github BC-SECURITY/Empire v6.6.0
on GitHub

5 hours ago

[6.6.0] - 2026-04-25

  • Updated Starkiller to v3.5.0

Added

  • Added 8 new modules (7 PowerShell, 1 Python) based on Atomic Red Team to fill partial ATT&CK coverage gaps: thread execution hijacking (T1055.003), cached domain credentials (T1003.005), Safe Mode boot defense evasion (T1562.009), default file association hijack (T1546.001), screensaver persistence (T1546.002), Office template macro injection (T1137.001), Wi-Fi credential extraction (T1555, T1016.002), and Linux proc filesystem credential dumping (T1003.007)
  • Added 16 new modules (13 PowerShell, 3 Python) based on Atomic Red Team for ATT&CK gap coverage: mshta execution (T1218.005), CHM execution (T1218.001), CMSTP UAC bypass (T1218.003), InstallUtil execution (T1218.004), regasm execution (T1218.009), msiexec execution (T1218.007), indirect command execution (T1202), browser cookie theft (T1539), base64 file encoding (T1027), compile-after-delivery (T1027.004), root certificate installation (T1553.004), hidden user creation (T1564.002), Python startup hooks (T1546.018), Windows Terminal profile persistence (T1547), exfiltration over alternative protocols (T1048.003), and Linux at job scheduling (T1053.002)
  • Added 25 new modules (19 PowerShell, 6 Python) based on Atomic Red Team for ATT&CK gap coverage: clear command history (T1070.003), impair history logging (T1562.003), disable firewall (T1562.004), hide artifacts (T1564.001), FSUtil indicator removal (T1070), network share removal (T1070.005), rename system utilities (T1036.003), masquerading (T1036, T1036.005), rundll32 proxy execution (T1218.011), regsvr32 proxy execution (T1218.010), signed script proxy (T1216), jsc.exe compilation (T1127), BITS jobs (T1197), logon script persistence (T1037.001), VM detection (T1497.001), system language discovery (T1614.001), web beaconing (T1071.001), and local data staging (T1074.001)
  • Added ./ps-empire test command as a convenience wrapper for pytest with passthrough arguments
  • Added Alembic database migration framework for versioned schema management. Untracked databases are stamped at the baseline revision on first startup; already-tracked databases are left as-is so pending migrations can be applied. Includes migrate_db() and backup_db() functions for future update workflows.
  • Added configurable MySQL connection pool settings (pool_size, max_overflow, pool_pre_ping, pool_recycle) via server config YAML
  • Added pool health monitoring that warns at 80% capacity
  • Added mysql pytest marker for tests requiring MySQL and Docker
  • Added performance test suite (empire/test/test_performance/) for pool exhaustion and event loop blocking regression testing
  • Added performance tests for module obfuscation (event loop blocking detection, latency measurement, pre-obfuscation latency)
  • Added POST /api/v2/obfuscation/modules/preobfuscate endpoint for targeted pre-obfuscation of specific modules by ID (runs in background, returns 202)
  • Added strict and suggested_values to boolean switch options in modules for better validation and UI hints
  • Added dynamic depends_on options to stagers so dependent fields (e.g. Bypasses, Obfuscate, ObfuscateCommand) are shown/hidden based on the selected listener type
  • Added nanodump BOF module for creating minidumps of the LSASS process using various evasion techniques (handle duplication, process forking, snapshot, seclogon handle leaking)
  • Added 7 new BOF modules sourced from Sliver Armory for defense evasion and credential access:
    • unhook — refresh DLLs to remove EDR/AV API hooks (T1562.001)
    • patchit — all-in-one AMSI + ETW patch/check/revert (T1562.001)
    • inject_amsi_bypass — AMSI bypass in a remote process via syscalls (T1562.001)
    • inject_etw_bypass — ETW bypass in a remote process via syscalls (T1562.001)
    • credman — dump Windows Credential Manager via SeTrustedCredManAccess (T1555.004)
    • handlekatz — LSASS dump via handle duplication to evade handle-based detection (T1003.001)
    • bofroast — Kerberoasting as a BOF without .NET CLR dependency (T1558.003)
  • Added multi-language stager support (powershell, csharp, ironpython, go) to UAC bypass privesc modules: bypassuac, bypassuac_env, bypassuac_eventvwr, bypassuac_sdctlbypass, bypassuac_wscript
  • Added configurable obfuscation.timeout setting (default: 300s, set to 0 to disable) for the PowerShell obfuscation subprocess, settable via config.yaml or EMPIRE_OBFUSCATION__TIMEOUT env var

Changed

  • Agent check-in uses single INSERT with ON DUPLICATE KEY UPDATE / ON CONFLICT DO NOTHING instead of SELECT-then-INSERT (2 queries → 1)
  • All FastAPI route handlers converted from async def to def. FastAPI now dispatches every handler to a thread pool, preventing synchronous SQLAlchemy calls from blocking the uvicorn event loop. Handlers that previously offloaded work via asyncio.to_thread() no longer need to — the thread pool provides the same isolation automatically.
  • High-frequency hooks (AFTER_AGENT_CALLBACK_HOOK, AFTER_TASKING_RESULT_HOOK, AFTER_AGENT_CHECKIN_HOOK, AFTER_TASKING_HOOK) now fire with None as the session argument. _run_async_hook and run_hooks provide a fresh managed session to hook callbacks, eliminating the 2x connection amplification that occurred when hooks opened a second connection while the caller still held the first.
  • Cleaned up redundant "Switch." prefixes and duplicate description text from module option descriptions
  • Marked Listener and Command options as conditionally required in 7 lateral movement modules (invoke_psexec, invoke_wmi, invoke_smbexec, invoke_dcom, invoke_psremoting, inveigh_relay, invoke_executemsbuild) so they are validated when their depends_on condition is met

Removed

  • Removed legacy archive field from empire_compiler config; use repo and ref instead

Fixed

  • Fixed flaky test_pool_exhaustion_at_concurrency_levels[250] CI failures by marking the 250-concurrency case with pytest.mark.flaky(reruns=2) via the new pytest-rerunfailures dev dependency. The assertion is preserved exactly (250 stays 250), so a real throughput regression still fails all retries while transient CI resource contention clears on rerun.
  • Fixed DB pool exhaustion under concurrent load causing 503/504 cascading failures. The root cause was hook connection amplification: async hooks called inside DB session blocks opened a second pool connection via _run_async_hook while the caller still held the first, doubling connection usage per check-in.
  • Fixed event loop blocking across all API endpoints. Previously only stager, listener, and plugin endpoints were addressed; now all 216 handlers use def to prevent any synchronous DB call from blocking the event loop.
  • Fixed donut-shellcode failing with "Cannot open file" when a root-owned loader.bin exists in the working directory, breaking all shellcode generation tests and stager paths. Donut calls now run in an isolated temp directory via a shared donut_create() utility with a threading lock for concurrency safety.
  • Fixed unnecessary GitHub API call on every server startup when the compiler is already cached locally
  • Fixed unhandled TagInvalidException in parse_routing_packet that caused request crashes from stale agents or non-agent traffic
  • Fixed TypeError in BOF module parameter packing when integer values were passed to options that require space-checking
  • Fixed module option descriptions for Obfuscate and ObfuscateCommand that contained redundant text
  • Fixed evaluate_dependencies crashing when DependsOn key exists but is None
  • Fixed strict option validation crashing when SuggestedValues is None
  • Fixed options with unmet depends_on conditions being excluded from params, causing KeyError in module generate() functions — they now pass through with their default value
  • Fixed broken revert_options logic in stager_service that assigned entire option dicts as values, causing circular reference errors during JSON serialization
  • Fixed invoke_ntsd module setting stager options without the ["Value"] key, causing TypeError during launcher generation
  • Fixed invoke_executemsbuild Command option depends_on pointing to Payload=Empire instead of Payload=Manual, and added missing depends_on for Listener
  • Fixed agent staging log messages displaying wrong language (e.g. "Python PUB key" for PowerShell agents, "PS" in C# block) by replacing hardcoded language names with the actual agent language
  • Fixed incorrect log levels in agent communication: log.error for normal conditions (agent not active, agent exiting) downgraded to log.debug/log.info, log.info for invalid data (bad language spec, malformed sysinfo) upgraded to log.warning
  • Fixed typo in SOCKS client error message ("failed to started" -> "failed to start")
  • Fixed double-obfuscation in PowerShell module script generation — when a module source was already obfuscated (via get_module_source or auto_get_source), finalize_module was re-obfuscating the entire combined script, spawning a redundant PowerShell subprocess per task. finalize_module now accepts script_already_obfuscated to skip the expensive re-obfuscation while still obfuscating the invoke command (script_end).
  • Fixed obfuscation subprocess (Invoke-Obfuscation) running indefinitely with no timeout. Added 300s timeout, process group isolation (start_new_session), return code checking, and empty output validation. On failure, gracefully falls back to keyword-obfuscated script with error logging.
  • Fixed background jobs for the python agent.
Check out latest releases or
releases around BC-SECURITY/Empire v6.6.0

Don't miss a new Empire release

NewReleases is sending notifications on new releases.

Get notifications