It’s that time of year again — to reflect on the previous year’s accomplishments. I’ve always wanted to work on a team of talented hackers and security engineers that contribute back to the security community in public ways and consider myself quite blessed to be able to do that and even influence more contributions. It truly is a great experience getting to work with a team like this. I thought I’d take a moment to try to list out most (if not all) of these public contributions, knowing full well it’s the tip of the iceberg, since in this line of work we often have to keep certain things close to the chest.
Here are some of my red team’s public contributions for 2017 (you’ll note that many of these affect the Empire Project — which we love):
When we started looking at using the Empire Project to do domain fronting, we found out it was lacking support to do this over SSL/TLS. Turns out it was just a few lines of code affecting how the certificate chains were presented, but sometimes the fewest lines of code take the longest amount of time to troubleshoot.
· Empire server-side RC scripts on agent connect — Carrie
This is huge. My team is still only beginning to scratch the surface from this improvement. Basically, prior to this, there weren’t a ton of good, flexible, repeatable options for setting up Empire quickly. Now, there are many, many options. Like RC scripts within RC scripts within RC scripts. Gone are the days of troubleshooting a broken listener config because copy/paste into a 120 character wide terminal introduced a whitespace character that Empire doesn’t understand.
· Empire slack integration for agent events — Danny
How cool is it that every new Empire install now has the ability to send you a slack notification when shells phone home? That’s right — you can now interrupt your date nights by checking your phone from the dinner table or movie theater to get the exciting news that your shell phoned home! It’s right there in the listener config. On every phone home, log it in real time in the slack channel of your choosing. No code necessary — just configuration (P.S. set this up in your server build RC script — see above!)
· Empire agent-side autorun RC scripts — Carrie
Before this change, when you got an Empire shell, you had two options: do nothing (i.e. stay 100% manual), or configure a single module to auto-fire, whether it contextually made sense or not (e.g. a Windows module on a Mac host). Now, there are many flexible options to automate any Empire module in a string of actions when the shell phones home. Speaking of date nights … Don’t interrupt that special time with your loved ones. Don’t pause the TV show because you have to babysit the shell that phoned home after hours. You can now pre-program in a set of actions that puts that shell in the state you want to find it in when date night is over. That’s right — my red team cares about your social life (or at least our own).
· Empire DDE Word Payloads — James
Yep, DDE payloads were the rage for a big chunk of the summer, so we went ahead and gave you a module to automatically create one right from Empire.
· Empire Mac OS sandbox mode credential prompts — Danny
This was one of several changes we gave back to show some Mac OS love for Empire. Starting with Office 2016, a macro payload dropping an Empire agent would find itself inside a sandbox. This gets detailed quickly and varies quite a bit among the different patch levels of Office; however, we thought it would be nice to add in some support for the sandbox with some neat tricks that work under a variety of conditions. The primary one: we figured out how to still prompt for credentials, giving a privilege escalation possibility to an otherwise dead, sandboxed shell.
· Empire Save credentials from Mac credential prompts — Tim
Previously, if you ran the credential prompt module, which pops a dialog box on the remote host to trick a user into providing their password to the dialog, which in turn sends it to Empire, that password just went out to the stdout ether. Now, Macs have equal treatment similar to Windows and those creds get thrown into the sqlite DB in the credential table, where you can find them like all other credentials.
· Empire cleaned up the keylogger output — Carrie
If you ever ran the keylogger module on an Empire agent, you probably pulled your hair out trying to piece the keystrokes back together in a readable format. If you pull down a fresh Empire build, you can thank Carrie that you no longer have to do that. It’s nice and clean and the output is right in the agent history where you’d expect.
· Empire generate upload functionality for stagers — James
Before this change, Empire’s ability to upload stagers was limited, so James took the time to figure out how to plumb in a better approach. Like most plumbing, you’ll probably not notice it until you do, but it’s there and you can thank James.
This was a fun one (read more details here). The gist is: now you can use a fresh from github install to generate a macro that will run on both windows or mac targets — it’s always nice to have options and backup plans for when that payload lands somewhere you didn’t anticipate. Good teams will probably tweak the output from the template to their latest tradecraft, but it provides a great starting point and resolves dependency issues for Macs.
· Empire improved powershell module output for better results visibility — Carrie
Some of the neat powershell tools that have been written, shared with the community, and then pulled into Empire just return PowerShell objects, which are difficult or impossible to parse in a text based Empire console. Carrie modified the output to make sure the data you were looking for comes back how you’d expect it. Thank her the next time you run a large dump of situation awareness data from an AD module, for instance, via an Empire agent.
· Empire added userland persistence options for MacOS — Tim
Empire had some nice system/admin persistence options for Macs, but there wasn’t any support for userland persistence for when your shell lands on a non-admin user’s desktop. This gives you options to solve that gap.
· Empire lateral movement via NTSD (NT Symbolic Debugger) — James
This is a neat module for lateral movement that involves leveraging the NT Symbolic Debugger to move from one host to another. This isn’t a really common technique, so it may give you an additional option when you want to change things up and try something different.
· ExploitDB/Packetstorm Leaderboard — James
Branching away from Empire … James had a mad minute drop of private 0day exploits he had been sitting on for some time to bump on top of the leaderboard of Exploit DB. There’s a bunch of code out there now, so you have more options when you run up against some of these application targets.
· Commentator — Carrie
Another interesting tool is Commentator, which gets its name from being able to edit the comment field in the properties of an office document to wedge in a larger payload than what you can put into that field when using MS Office directly. But it does oh so much more and she frequently tinkers and adds new things to it.
In addition to all of those tool developments, there were a number of blog posts and conference talks at venues like Derbycon, Wild West Hackin’ Fest, ShowMeCon, and a few BSides.
In summary, it’s been a good year, we’re excited we were able to contribute back to the community, and we’re looking forward to an outstanding 2018 where we plan to do even more. We’re already so busy that I just had to hit the publish button on this or it will turn into a 2018 year review before too long!