BC-SECURITY/Empire v6.0.0-rc1

on GitHub

To install:

git clone --recursive --branch v6.0.0-rc1 git@github.com:BC-SECURITY/Empire.git
cd Empire
./ps-empire install -y
./ps-empire server

If you are updating from an existing install, you may need to rm -rf the existing .venv in the project directory.
You may also need to remote some submodules that are no longer in the repository rm -rf empire/server/csharp empire/server/plugins/ChiselServer-Plugin empire/server/plugins/Report-Generation-Plugin empire/server/plugins/SocksProxyServer-Plugin

[6.0.0-rc1] - 2025-03-09

• Updated Starkiller to v3.0.0-rc1

Highlights

• Plugin Marketplace
• Go agents
• Empire Compiler for C#
• Command line client removed

Added

• Added support for plugin registries and installing plugins via the API
  • See the Plugin Marketplace in Starkiller 3.0!
• New allow/deny list implementation that properly supports IPv4, IPv6, Ranges, and CIDRs
• Added API endpoints for managing autorun commands on agent checkin
• Added api.ip and api.secure as server config options
• Added Go agents
  • Added Go to install script
  • Added new stager type multi_go_exe
  • Added Go is an option for multi_launcher
  • Added new compiler class GoCompiler
• Added -f flag for install script to force install as root
• Added dynamic options to modules
• Added module code_execution/invoke-script for remote ps1 script execution
• Added module python/code_execution/invoke-script for remote py script execution
• Added sharphound ingestor for CE and tagged bloodhound with legacy

Changed

• Changed minimum Python version to 3.13
• Updated module_service logic for tasking types
• Swapped C# module RunOF for COFFLoader
• Updated parsing for bof formatting to use bof_pack
• Moved bash and pyinstaller stagers to linux folder
• Change formatter to ruff to consolidate developer tooling
• Revised the staging process for agents. Session IDs are provided by the server and all packets are wrapped in routing packets.
  • Updated stageless agents to work with python, ironpython, and powershell with the new staging process.
• Updated tactics and techniques on all modules
• Added a yaml formatter and run pre-commit across all files
• Combined config with config_manager
• Converted many parts of codebase to be compliant with flake8-use-pathlib
• Csharp and bof tasks attach the executable as a 'download' with a tag 'task:input'
• Pass output path to dotnet compiler, only compile the requested version

Breaking

• Many improvements to plugins - see the plugin-development wiki page
• Moved Agents class to AgentCommunicationService
  • Refactored many of the functions and parameter names
• Moved Stagers class to StagerGenerationService
  • Refactored many of the funtions and parameter names
• Moved Plugin Task handling from PluginService to PluginTaskService
• Moved socks management to AgentSocksService
  • Renamed socks properties on AgentSocksService to use plural naming
• Removed update_lastseen parameter from handle_agent_request
• Renamed all config properties in client and server configs to use snake_case
• Starkiller is now accessed at {api_url}/ instead of {api_url}/index.html
• ip_whitelist and ip_blacklist are now ip_allow_list and ip_deny_list and are lists instead of comma separated strings
• Using a new and improved [Empire-Compiler] for C# compilation
  • Downloads pre-compiled Empire-Compiler to eliminate dotnet as an OS dependency
  • Updated shortened task results to show the C# command ran and full input to show directory of the file
  • Updated C# tasks into folders and split yaml configs to be one per module and match Empire yaml format
  • All C# module code has been moved as submodules of Empire-Compiler
  • Moved EmpireCompiler compression from application to the server
  • Moved EmpireCompiler from install script to startup with autoupdate functionality
  • Replaced csharpserver plugin with DotnetCompiler class in empire.server.common
• module_service.execute_module returns a pydantic model
• agent_task_service functions take a user model instead of user id
• All writeable data moved out of the install path into ~/.local/share/empire

Deprecated

Removed

• Removed autorun config options which haven't been used since Empire 3
• Removed install support for Debian 10
• Removed nim stager from Empire and install script
• Removed slack notifications from listeners
• Removed the following stagers
  • osx/pkg
  • windows/backdoorlnkmacro
  • windows/launcher_lnk
  • windows/launcher_sct
  • windows/ms16-051
  • windows/reverseshell
• Removed the following listeners
  • HTTP COM only supports powershell agent and uses an older COM object that isn't used often
  • OneDrive has new APIs and Microsoft hs made registration harder. May return in the future with revisions.
  • Dropbox has new APIs and may return in the future with revisions.
• Removed empire_config.directories.module_source and empire_config.directories.obfuscated_module_source

Breaking

• Removed the command line client. Use Starkiller instead.
• Removed Listeners class
• Removed Credentials class
• Removed functions from Agents class that were marked as deprecated in 5.x
• Removed --restip and --restport options from the command line. Use the config file instead.
• Removed socketport config option on the client which was no longer being used
• Removed script and module upload to memory in favor of modules with same functionality
• Removed reverseshellserver plugin

Fixed

• Fixed Powershell agent overwritting results for C# taskings
• Simplify option_util.validate_options, fixes a bug where an optional file option was treated as required
• Fixed issue loading a plugin that has multiple files
• Fixed issue with permissions caused by git operations being done with de-elevated permissions

Security