Offensive Security Tools | Hubbl3
Note: This blog is quite technical and I wanted it to be a quick, concise reference for TTPs. If you find the text explanations to be a bit dense, I ...
Not Your Grandfather’s Empire
I’ve wanted to put this blog together since returning home from DEFCON. Anytime we ran into someone who recognized our swag, they mentioned how much they ...
Cyber Security | Hubbl3
Note: All code samples shown in the post can be found in our repo here In recent years, PowerShell tradecraft has seen a drop in popularity among pentesters, red teams, ...
Cyber Security | Hubbl3
Recently, while discussing cyber risk management with a customer, they made the observation that there is a lot of training for top-level risk management in the shape of things like ...
Cyber Security | Hubbl3
Reporting is, by nature, only the threat actors that have been caught. What about all the ones that didn’t get caught? There is no way to examine that, and it ...
Cyber Security | Hubbl3
NOTE: Some of the topics in this article are probably going to be a bit contentious, but part of the hope in publishing this article is to drive some additional ...
Offensive Security Tools | Vincent Rose
We recently released Empire 5.8 and Starkiller 2.7. Sometimes, we forget to highlight the cool new features or changes as they release. So, in addition to covering the Empire 5.8 ...
Offensive Security Tools | Vincent Rose
Forget about feeling overwhelmed with a mess of data. With tags in Starkiller, you have more control over keeping everything organized. You can assign tags to various objects – Listeners, ...
Cyber Security | Cx01N
In cybersecurity, techniques evolve rapidly as defenders and attackers adapt to the ever-changing landscape. This article will explore a prime example of this evolution in transitioning from Domain Fronting to ...
Cyber Security | Cx01N
We recently rolled out Empire 5.2 to our public repo! This latest version brings a host of new features, enhancements, and bug fixes to further streamline your experience. Let’s dive ...
Offensive Security Tools | Vincent Rose
The original goal of Empire 5.0 was to only introduce a better v2 REST API to deal with some shortcomings of the original API found while building Starkiller and the ...
Programming | Vincent Rose
We’ve been using GitHub actions for Empire and Starkiller for quite some time now. It’s been a significant productivity boost for our releases because we manage multiple versions of the ...
Cyber Security | Cx01N
Something that we have seen increasingly often on Twitter recently is people ostensibly posting about “Red Teams” and how if they did what APT X did, all their colleagues would ...
Today we wanted to cover one of the lesser-known functions in Empire, the ReverseShell stager. The name may not be as intuitive, so standby for a future name change, but ...
Cyber Security | Hubbl3
Unless you have been living under an infosec rock the past couple of weeks, you probably heard about the Follina exploit, which allows attackers to achieve remote code execution via ...
Uncategorized | Cx01N
It has been another exciting week for the team. First, we are just a week away from our inaugural course for Advanced Threat Emulation: Evasion. Second, we were able to ...
Cyber Security | Cx01N
It has been a while since we have been able to discuss the new features in Empire. We wanted to take some time to discuss some upgrades under the hood ...
Cyber Security | Cx01N
Today, we will talk about combining two fascinating Tactics, Techniques, and Procedures (TTPs) together for deploying Command and Control (C2): IronPython and WebDAV. If you read our previous blog post ...
Cyber Security | Cx01N
During a recent engagement, we were asked to employ Turla’s Tactics, Techniques, and Procedures (TTPs) using IronNetInjector. This is not a toolkit that we had a lot of experience with ...
Cyber Security | Cx01N
Empire 4.2 was just finalized over the weekend and we are excited to share some of the new features. This version has added some new capabilities to keep our threat ...
Cyber Security | Cx01N
It’s that time of year again! This means it’s the season for Halloween, Oktoberfest, and HACKTOBERFEST! So what is Hacktoberfest? Hacktoberfest is a yearly event that encourages participation in the ...
In case you don’t check our commit history on our GitHub on a daily basis, Empire 4.1 and Starkiller 1.9 were released to Kali and Sponsors this week! This release has some much-needed quality of life ...
Are you an infosec developer, blogger, Blue Teamer, or general misfit and want to contribute to the Empire? Well, here’s your chance! We are opening the doors a bit to ...
Cyber Security | Hubbl3
VBA tradecraft is constantly evolving and this past winter, I came across some articles from Adepts of 0xCC. Specifically, their article Hacking in an Epistolary Way: Implementing Kerberoast in Pure ...
Cyber Security | Cx01N
The release of Empire 4.0 is just around the corner and we wanted to take some time to walk through some of its new features. So what is Empire 4.0? It ...
One of the lesser-known features in Empire is the ability to use alternative Command and Control (C2) methods. Specifically, we can leverage the Dropbox API as a C2 channel, which ...
Offensive Security Tools | Vincent Rose
Last week we announced a new partnership with Kali for Starkiller and Empire. You can read up more about that in our previous post. The purpose of this post is ...
Cyber Security | Vincent Rose
Beginning January, we will be granting Kali users and Sponsors 30-day exclusive early access to Empire and Starkiller before the code gets publicly released to our repositories; you can check ...
The new Empire CLI is out and includes some big changes to the user experience. We rebuilt the CLI to interact with the Empire team server through the API. These ...
Cyber Security | Cx01N
It’s been about 2 weeks since we released Empire 3.4, and hopefully everyone has had a chance to check out all the new features. Our team has put quite a few ...
Empire 3.4.0 is our next major release and is packed with one of the most advanced features to date, Malleable C2. The Malleable C2 Listener gives control to operators to customize ...
Cyber Security | Hubbl3
While giving our talk at the DEF CON Red Team Village a couple of weeks ago, I previewed a PowerShell ScriptBlock logging obfuscation technique. I have been working on it ...
Cyber Security | Hubbl3
This entry will focus on the obfuscation of the PowerShell Script in the ScriptBlock log and Transcription log. First, there will be a little more discussion on a module log ...
Cyber Security | Hubbl3
You may remember the good ole days when you could connect to pretty much any mail server (like Gmail) with telnet and spoof emails to your friends from whoever you ...
Cyber Security | Hubbl3
Last month we taught our DEF CON 27 workshop, Introduction to Sandbox Evasion and AMSI Bypasses, as a webinar. It went really well, but the primary focus of the course ...
As part of the Empire 3.1.3 update, we fixed the OneDrive listener and added documentation for easier configuration.
Starkiller represents a huge step forward for red teams trying to operate together on engagements.
Cyber Security | Cx01N
Going back to our Offensive Security definition, red teams and pentesters are attempting to validate that an organization’s systems.
There are a lot of significant changes to Empire, so we thought it would be a good idea to walk through them in a little more detail.
JA3/S signature evasion has become a popular Indicator of Compromise (IOC) and has been incorporated into everything from Splunk to…
Wireless Security | Cx01N
Hacking Jeeps is nothing new in the media, but we wanted to give it a try and see how difficult it is for ourselves. So we dug out our SDRs, ...
Cyber Security | Cx01N
We experienced an unexpected callback to our C2 server while sending a malicious file to an Outlook account.
Cyber Security | Cx01N
BC Security found that the August 12/13 definitions update for Windows does not flag Empire or identify Mimikatz.
COPYRIGHT 2020 - BC SECURITY