======================= 9/16/2016 - RELEASE 1.6 ======================= -Encompasses all changes since the 1.5 tagged release 9/16/2016 --------- -Fix for 'skywalker v2' file overwrite exploit on control server (thanks again @zeroSteiner :) 9/10/2016 --------- -Fixes for Invoke-WScriptBypassUAC 8/31/2016 --------- -Invoke-ARPScan.ps1 now uses reflection 8/15/2016 --------- -Added stagers/scrambled_macro 8/15/2016 --------- -Added in "Fileless" UAC bypass using eventvwr.exe 8/13/2016 --------- -Merged in updated Normal.dotm persistence module. 7/20/2016 --------- -Version 1.5.3 -Fix for issue #273 - added hostnames to raw screenshot output file -Fix for issue #285 - credential export supporting commas -Start of code standardization/pep8 cleanup - mods to agents.py, empire.py, and credentials.py -moved collection/keethief to collection/vaults/keethief -added collection/vaults/find_keepass_config to enumerate KeePass configs on a system -added collection/vaults/add_keepass_config_trigger to add a trigger backdoor to all reachable KeePass instances -added collection/vaults/get_keepass_config_trigger to enumerate all triggers for all reachable KeePass instances -added collection/vaults/remove_keepass_config_trigger to remove all triggers for all reachable KeePass instances -Misc. bug fixes 7/16/2016 --------- -Added collection/keethief module to pilfer KeePass key material from memory -"creds X" now searches additional fields for the term (like domain) -merged credentials/enum_cred_store from @BeetleChunks 7/15/2016 --------- -Merged @rvrsh3ll's collection/browser_data module -Merged @curi0usJack's situational_awareness/network/smbautobrute module -fix for issue #258 - "interact AGENT" now works globally in every menu except an active agent menu -fix for issue #221 - hop listeners -fix for issue #252 - management/invoke_script now no longer requires an external script -fix for issue #257 - sysinfo now executed after running the steal_token command 6/24/2016 --------- -Updated Invoke-Mimikatz to include a fix for multi-cpu boxes/processor detection -Merged @n0clues pull request to change paths from %TEMP% to %PUBLIC% for spawnas module to fix a bug when spawning as a different user. -Fixed a typo in the dcsync_hashdump that caused it to crash the Empire server -Merged in Inveigh 1.1.1 and current Tater build thanks to @Kevin-Robertson -Fixed a bug in the REST API due to the port being a string and not an int -Added 417 Expectation failed error bug fix for older proxies (Squid) thanks to @i223t 6/9/2016 --------- -Updated SQLite dll for Get-ChromeDump.ps1 5/27/2016 --------- -Fixed format issues with Get-ComputerDetails.ps1 -More verbose output added to PowerUp's Invoke-ServiceCMD -Made Get-SPN PowerShell 2.0 compatible -Updated RunAs to include an argument parameter -Merged @tristandostaler's /api/map feature to the Rest API -Merged in @andrew-morris's installer update to include -Y switch for apt-get commands -Merged in MS16-032 local privesc from @leoloobeek 5/4/2016 --------- -Merged @jaredhaight's Invoke-MetasploitModule module 5/2/2016 --------- -tightened up argparse validation 4/24/2016 --------- -Added credentials/get_spn_tickets to request SPN tickets. -Added credentials/mimikatz/extract_tickets 4/21/2016 --------- -Merged @Subtee's regsvc32 (sct) stager 4/1/2016 --------- -listener starting now returns more verbose errors on failure in console and API -merge of @mynameisiv's .jpg screenshot PR -Fix for path errors in some cases for ./setup/setup_database.py ======================= 3/31/2016 - RELEASE 1.5 ======================= -Encompasses all changes since the 1.4 tagged release 3/31/2016 --------- -Merge of Inveigh 1.1 update and privesc/tater -Updated of Invoke-Mimikatz.ps1 source -Updated mimikatz dlls to version 2.1 alpha -Included modification to suppress cmd.exe when spawned via PTH. 3/30/2016 --------- -Added loading of external modules with 'load /path/modules/' 3/25/2016 --------- -RESTful API modifications -expanded agent/server epoch check to +/- 12 hours -stagers now run -sta 3/24/2016 --------- -RESTful API modifications 3/22/2016 --------- -added auth to RESTful API, additional API fixes 3/21/2016 --------- -start of RESTful API implementation 3/19/2016 --------- -PowerView.ps1 update and multiple related module additions -added github issue templates -added situational_awareness/network/powerview/get_gpo_computer 3/11/2016 --------- -added privesc/getsystem -bug fix for Invoke-PsExec and some x64 pointers 3/3/2016 --------- -first pass at stager retry interval -download chunking modified 2/17/2016 --------- - '--debug 2' now displays debug information to the console as well as the empire.debug file -added privesc/mcafee_sitelist 1/15/2016 --------- -start of command line option integration, use './empire -h' to see options -bug fixes -'searchmodule' with no arguments now lists all modules 1/14/2016 --------- -Fix for some UTF-8 encoding issues 1/10/2016 ---------- -Corrected several bugs in how the workingHours window is handled in the agent ============ 12/29/2015 - RELEASE 1.4 ============ -Encompasses all changes since 1.3.1 tagged release 12/29/2015 ---------- -Added situational_awareness/network/powerview/find_managed_security_groups to integrate @stufus' new code -Fixed various issues with agent profile handling -'DefaultProfile' option in listener menu is now tab-completable and can take a path to a profile.txt 12/28/2015 ---------- -Merge of @stufus' Find-ManagedSecurityGroups code into PowerView.ps1 base 12/26/2015 ---------- -Merge of @jamcut's situational_awareness/host/findtrusteddocuments module 12/22/2015 ---------- -Sync of Kevin Robertson's lateral_movement/inveigh_relay module -Sync @stufus' exfiltration/egresscheck module -Added module menu dynamic sizing for prettified output 12/20/2015 ---------- -hop.php redirector fix 12/16/2015 ---------- -Sync of Kevin Robertson's collection/inveigh update -Added trollsploit/rick_ascii -Bug fixes 12/11/2015 ---------- -Updated powerview.ps1 -Added situational_awareness/network/powerview/get_cached_rdpconnection -Added situational_awareness/network/powerview/set_ad_object -Added management/downgrade_account -Merge of @mubix's setup automation 12/9/2015 --------- -Added credentials/mimikatz/cache and credentials/mimikatz/sam 11/30/2015 ---------- -Combined persistence/debugger/* into persistence/misc/debugger -Added SysWow64 option to management/spawn to spawn a 32-bit powershell.exe -Added persistence/userland/backdoor_lnk 11/29/2015 ---------- -Built several modules in management/mailraider/* to integrate @xorrior's MailRaider.ps1 11/28/2015 ---------- -Merged @xorrior's FoxDump and ChromeDump modules 11/25/2015 ---------- -Merged @rvrsh3ll's lateral_movement/invoke_sshcommand 11/24/2015 ---------- -Added script autorun functionality 11/23/2015 ---------- -Merged @rvrsh3ll's recon/http_login 11/21/2015 ---------- -Merge of exploitation/exploit_jboss, bug fix -Fix in case module returns None -Merged debian setup.sh fix -Merged non-interactive cert generation and added to setup.sh -Fixed nested menu bug that caused buildup of "Agent X not active." -Main display menu now shows each time "main" menu is entered 11/8/2015 --------- -All PowerUp modules now dynamically built from a single source file -PowerUp bug fixes -Added privesc/powerup/service_exe_restore, pulled logic from other modules -Added management/spawnas to spawn agents with explicit credentials -Debug functionality (--debug) now outputs the source of the last tasked script to ./LastTask.ps1 -Write-Verbose and Write-Debug lines now stripped from tasked scripts -Added situational_awareness/network/powerview/get_forest module 11/4/2015 --------- -Added persistence/misc/add_netuser to add local/domain users 11/2/2015 --------- -Fixed small bug in TASK_CMD_WAIT response parsing ============ 10/30/2015 - RELEASE 1.3.1 ============ -Updated reflectivepick dlls to fix bug in injection and dll payload injection ============ 10/29/2015 - RELEASE 1.3 ============ -Encompasses all changes since 1.2 tagged release 10/26/2015 ---------- -Fix for psinject bug due to lack of .NET 4.0 on target. -Fix for bug in persistence/misc/add_sid_history 10/23/15 -------- -Updated powerview.ps1 source to Version 2.0 -Built a way to dynamically generate the stripped PowerView code for functions needed by PowerView modules (helpers -> generate_dynamic_powershell_script), and updated all relevant PowerView modules -Renamed PowerView modules to better match PowerView 2.0 naming scheme and moved to situational_awareness/network/powerview/* -Removed old split-out PowerView source files -Removed situational_awareness/network/netview -Combined stealth_userhunter into option for userhunter -Added situational_awareness/network/get_forest_domain, situational_awareness/network/powerview/get_object_acl, situational_awareness/network/powerview/find_computer_field, situational_awareness/network/powerview/find_user_field, situational_awareness/network/powerview/get_ou, situational_awareness/network/powerview/get_group, situational_awareness/network/powerview/get_group_member, situational_awareness/network/powerview/get_gpo, situational_awareness/network/powerview/find_gpo_location, situational_awareness/network/powerview/find_gpo_computer_admin, situational_awareness/network/powerview/process_hunter, situational_awareness/network/powerview/find_foreign_group, situational_awareness/network/powerview/find_foreign_user -renamed collection/filesearch to collection/find_interesting_file 9/21/2015 --------- -Fix for 'skywalker' file overwrite exploit on control server (thanks @zeroSteiner!) 9/12/2015 --------- -Added credentials/mimikatz/mimitokens to take advantage of Mimikatz' token listing/elevation -Added management/enable_multi_rdp to patch terminal services to allow mutiple connections -Fixed bug in write_dllhijacker that prevented the dll from being written out ============ 8/30/2015 - RELEASE 1.2 ============ -Encompasses all changes below --- 'Native' shell commands in agent core ported to WMI equivalents --- HMAC now uses SHA1 instead of MD5 --- Numerous bug fixes and UI tweaks throughout code --- Six new modules and WAR stager added, /sids option added to golden_ticket --- Fixed international locale bug with unicode text in agent.ps1 8/29/2015 --------- -HMAC algorithm for packet comms upgraded to use SHA1 instead of MD5 -credentials collected from collection/prompt now scraped/added to credential model 8/26/2015 --------- -Added module privesc/bypassuac_wscript -Added module collection/inveigh -Added stager war 8/24/2015 --------- -Added credentials/mimikatz/dcsync for remote DC credential extraction -Added situational_awareness/network/get_domaintrusts -Added /sids argument for credentials/mimikatz/golden_ticket -Added credential parsing for dcsync output -updated links for PowerTools -Fixed bug in credential parsing with ":" inside of the password,username, or domain -Fixed international locale bug with unicode text in agent.ps1. Now all results are base64 encoded prior to being packetized. Encoding will be handled at server. 8/20/2015 --------- -Continued porting native shell commands to WMI replacents in agent core -In agent menu, 'shell CMD' now runs straight IEX CMD, and 'help agentcmds' shows safe aliases -Modified ./setup/reset.sh to work from parent or ./setup/ folders -Agent core functions streamlined -"list [agents/listeners] " should now be a global command 8/19/2015 --------- -Added collection/netripper, port of the NetRipper project -Added collection/packet_capture for netsh event tracing -Added management/zipfolder for native folder compression -Corrected menu behavior on agent exit, bug fix on some dir behavior -Started porting native shell commands to WMI in the agent core ============ 8/16/2015 - RELEASE 1.1 ============ -Encompasses all changes below --- Crypto patch to prevent DOS condition --- Numerous bug fixes throughout code --- Extra modules added and HTA stager --- Ability for agents to die after certain number of failed checkins --- Added ability to easily remove "stale" agents 8/15/2015 --------- -Added modules management/timestomp, trollsploit/process_killer, persistence/elevated/wmi, situational_awareness/network/smbscanner, lateral_movement/invoke_psexec -Accepted HTA Stager from subtee 8/12/2015 -------- -Merged in list stale and remove stale functionality -Fixed delay in list stale feature -Fixed active agent message in list stale feature -Fixed registry storage in schtasks and registry persistence modules (userland and elevated) 8/11/2015 --------- -Merged in Lost Agent Detection -"agents> remove X" now removes agents that checked in > X minutes ago -"agents> list stale" and "agents> remove stale" now list/remove stale agents past their max checkins 8/10/2015 --------- -Fixed tab completion of usestager module -Added dependencies for Ubuntu 14.04 -Fixed IP Whitelisting set from file -Added "Lost Agent Detection". Allows the ability for an agent to die after a certain number of missed checkins. This is implemented via the "lostlimit" command. Default set to 60 missed checkins. 8/9/2015 ---------- -Fixed flaw in crypto allowing a DOS condition. -Added authentication to the AES crypto scheme to verify integrity of messages 8/6/2015 ----------- -Initial release. All components released -Commited path fix to correct bug in certain modules