
Releases: BC-SECURITY/Empire

v6.0.0-rc1

10 Mar 01:29
6d24576
v6.0.0-rc1 Pre-release

To install:

git clone --recursive --branch v6.0.0-rc1 git@github.com:BC-SECURITY/Empire.git
cd Empire
./ps-empire install -y
./ps-empire server

If you are updating from an existing install, you may need to rm -rf the existing .venv in the project directory.
You may also need to remove some submodules that are no longer in the repository: rm -rf empire/server/csharp empire/server/plugins/ChiselServer-Plugin empire/server/plugins/Report-Generation-Plugin empire/server/plugins/SocksProxyServer-Plugin


[6.0.0-rc1] - 2025-03-09

  • Updated Starkiller to v3.0.0-rc1

Highlights

  • Plugin Marketplace
  • Go agents
  • Empire Compiler for C#
  • Command line client removed

Added

  • Added support for plugin registries and installing plugins via the API
    • See the Plugin Marketplace in Starkiller 3.0!
  • New allow/deny list implementation that properly supports IPv4, IPv6, Ranges, and CIDRs
  • Added API endpoints for managing autorun commands on agent checkin
  • Added api.ip and api.secure as server config options
  • Added Go agents
    • Added Go to install script
    • Added new stager type multi_go_exe
    • Added Go as an option for multi_launcher
    • Added new compiler class GoCompiler
  • Added -f flag for install script to force install as root
  • Added dynamic options to modules
  • Added module code_execution/invoke-script for remote ps1 script execution
  • Added module python/code_execution/invoke-script for remote py script execution
  • Added sharphound ingestor for CE and tagged bloodhound with legacy

Changed

  • Changed minimum Python version to 3.13
  • Updated module_service logic for tasking types
  • Swapped C# module RunOF for COFFLoader
  • Updated parsing for bof formatting to use bof_pack
  • Moved bash and pyinstaller stagers to linux folder
  • Change formatter to ruff to consolidate developer tooling
  • Revised the staging process for agents. Session IDs are provided by the server and all packets are wrapped in routing packets.
    • Updated stageless agents to work with python, ironpython, and powershell with the new staging process.
  • Updated tactics and techniques on all modules
  • Added a yaml formatter and run pre-commit across all files
  • Combined config with config_manager
  • Converted many parts of codebase to be compliant with flake8-use-pathlib
  • Csharp and bof tasks attach the executable as a 'download' with a tag 'task:input'
  • Pass output path to dotnet compiler, only compile the requested version

Breaking

  • Many improvements to plugins - see the plugin-development wiki page
  • Moved Agents class to AgentCommunicationService
    • Refactored many of the functions and parameter names
  • Moved Stagers class to StagerGenerationService
    • Refactored many of the functions and parameter names
  • Moved Plugin Task handling from PluginService to PluginTaskService
  • Moved socks management to AgentSocksService
    • Renamed socks properties on AgentSocksService to use plural naming
  • Removed update_lastseen parameter from handle_agent_request
  • Renamed all config properties in client and server configs to use snake_case
  • Starkiller is now accessed at {api_url}/ instead of {api_url}/index.html
  • ip_whitelist and ip_blacklist are now ip_allow_list and ip_deny_list and are lists instead of comma separated strings
  • Using a new and improved Empire-Compiler for C# compilation
    • Downloads pre-compiled Empire-Compiler to eliminate dotnet as an OS dependency
    • Updated shortened task results to show the C# command ran and full input to show directory of the file
    • Updated C# tasks into folders and split yaml configs to be one per module and match Empire yaml format
    • All C# module code has been moved as submodules of Empire-Compiler
    • Moved EmpireCompiler compression from application to the server
    • Moved EmpireCompiler from install script to startup with autoupdate functionality
    • Replaced csharpserver plugin with DotnetCompiler class in empire.server.common
  • module_service.execute_module returns a pydantic model
  • agent_task_service functions take a user model instead of user id
  • All writeable data moved out of the install path into ~/.local/share/empire

Deprecated

Removed

  • Removed autorun config options which haven't been used since Empire 3
  • Removed install support for Debian 10
  • Removed nim stager from Empire and install script
  • Removed slack notifications from listeners
  • Removed the following stagers
    • osx/pkg
    • windows/backdoorlnkmacro
    • windows/launcher_lnk
    • windows/launcher_sct
    • windows/ms16-051
    • windows/reverseshell
  • Removed the following listeners
    • HTTP COM only supports powershell agent and uses an older COM object that isn't used often
    • OneDrive has new APIs and Microsoft has made registration harder. May return in the future with revisions.
    • Dropbox has new APIs and may return in the future with revisions.
  • Removed empire_config.directories.module_source and empire_config.directories.obfuscated_module_source

Breaking

  • Removed the command line client. Use Starkiller instead.
  • Removed Listeners class
  • Removed Credentials class
  • Removed functions from Agents class that were marked as deprecated in 5.x
  • Removed --restip and --restport options from the command line. Use the config file instead.
  • Removed socketport config option on the client which was no longer being used
  • Removed script and module upload to memory in favor of modules with same functionality
  • Removed reverseshellserver plugin

Fixed

  • Fixed Powershell agent overwriting results for C# taskings
  • Simplify option_util.validate_options, fixes a bug where an optional file option was treated as required
  • Fixed issue loading a plugin that has multiple files
  • Fixed issue with permissions caused by git operations being done with de-elevated permissions

Security

v5.12.2

12 Jan 22:47
2765c6a

[5.12.2] - 2025-01-12

Fixed

  • Fixed issue with C# exe and shellcode not compiling PowerShell stagers
  • Fix delay/jitter adjustment in python agent (@janit0rjoe)

v5.12.1

09 Jan 05:08
ed7fcf6

[5.12.1] - 2025-01-08

Fixed

  • Fixed issue with install script caused by Poetry 2.0

v5.12.0

14 Dec 19:42
5aeb633

[5.12.0] - 2024-12-14

  • Reduce the check-in tests that were adding an unnecessary amount of time to the CI
  • Allow Python 3.13 to be used
  • Fix python install
  • Support Empire for system-wide deployment (@D3vil0p3r)
  • Paths specified in config.yaml where the user does not have write permission will fall back to the ~/.empire directory, and config.yaml is updated as well (@D3vil0p3r)
  • Invoke-Obfuscation is no longer copied to /usr/local/share

v5.11.7

11 Nov 21:35
8f41087

[5.11.7] - 2024-11-11

  • Fix arm installs by installing dotnet and powershell manually
  • Fix issue initializing some databases by removing the unused Reporting table

v5.11.6

08 Nov 01:01
1ff9de8

[5.11.6] - 2024-11-08

  • Fixed extra character in nanodump.x64.o
  • Fixed bof tasking for IronPython agent

v5.11.5

22 Sep 20:27
ee6526b

[5.11.5] - 2024-09-22

  • Updated Starkiller to v2.8.2
  • Fixed various Python 3.12 SyntaxWarning

v5.11.4

04 Sep 04:36
21880d8

[5.11.4] - 2024-09-04

Added

  • Added nameserver check for linux hosts (@0x636f646f)

[5.11.3] - 2024-09-04

Changed

  • Updated Rubeus to v2.3.2 (@Cx01N)

Fixed

  • Fixed Rubeus error where only first arg was being used (@Cx01N)
  • Fixed background jobs checking in continuously (@Cx01N)
  • Fixed Rubeus killing agent when certain options were given that use System.Environment.Exit (@Cx01N)
  • Fixed option parsing error in credential/tokens module (@Cx01N)
  • Removed requirement for credid for mimikatz/pth (@Cx01N)

v5.11.2

08 Aug 19:16
edab367

[5.11.2] - 2024-08-08

  • Added Route4Me to sponsor page on Empire (@Cx01N)
  • Fixed global obfuscation bug in listener staging (@Cx01N)

[5.11.1] - 2024-07-23

Changed

  • Updated Ruff to 0.5.3 and added additional Ruff rules (@vinnybod)

Fixed

  • Removed duplicate code for ironpython agent for loading path resetting (@Cx01N)
  • Fixed issue of Sharpire taskings not getting assigned correct id (@Cx01N)

[5.11.0] - 2024-07-14

Added

  • Added threaded jobs for powershell tasks using Appdomains (@Cx01N)
  • Added job tracking for all tasks in Sharpire (@Cx01N)
  • Updated agents to track all tasks and removed only tracking jobs (@Cx01N)
  • Added Invoke-BSOD modules (@Cx01N)
  • Added ticketdumper ironpython module (@Hubbl3)
  • Added ThreadlessInject module (@Cx01N)

Fixed

  • Fixed issue in python agents where background jobs failed due to a missing character (@Cx01N)
  • Fixed task bundling for the c# server plugin (@Cx01N)
  • Fixed missing New-GPOImmediateTask in powerview (@Cx01N)
  • Fixed NET45 missing folder causing a compilation error (@Cx01N)
  • Fixed NET45 files not being removed on server reset (@Cx01N)

Changed

  • Converted C# server plugin to use plugin taskings (@Cx01N)
  • Upgraded Ruff to 0.5.0 and Black to 24.4.2 (@vinnybod)
  • Added pylint-convention (PLC), pylint-error (PLE), pylint-warning (PLW), and pylint-refactor (PLR) to ruff config (@vinnybod)

v5.10.3

23 May 03:41
8283bbc

[5.10.3] - 2024-05-23

Changed

  • Updated the default value for Sharpup to audit (@Cx01N)
  • Updated the default value for Seatbelt to AntiVirus (@Cx01N)
  • Updated the default value for SharpWMI to action=query (@Cx01N)
  • Updated the default value for SharpSC to action=query service= (@Cx01N)
  • Updated GetSystem to require admin (@Cx01N)
  • Updated the default value for Moriarty to --debug (@Cx01N)

Fixed

  • Fixed issue with generate_agent having a mismatched function name for stageless (@Cx01N)
  • Fixed parsing issue for C# portscan with commas (@Cx01N)
  • Fixed error for PrivExchange with missing System.XML.dll (@Cx01N)

Removed

  • Removed BypassUACGrunt due to compatibility with only Covenant (@Cx01N)
  • Removed BypassUACCommand due to compatibility with only Covenant (@Cx01N)