
Resurrected PowerShell Empire Framework Converted to Python 3


Hackers of all sorts are getting an early Christmas present this year in the form of a resurrected PowerShell Empire post-exploitation framework all wrapped up in Python 3.


Released in 2015, the tool was officially discontinued by its original developers on July 31. Being open-source, the framework had been forked more than 1,500 times and remained available to anyone who still wanted to try it out.

The decision was motivated by "the security optics and improvements that have been provided by Microsoft in the past few years."

BC Security, a consulting firm specialized in the assessment of wireless networks and threat emulation for enterprise networks, still believed that the project was an asset for offensive security and forked it.

Today, the security outfit published Empire 3.0 officially along with details about the changes introduced.

Under the new wrapping
The most notable modification is the conversion to Python 3, since support for version 2.7 ends on January 1, 2020. Apart from being essential to keeping the project alive, this also ensures that Empire remains relevant to the Kali Linux distribution for advanced penetration testing.

The bundled modules also went through changes: some are new additions, while older ones received a refresh that pulled them out of the Dev branch of the original PowerShell Empire framework. BC Security lists the following:

Mimikatz version 2.2.0 20191125
Get-Subnet_Ranges
Get-WinUpdates
Get-KerberosServiceTicket
Invoke-RID_Hijack
Invoke-internal_monologue
Get-LAPSPasswords
Invoke-SMBLogin
Sherlock
Outlook Sandbox Evasion for Windows Macro launcher
Invoke-CredentialPhisher
Invoke-Phant0m
Get-AppLockerConfig
HostRecon

One of the significant upgrades BC Security lists for the revamped Empire is improved evasion on Windows.

"This has been achieved by updating the base launchers to remove some of the distinctive signatures that existed."

Some bugs that stood in the way of reaching new evasion levels were fixed. One of them in particular made obfuscation more difficult and alerted Windows Defender.

The bypasses for the Antimalware Scan Interface (AMSI) have been updated so that they are smaller in size and have a different signature since security suites were already triggered by them.

Adding Mimikatz 2.2.0 to the framework makes it possible to run attacks against Windows 10 versions and dump hashes, passwords, and tickets stored in the memory of this operating system.

"Another new feature is the addition of Data Protection API (DPAPI) support for Powershell PSCredential and SecureString."

Another big improvement is the implementation of JA3/S signature randomization. JA3 is a method of fingerprinting TLS handshakes that is useful for identifying malicious encrypted traffic.

In the case of JA3, modifying the signature requires administrator-level permissions on the compromised computer; with JA3/S, admin privileges are not needed. Randomization helps hide the Empire agent's communication with its command and control (C2) server.
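To make the fingerprinting mechanism concrete from the detection side, the following Python is an added example (not code from Empire, BC Security or the JA3 project): it builds constructed ClientHello records, extracts the fields JA3 hashes (version, cipher suites, extension types, supported groups, EC point formats), drops GREASE values as the JA3 specification does, and shows that merely reordering or adding an extension produces a different hash, which is exactly what signature randomization exploits. The extension type numbers are the IANA-registered values; every handshake below is constructed, not captured traffic.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from JA3 so that clients which
# randomise them still produce a stable fingerprint.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

# TLS extension type numbers (IANA registry).
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_GROUPS = 0x000A
EXT_EC_POINT_FORMATS = 0x000B
EXT_EXTENDED_MASTER_SECRET = 0x0017
EXT_SESSION_TICKET = 0x0023


def supported_groups_ext(groups):
    data = struct.pack(">H", 2 * len(groups)) + b"".join(struct.pack(">H", g) for g in groups)
    return (EXT_SUPPORTED_GROUPS, data)


def ec_point_formats_ext(formats):
    return (EXT_EC_POINT_FORMATS, bytes([len(formats)]) + bytes(formats))


def build_client_hello(version, ciphers, extensions):
    """Build a TLS record carrying a minimal ClientHello (constructed test input).

    extensions: list of (type, data) tuples in wire order.
    """
    body = struct.pack(">H", version)
    body += bytes(32)                      # client random (zeros for the example)
    body += b"\x00"                        # empty session id
    body += struct.pack(">H", 2 * len(ciphers))
    body += b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                    # one compression method: null
    ext_bytes = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_md5) for a TLS record holding a ClientHello.

    JA3 string = version,ciphers,extension_types,supported_groups,ec_point_formats,
    each list joined by '-' with GREASE values dropped; the hash is MD5 of it.
    """
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 0
    version = struct.unpack_from(">H", body, pos)[0]
    pos += 2 + 32                          # skip version and client random
    pos += 1 + body[pos]                   # skip session id
    cs_len = struct.unpack_from(">H", body, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from(">H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                   # skip compression methods
    ext_types, groups, formats = [], [], []
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack_from(">H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from(">HH", body, pos)
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == EXT_SUPPORTED_GROUPS and len(data) >= 2:
                glen = struct.unpack_from(">H", data, 0)[0]
                groups = [struct.unpack_from(">H", data, 2 + i)[0] for i in range(0, glen, 2)]
            elif etype == EXT_EC_POINT_FORMATS and len(data) >= 1:
                formats = list(data[1:1 + data[0]])

    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    ja3 = ",".join([str(version), join(ciphers), join(ext_types), join(groups), join(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def fingerprints_match(record_a, record_b):
    """True when two ClientHellos yield the same JA3 hash."""
    return ja3_from_client_hello(record_a)[1] == ja3_from_client_hello(record_b)[1]


# Constructed sample handshakes (not captured traffic).
SNI = (EXT_SERVER_NAME, b"\x00\x0c\x00\x00\x09localhost")
BASE_CIPHERS = [0x1301, 0x1302, 0xC02B, 0xC02F]
BASE_EXTS = [SNI, supported_groups_ext([0x001D, 0x0017, 0x0018]),
             ec_point_formats_ext([0]), (EXT_SESSION_TICKET, b"")]
BASELINE = build_client_hello(0x0303, BASE_CIPHERS, BASE_EXTS)
# Same client with GREASE values sprinkled in: the fingerprint must not change.
WITH_GREASE = build_client_hello(0x0303, [0x0A0A] + BASE_CIPHERS, [(0x1A1A, b"")] + BASE_EXTS)
# Same cipher set, extensions reordered and one added: the hash changes, which is
# what a signature-randomising agent relies on to evade a static JA3 blocklist.
RANDOMISED = build_client_hello(0x0303, BASE_CIPHERS,
                                [BASE_EXTS[2], BASE_EXTS[0], BASE_EXTS[1],
                                 (EXT_EXTENDED_MASTER_SECRET, b""), BASE_EXTS[3]])

if __name__ == "__main__":
    for name, rec in [("baseline", BASELINE), ("with GREASE", WITH_GREASE), ("randomised", RANDOMISED)]:
        s, h = ja3_from_client_hello(rec)
        print(f"{name:12s} {h}  {s}")
```

JA3S is the same construction applied to the ServerHello (version, the single chosen cipher, extension types), so the server side of a C2 channel can be fingerprinted even when the client side varies. Because the example shows how cheaply the client hash changes, a detection rule should treat a JA3/JA3S match as one signal alongside destination reputation, certificate details and beaconing patterns rather than as a standalone verdict.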

BC Security plans on continuing the development of the new PowerShell Empire post-exploitation framework and on expanding its feature set.

While the developers admit that PowerShell is no longer the most effective attack vector, since defenders now have ways to detect when it is being used for malicious activity, they say the threat remains a realistic one.

Such exploitation toolkits, even if they are intended for penetration testers to probe the security of an organization, are also weapons of choice for real threat actors and Empire is no exception.

The unsupported version of the framework was used by Ryuk and BitPaymer ransomware operators and other advanced adversaries, such as FIN7 and Hades APT group. The new release is expected to follow a similar path.


This post first appeared on EHackNews - The Hackers News, please read the original post: here
