------+--------+--------------------+----------+---------+-----------+
| Type | Length | total # of packets | packet # | task ID | task data |
+------+--------+--------------------+----------+---------+-----------+
|  2   |   4    |         2          |    2     |    2    | <Length>  |
+------+--------+--------------------+----------+---------+-----------+
Newz
✣ The HTTP listener has been redone with Flask
✣ Epoch-syncing removed
✣ PowerShell:
  - Staging now uses HMAC and nonces
  - RC4 implemented for first stage PowerShell obfuscation
  - @mattifestation’s AMSI bypass added to the PowerShell stager
Newz
✣ Orphaned agent renegotiation
  - If an agent shares a server staging key, but isn’t in the cache, it will restage
✣ external/* modules
  - For things that don’t rely on an agent
  - external/generate_agent will generate a “fully-staged” agent
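The packet tables a few slides back give the wire layout in enough detail to write a parser, and the orphaned-agent rule just above is a one-line decision on top of it. The Python below is an added example, not Empire's own packets.py: it builds and parses the routing header, frames task packets, computes and checks HMACc, and returns "restage" for a session ID that decrypts under the staging key but is not in the cache. Two things are assumptions rather than slide content: fields are packed little-endian, and the RC4 key is the 4-byte IV followed by the staging key. The AES-CBC step itself is not in the standard library, so the demo pads the plaintext to a block multiple where ciphertext would go; the framing and MAC logic do not depend on that. A responder who has recovered a staging key from a dropped stager can use the same parser to decode captured routing headers.

```python
import hashlib
import hmac
import os
import struct

# Field sizes from the slide tables.
RC4_IV_LEN = 4        # RC4 IV
ROUTING_LEN = 16      # SessionID 8 | Lang 1 | Meta 1 | Extra 2 | Length 4
AES_IV_LEN = 16
HMACC_LEN = 10        # first 10 bytes of HMAC-SHA256 under the client's session key
TASK_HDR = struct.Struct("<HIHHH")   # Type 2 | Length 4 | total # 2 | packet # 2 | task ID 2


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_routing_packet(staging_key, session_id, lang, meta, enc_data, extra=0, iv=None):
    """RC4 IV | RC4s(RoutingData) | AESc(client packet data)."""
    if len(session_id) != 8:
        raise ValueError("SessionID must be 8 bytes")
    iv = iv or os.urandom(RC4_IV_LEN)
    routing = session_id + struct.pack("<BBHI", lang, meta, extra, len(enc_data))
    # ASSUMPTION: RC4 keyed with IV || staging key and little-endian fields; the slide
    # only says "RC4 w/ the shared staging key" and gives widths, not byte order.
    return iv + rc4(iv + staging_key, routing) + enc_data


def parse_routing_packet(staging_key, blob):
    """Inverse of build_routing_packet; raises if the blob does not decode sensibly."""
    if len(blob) < RC4_IV_LEN + ROUTING_LEN:
        raise ValueError("shorter than RC4 IV + routing data")
    iv = blob[:RC4_IV_LEN]
    routing = rc4(iv + staging_key, blob[RC4_IV_LEN:RC4_IV_LEN + ROUTING_LEN])
    lang, meta, extra, length = struct.unpack("<BBHI", routing[8:])
    enc_data = blob[RC4_IV_LEN + ROUTING_LEN:]
    # A wrong staging key turns Length into noise, so this check rejects most bad decrypts.
    if length != len(enc_data):
        raise ValueError("Length field does not match payload (wrong staging key or tampering)")
    return {"session_id": routing[:8], "lang": lang, "meta": meta, "extra": extra, "enc_data": enc_data}


def hmacc(session_key, iv_and_ciphertext):
    """HMACc: SHA-256 HMAC under the session key, truncated to 10 bytes."""
    return hmac.new(session_key, iv_and_ciphertext, hashlib.sha256).digest()[:HMACC_LEN]


def seal_session_data(session_key, aes_iv, ciphertext):
    """AES IV | Enc Packet Data | HMACc.  Ciphertext must already be a multiple of 16."""
    if len(aes_iv) != AES_IV_LEN or len(ciphertext) % 16:
        raise ValueError("bad AES IV or unpadded ciphertext")
    body = aes_iv + ciphertext
    return body + hmacc(session_key, body)


def open_session_data(session_key, blob):
    """Verify HMACc in constant time before anything is decrypted; returns (iv, ciphertext)."""
    if len(blob) < AES_IV_LEN + HMACC_LEN:
        raise ValueError("shorter than AES IV + HMACc")
    body, tag = blob[:-HMACC_LEN], blob[-HMACC_LEN:]
    if not hmac.compare_digest(tag, hmacc(session_key, body)):
        raise ValueError("HMACc mismatch")
    return body[:AES_IV_LEN], body[AES_IV_LEN:]


def build_task_packet(ptype, total, num, task_id, data):
    """One entry of the 'client data decrypted' table."""
    return TASK_HDR.pack(ptype, len(data), total, num, task_id) + data


def parse_task_packets(plain):
    """Walk the decrypted client data; several task packets may be concatenated."""
    packets, off = [], 0
    while off < len(plain):
        ptype, length, total, num, task_id = TASK_HDR.unpack_from(plain, off)
        off += TASK_HDR.size
        data = plain[off:off + length]
        if len(data) != length:
            raise ValueError("truncated task packet")
        off += length
        packets.append({"type": ptype, "total": total, "num": num, "task_id": task_id, "data": data})
    return packets


def route_inbound(staging_key, known_agents, blob):
    """Server-side rule from the slides: a session that decrypts under the staging
    key but is absent from the agent cache is orphaned and is told to restage."""
    pkt = parse_routing_packet(staging_key, blob)
    return ("dispatch" if pkt["session_id"] in known_agents else "restage"), pkt


if __name__ == "__main__":
    staging_key = b"constructed-staging-key-32bytes!"   # constructed demo keys, not real ones
    session_key = b"constructed-session-key-32bytes!"
    plain = build_task_packet(1, 1, 1, 7, b"whoami")
    padded = plain + bytes(16 - len(plain) % 16)          # stand-in for the AES-CBC step
    enc = seal_session_data(session_key, os.urandom(AES_IV_LEN), padded)
    blob = build_routing_packet(staging_key, b"ABCDEFGH", 1, 4, enc)
    print(route_inbound(staging_key, {b"ABCDEFGH": "agent"}, blob)[0])   # dispatch
    print(route_inbound(staging_key, {}, blob)[0])                       # restage
```

Verifying HMACc before touching the ciphertext is the order the layout implies (the tag covers IV and encrypted data), and the Length check in the routing header is what lets a server tell a genuine orphan from junk that merely shares the URL.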
New Modules: Improved Kerberoast
New Modules: BloodHound
New Modules: eventvwr UAC Bypass

3. EmPyre Integration
PowerShell + Python Living Together in Harm0ny ♫
EmPyre Integration
✣ EmPyre and Empire are now one code base!
  - https://github.com/AdaptiveThreat/Empire
  - The EmPyre repo will be deprecated
  - Python/PowerShell agents can communicate on the same listener/port!
✣ We also now have a 5 person “full-time” dev team:
  - @harmj0y, @enigma0x3, @424f424f, @xorrior, @tifkin_
Language-Aware Menus

Interface Integration
interact AGENT: Drops you into the language-appropriate agent menu with the same options you’re used to for either project.
stagers/*: Now broken out into OS-applicable folders (Windows/OS X/Linux).
usemodule [tab]: Executed from an agent, only tab-completes language-appropriate modules.
4. Modular C2
i lik turtles transports
Listener Modularization
✣ Previously, listeners were hard-integrated into the code base, so adding transports was extremely difficult
✣ Now listeners are encapsulated in self-contained modules
  - Allows you to drag/drop modules into the framework!
Listener Modules
✣ At least two functions are required for a listener module:
  - generate_comms() - generates the communication functions patched for the given listener
  - start() - starts the server component of the listener
✣ Agents are responsible for language support

Listener Modules
✣ If you want staging supported:
  - generate_launcher() - generates PowerShell/Python launcher code
  - generate_stager() - generates the key-negotiation code
  - generate_agent() - generates the complete patched agent code
listeners/http
✣ The original HTTP[S] listener
  - But now redone with Flask!
  - “Routing packet” is base64’ed and stuffed into a new cookie value
✣ Generates Python and PowerShell launchers, staging, and agent code
✣ You can easily modify the cookie used/transforms on the data itself to change up indicators!
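The base64 cookie value described above has a fixed shape that follows from the packet tables: a 20-byte routing header (RC4 IV + routing data), optionally followed by an AESc block of 16 IV + n*16 data + 10 HMACc bytes. That shape can be tested for without knowing the staging key. The Python below is an added example, not part of Empire or its listener code: it scans a few constructed proxy-log lines in a made-up format, base64-decodes each cookie value, and flags values whose decoded length fits the layout and whose bytes are mostly non-printable. It assumes PKCS#7-style padding (so at least one 16-byte block of encrypted data) and is deliberately a weak signal: the last bullet's point about changing the cookie and the transforms on the data is exactly what removes it, so treat a hit as something to pivot on, not a verdict.

```python
import base64
import binascii
import hashlib
import re

ROUTING_HDR = 4 + 16        # RC4 IV + RC4s(RoutingData)
AESC_OVERHEAD = 16 + 10     # AES IV + HMACc
AES_BLOCK = 16


def _constructed_blob(n):
    """Deterministic pseudo-random bytes standing in for an encrypted packet (demo data)."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(b"constructed-%d" % i).digest()
        i += 1
    return out[:n]


# Constructed log lines in a made-up format: time, client, method, path, cookie header.
SAMPLE_LOG = [
    '2016-09-24T10:00:01Z 10.0.0.5 GET /news.php cookie="lang=en; session='
    + base64.b64encode(b'{"user":"bob"}').decode() + '"',
    '2016-09-24T10:00:02Z 10.0.0.7 GET /news.php cookie="session='
    + base64.b64encode(_constructed_blob(78)).decode() + '"',       # 20 + 16 + 32 + 10 bytes
    '2016-09-24T10:00:03Z 10.0.0.9 POST /news.php cookie="note='
    + base64.b64encode(b"x" * 78).decode() + '"',                   # right length, but text
]

COOKIE_RE = re.compile(r'cookie="([^"]*)"')


def cookie_values(header):
    """Yield (name, value) pairs from a 'a=b; c=d' cookie header."""
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            yield name, value


def fits_routing_layout(n):
    """True if n bytes could be routing header [+ AESc block] per the slide tables."""
    if n < ROUTING_HDR:
        return False
    rest = n - ROUTING_HDR
    if rest == 0:
        return True                      # routing header only, no client data
    return rest >= AESC_OVERHEAD + AES_BLOCK and (rest - AESC_OVERHEAD) % AES_BLOCK == 0


def printable_ratio(raw):
    """Share of bytes in the printable ASCII range; ciphertext sits near 95/256."""
    return sum(32 <= b < 127 for b in raw) / len(raw)


def suspicious_cookies(log_lines, max_printable=0.75):
    """Return cookies whose base64 payload is shaped like a routing packet and looks encrypted."""
    hits = []
    for line in log_lines:
        m = COOKIE_RE.search(line)
        if not m:
            continue
        client = line.split(" ", 2)[1]
        for name, value in cookie_values(m.group(1)):
            try:
                raw = base64.b64decode(value, validate=True)
            except (binascii.Error, ValueError):
                continue                 # not base64 at all: ordinary cookie
            if fits_routing_layout(len(raw)) and printable_ratio(raw) < max_printable:
                hits.append({"client": client, "cookie": name, "decoded_len": len(raw)})
    return hits


if __name__ == "__main__":
    for hit in suspicious_cookies(SAMPLE_LOG):
        print(hit)          # only the 10.0.0.7 'session' cookie is reported
```

The length test alone would also match the third line (78 printable bytes), which is why the second filter exists; in real logs you would further narrow on the base64 character set and on request cadence rather than on any single cookie.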
listeners/http_com
✣ Utilizes Internet Explorer COM objects to communicate instead of Net.WebClient
  - Proxy-aware/etc.!
✣ Slightly different communication structure (data is base64’ed, etc.)
  - Example of modifying basic C2 indicators

listeners/http_foreign
✣ Simplified “foreign” Empire listeners
✣ Allows you to easily pass sessions between control servers, given the staging keys are the same
listeners/http_hop
✣ Completely redone “hop” listener
  - Simpler (with new packet structure) and should be more stable
✣ Uses a .php redirector to tunnel comms through a third site
✣ We’re looking for more language-based redirectors!
  - .ASP/.JSP/etc.
listeners/meterpreter
✣ The only thing present is the generate_launcher() method
  - This generates Invoke-ShellCode code applicable for the given Meterpreter listener specification
✣ Allows you to easily spawn Meterpreter/Cobalt Strike sessions from Empire!
Third Party Listeners
✣ The new structure allows you to communicate (and possibly stage) through well-known third party websites
✣ Let your imagination run with it…
  - * don’t break any terms of service, we’re not lawyers

✣ The management/switch_listener module allows you to generate the comms for a listener, and dynamically update a running agent with new comms!
✣ You can switch from HTTP -> Dropbox -> IE_COM -> Dropbox, even en masse!
Future Listeners
✣ In the next few months:
  - SMB - just need to work out some of the routing components
  - DNS - @enigma0x3 is working as we speak
✣ Ideas?
Demos!

Code Release!

Any questions?
https://github.com/AdaptiveThreat/Empire
http://theempire.io/
@harmj0y, @enigma0x3, @sixdub
@xorrior, @424f424f, @tifkin_