Hooks, Filters, and Other Really, Really, Cool Things
In case you don’t check our commit history on our GitHub on a daily basis, Empire 4.1 and Starkiller 1.9 were released to Kali and Sponsors this week! This release has some much-needed quality of life updates that include new Starkiller interfaces, IronPython3 integration, and a new plugin ability, Hooks & Filters. Now before you read about all this cool stuff that our team has been working hard to knock out, enjoy this picture that summarizes managing an open-source project.
Starkiller
File Browser
In Starkiller 1.9.0, the file browser has gotten a boost. The directory refresh functionality is much more reliable now. Also, we recently added uploading files and zipping directories directly from the file browser. This adds new, simpler ways for users to interact inside of Starkiller.
View Tab
The agent “View” tab was something we always wanted to “eventually” get to. It’s now much more useful in displaying the info about the agent, and things like sleep and kill date can be updated directly from this view.
Modules
Credential IDs have been a bit difficult to use for modules. Previously you had to know the ID number for the credentials you wanted to use and then enter that number into the options for a module. It seems like a lot of steps, right? Now it’s much easier to use since Starkiller provides a preview of the credentials and autocompletes the rest.
Process Browser
The process browser view is a new feature for Sponsors. Works for PowerShell and Python (and IronPython) agents. It displays the processes belonging to a host and shows which agents are injected into which processes. For Powershell agents, there are quick actions to inject into processes or spawn new processes on the host.
Empire
IronPython 3 Agent
On the Empire server-side, we have the beginnings of an IronPython 3 agent thanks to @Cx01N.
First of all, the Python and IronPython agents share a common launcher! This is great because you won’t have to tailor the initial payload too much. The switch between running an IronPython or Python agent code happens after the launcher checks in and begins the staging process. This allows us to not muddy up the agent code with a ridiculous number of if statements.
At the moment, you will have to do your own embedding/compiling to launch the IronPython agent, unless your target happens to have it installed already. But it shouldn’t be too much work using the IronPython3 repo.
Documentation on how to use this to come later on!
View Tasks
In 4.0, we added the ability to view history for agents which would give you the last N-number of taskings results. But, what if you wanted to view the result of a single-tasking remotely? Well, this is why we added the view taskings command. Simply, type view
and you will get a dropdown of the commands that were run and who executed them. Then select the tasking to view the result.
Hooks & Filters
There is a new feature that will be useful for plugin developers that allow for hooking into different server events.
Hooks
Hooks are implemented to perform some side effects of an event happening. A hook does not need to return anything.
An example of a minimal hook implementation:
from empire.server.common.hooks import hooks
def my_hook(agent: models.Agent):
"""
print to the console whenever an agent checks in.
"""
print(f'New Agent Check in! Name: {agent.name}')
hooks.register_hook(hooks.AFTER_AGENT_CHECKIN_HOOK, 'checkin_logger_hook', my_hook)
Filters
Filters are implemented to perform some modification of data after an event happens. A filter should return the modified arguments that it was given.
An example of a minimal filter implementation:
from empire.server.common.hooks import hooks
def my_filter(tasking: models.Tasking):
"""
Reverses the output string of a tasking.
"""
tasking.output = tasking.output[::-1]
return tasking
hooks.register_filter(hooks.BEFORE_TASKING_RESULT_FILTER, 'reverse_filter', my_filter)
An example of the Hook and Filter features can be seen in the Twilio-Plugin. The Twilio plugin is a basic implementation that sends a text message to the user whenever an agent connects. It is relatively simple, but it was just a PoC.
Wrap-Up
Download the latest version of Empire and Starkiller through Kali or keep up-to-date on our public repositories on GitHub. Feel free to drop us any feedback on our Discord.
The post Hooks, Filters, and Other Really, Really, Cool Things appeared first on BC Security.
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.