Open
Member: Looks good. Just merge the latest main into yours and it should be good to go.
Cx01N approved these changes (Apr 9, 2026)
* Fix CI Docker builds failing on public repo
  The SSH agent setup step was conditional on the sponsors repo, but the Docker builds unconditionally require SSH_AUTH_SOCK to be set. Start the SSH agent on both repos - private keys are only loaded when the CI_SSH_KEY_BOT secret is available.
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Added C stager (EmpireProject#1136)
* Optimize test suite to reduce CI and local run times (EmpireProject#1141)
* Batch module DB queries during startup for faster loading (EmpireProject#1143)
  Pre-load all existing Module records into a dict before the module loading loop, replacing 435 individual SELECT queries with a single bulk query. Reduces startup time by ~4 seconds.
  Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* Modernize Python patterns in core code (EmpireProject#1146)
* Replace os.path with pathlib in core code (EmpireProject#1147)
* Replace os.path with pathlib in listener files (EmpireProject#1150)
* Pathlib migration follow-ups (EmpireProject#1156)
* Optimize test fixtures: reduce boilerplate and make dependencies explicit (EmpireProject#1155)
* Upgrade all dependencies with poetry up --latest (EmpireProject#1157)
  Notable upgrades:
  - cryptography 45.x -> 46.x (removed deprecated default_backend())
  - bcrypt 4.x -> 5.x
  - fastapi 0.116 -> 0.129 (Starlette 0.52 adds allow_private_network to CORSMiddleware)
  - ruff 0.12 -> 0.15 (fix 63 new lint violations from stabilized rules)
  - pytest 8.x -> 9.x
  - pytest-cov 6.x -> 7.x
  - uvicorn 0.35 -> 0.41
  - packaging 25.x -> 26.x
  - requests-file 2.x -> 3.x
  - aiofiles 24.x -> 25.x
  Breaking change fixes:
  - Remove deprecated default_backend() from encryption.py (cryptography)
  - Fix CORSMiddleware positional args for new allow_private_network param (Starlette)
  - Migrate (str, Enum) to StrEnum (ruff UP042)
  - Fix unused unpacked variables (ruff RUF059)
  - Fix single-item membership tests (ruff FURB171)
  - Fix ternary expressions (ruff FURB110)
  - Apply ruff 2026 formatter style guide
  Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* Add unit tests for encryption, packets, helpers, transformations, and listener utils (EmpireProject#1158)
* docs: Specify Ubuntu in the relevant installation documentation. (BC-SECURITY#811)
* Add missing changelog entries for C stager (EmpireProject#1136) and dependency upgrade (EmpireProject#1157)
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Apply suggestion from @vinnybod
* Move Ubuntu docs fix changelog entry to Unreleased section
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Replace handle_error_message with raised exceptions in all modules (EmpireProject#1160)
* Convert 51 modules to use @auto_get_source and @auto_finalize decorators (BC-SECURITY#716) (EmpireProject#1161)
* Replace unmaintained terminaltables with prettytable (BC-SECURITY#809) (EmpireProject#1162)
* Fix MITRE ATT&CK tagging across all modules (EmpireProject#1163)
* Fix MITRE ATT&CK tagging in PowerShell modules
  Correct malformed technique IDs (T11082→T1082, T1555.03→T1555.003, T11638→T1040), replace deprecated techniques (T1076→T1021.001, T1933 removed, T1101.005→T1547.005), fix malformed tactic strings, add missing software fields (S0521 for BloodHound/SharpHound, S0002 for Mimikatz), add missing tactics to modules that had none, and resolve technique-to-tactic inconsistencies across 63 modules. Validated against MITRE ATT&CK Enterprise STIX data.
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Fix MITRE ATT&CK tagging in Python modules
  Add missing tactics field to 80 Python modules (macOS collection, Linux persistence/privesc, DCOS, AD discovery) that had no tactic tags. Fix wrong software field (T1169→empty) on sudo_spawn and piggyback modules. Resolve technique-to-tactic inconsistencies. Tactics derived from MITRE ATT&CK Enterprise STIX technique→tactic mappings and module directory categorization.
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Fix MITRE ATT&CK tagging in C# modules
  Correct malformed technique IDs (T1557.0001→T1557.001, T1558.0003→T1558.003, T1555.03→T1555.003, T11082→T1082), fix malformed tactic string on SharpSC, replace deprecated techniques (T1076→T1021.001, T1933 removed), add missing software field (S1071 for Rubeus), add missing tactics to Spawn module, and resolve technique-to-tactic inconsistencies across 15 modules.
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Fix MITRE ATT&CK tagging in BOF modules
  Add missing tactics for technique-to-tactic consistency across 12 BOF modules. Ensures all listed techniques map to at least one tactic the module declares.
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Update CHANGELOG and module development docs for MITRE ATT&CK audit
  Add changelog entry documenting the ATT&CK tagging audit and fixes across all 439 modules. Update the module development guide to include a MITRE ATT&CK Fields section with proper formatting guidance, and fix the YAML example to use real tactic/technique IDs instead of empty placeholders.
  Ultraworked with [Sisyphus]
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Fix MITRE ATT&CK technique assignments in PowerShell modules
  Remove incorrect T1482 (Domain Trust Discovery) from 19 modules that enumerate users, groups, computers, or network shares — not domain trusts. Remove incorrect T1615 (Group Policy Discovery) from 3 modules unrelated to GPO enumeration. Add missing T1049 (System Network Connections Discovery) to session enumeration modules. Fix T1514 removal in powershell_template and correct edge-case technique assignments for sessiongopher, honeyhash, and smbautobrute.
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Fix MITRE ATT&CK technique assignments in Python modules
  Replace 27 deprecated technique IDs predating ATT&CK v10 with current equivalents: T1141→T1056.002, T1142→T1555.001, T1156→T1546.004, T1165→T1037.005, T1166→T1548.001, T1168→T1053.003, T1208→T1558.003, T1081→T1552.001, T1139→T1552.003, T1155→T1059.002, T1157→T1574.004. Remove Mobile ATT&CK IDs (T1414, T1426) and invalid IDs (T1256, T1156.001, T1081.001). Remove incorrect T1482 from 12 AD enumeration modules. Replace T1106 (Native API) with T1059.006 (Python) on 5 DCOS REST API modules. Remove T1514 from python_template. Fix edge cases in SuidGuidSearch, HijackScanner, etcd_crawler, mail, and prompt modules.
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Fix MITRE ATT&CK technique assignments in C# modules
  Remove incorrect T1482 (Domain Trust Discovery) from Rubeus, Certify, and 5 SharpSploit enumeration modules that query users, groups, computers, or local groups — not domain trusts. Add missing T1049 (System Network Connections Discovery) to GetNetSession.
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Fix MITRE ATT&CK technique assignments in BOF modules
  Remove incorrect T1482 (Domain Trust Discovery) from 3 ADCS enumeration modules that query certificate templates and CAs — not domain trusts. Replace with T1069.002 (Domain Groups) which better describes their certificate-related AD enumeration.
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Update CHANGELOG for MITRE ATT&CK technique audit
  Add 5 entries documenting round 2 of the ATT&CK audit: deprecated ID replacements, T1482/T1615 over-tagging removal, T1106 DCOS correction, and missing technique additions.
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Enrich MITRE ATT&CK technique tags across 53 modules
  Corrected 10 wrong technique assignments (e.g. LaunchAgent T1055→T1543.001, screensaver T1113→T1056.002, DownloadFile T1041→T1105), upgraded 6 parent techniques to specific sub-techniques, added T1105 to 12 lateral movement modules, and enriched 33 existing technique tags across PowerShell, Python, and C# modules. Net coverage: 181→190 unique techniques (+10 new IDs). Fixed 2 pre-existing duplicate technique entries in RevertToSelf and NetRipper.
  Ultraworked with [Sisyphus]
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
  ---------
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Backgroundjob bugfix (BC-SECURITY#807)
* Add Sprint 1 post-exploitation modules (EmpireProject#1165)
* Add Sprint 1 modules: PatchETW, PatchlessAMSI, CredentialPrompt, VSSExtract, RDPHijack, linux_keyring, aws_imds
  Add 7 new post-exploitation modules across C#, PowerShell, and Python:
  - C# PatchETW: in-process ETW patching via ntdll!EtwEventWrite
  - C# PatchlessAMSI: patchless AMSI bypass using hardware breakpoints and VEH
  - PowerShell Invoke-CredentialPrompt: credential harvesting via Windows CredUI
  - PowerShell Invoke-VSSExtract: NTDS.dit/SYSTEM hive extraction via VSS
  - PowerShell Invoke-RDPHijack: RDP session hijacking via tscon.exe
  - Python linux_keyring: Linux kernel keyring credential extraction
  - Python aws_imds: AWS IAM role credential theft via EC2 IMDS
  All modules authored by Anthony Rose (@Cx01N) with source citations. MITRE ATT&CK techniques mapped for each module.
  Ultraworked with [Sisyphus]
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Fix runtime errors in Sprint 1 modules
  - Remove redundant Invoke-CredentialPrompt (SharpLoginPrompt already exists)
  - Fix VSSExtract CleanupShadow: [String] to [Switch] for Empire PARAMS compatibility
  - Fix RDPHijack ListSessions: [String] to [Switch] for Empire PARAMS compatibility
  - Fix RDPHijack query user handling: remove unreliable $LASTEXITCODE check, pipe through Out-String
  - Fix linux_keyring: replace raise SystemExit(0) with function wrapper and return (was killing agent)
  - Remove CHANGELOG entry for removed CredentialPrompt module
  Empire module_service formats True/False option values as PowerShell switches, not string arguments. All boolean-like options must use [Switch] type.
  Ultraworked with [Sisyphus]
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
  ---------
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Add Python 3.14 support (EmpireProject#1166)
* Add PIC shellcode compiler, refactor bof_packer, and update BOF modules (EmpireProject#1170)
* Add PIC shellcode compiler, refactor bof_packer to Packer class, and update BOF modules
  Add shellcode_compiler utility for compiling position-independent C stagers into raw x64 shellcode for BOF process injection. Refactor bof_packer from standalone functions to a Packer class with granular packing methods. Rewrite clipboard_window_inject to use PIC shellcode instead of PowerShell launcher, add clipboard_window_inject_list module, remove secinject module, and bump Empire Compiler to v0.4.4. Update test_bof_packer to cover the new Packer class API (32 tests), add test_shellcode_compiler for _string_to_wchar_initializer (13 tests), and bump stager template count in test_stager_api.
* fixed test_stager_api
* Fix malleable HTTP listener stagers failing after server restart (EmpireProject#1171)
  Replace random URI generation in Stager._defaults() with a deterministic fallback so profiles without an http-stager block get a consistent URI across server restarts. Update launcher generation test to match.
* added spawn bof (EmpireProject#1175)
* Fix custom-generate BOF modules returning .NET-only format for Go agents (EmpireProject#1176)
* Add format_bof_output() and pass agent_language to custom-generate BOF modules
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Fix custom-generate BOF modules to use format_bof_output() for Go agent support
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Add tests for BOF Go agent format and update changelog
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* updated generate for bofs with consistent functions
  ---------
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Fix SQLAlchemy connection pool exhaustion in agent check-ins (EmpireProject#1178)
* Fix PSRansom module name from Invoke-Script to PSRansom (EmpireProject#1179)
* Log version, commit SHA, and git tag at Empire startup (EmpireProject#1181)
* fix: wrap async hooks in fresh session to prevent DB pool exhaustion (EmpireProject#1183)
* Prepare release 6.5.0 private
* fix: merge duplicate Fixed section in changelog
* Update starkiller version to v3.4.0
---------
Co-authored-by: Vince Rose <vrose04@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Anthony Rose <20302208+Cx01N@users.noreply.github.com>
Co-authored-by: Zoe Braiterman <zbraiterman@gmail.com>
Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
Co-authored-by: Jean-François Maes <55604242+jfmaes@users.noreply.github.com>
Co-authored-by: GitHub Actions <noreply@github.com>
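The bulk-preload pattern described in the "Batch module DB queries during startup" commit above, as an added example that is not Empire's own code: a constructed in-memory SQLite table stands in for the Module records, and a SELECT counter contrasts the per-module query loop with a single bulk query that fills a dict before the loading loop runs. The table schema, the `CountingCursor` wrapper and the module names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data (assumption): module names as the loader would find them on disk.
MODULE_NAMES = [f"module_{i:03d}" for i in range(435)]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table standing in for the Module records (schema is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE modules (id TEXT PRIMARY KEY, enabled INTEGER NOT NULL)")
    # Only the first 400 modules have a DB record; the loader must cope with missing rows.
    conn.executemany(
        "INSERT INTO modules VALUES (?, ?)",
        [(name, i % 2) for i, name in enumerate(MODULE_NAMES[:400])],
    )
    conn.commit()
    return conn


class CountingCursor:
    """Wraps a connection and counts every SELECT issued, so both strategies can be compared."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn, self.selects = conn, 0

    def query(self, sql: str, params: tuple = ()) -> list:
        if sql.lstrip().upper().startswith("SELECT"):
            self.selects += 1
        return self.conn.execute(sql, params).fetchall()


def load_per_module(db: CountingCursor) -> dict:
    """N+1 pattern: one SELECT per module inside the loading loop."""
    enabled = {}
    for name in MODULE_NAMES:
        rows = db.query("SELECT enabled FROM modules WHERE id = ?", (name,))
        enabled[name] = bool(rows[0][0]) if rows else None  # None: no record yet
    return enabled


def load_bulk(db: CountingCursor) -> dict:
    """Batched pattern: pre-load every record into a dict, then the loop only does lookups."""
    existing = {row[0]: bool(row[1]) for row in db.query("SELECT id, enabled FROM modules")}
    return {name: existing.get(name) for name in MODULE_NAMES}


def compare() -> tuple:
    """Return (SELECT count for N+1, SELECT count for bulk, whether results are identical)."""
    a, b = CountingCursor(make_db()), CountingCursor(make_db())
    r1, r2 = load_per_module(a), load_bulk(b)
    return a.selects, b.selects, r1 == r2
```

The two loaders produce the same dict, including `None` for modules that have no record yet, while the SELECT count drops from one per module to one in total.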
Author: done!
Describe your changes
I've fixed the single and double quote order in skeleton_key's Invoke-Mimikatz call. I've manually tested the change and the module works now, albeit making the agent unresponsive for a short while.
Issue ticket number and link (if there is one)
Checklist before requesting a review
- CHANGELOG.md
- docs/ (if applicable)