Hi everybody, I'm Anthony. I go by coin, and I'm one of the developers of Starkiller and Empire. I'm also here with Jake and Vince.

Hey, I'm Jake. I go by Hubble. I'm also one of the developers for Starkiller and Empire.

And I'm Vince. I created Starkiller and I'm the lead developer.

So we're going to be talking about Starkiller today, which is our threat emulation platform that we use for red teaming. What this allows us to do is to have an intuitive interface that multiple users can log in from and interact with the team server. It also has some hooks built into it to the MITRE ATT&CK framework that give links to techniques inside all of our modules. What this setup allows us to do is to have our teams most accurately emulate the threats for assessments.

Since we're trying to emulate that threat, what we're really focusing on is making sure that we're replicating their TTPs, those tactics, techniques and procedures, since that is what the threat is going to use to obtain their objectives. We're going to make sure that everything we do in our tests focuses on what the threat is going to be and is representative of it. That includes our infrastructure.
We want to make sure that our infrastructure mirrors exactly what an APT setup is going to look like. For example, our stagers and payloads, as well as our implants, will mirror the threat's. Our setup will typically include multiple operators across different locations, all connected to the team server. They may be spread out as well to make sure that everything is segregated, so that if one server goes down, we're not going to lose our entire operation and burn it. We want to make sure that our infrastructure mirrors what the threat is going to do and that we are able to emulate what they're going to be running for their attacks.

So what you saw in the diagram before is that Starkiller is the UI that connects to our team server. Starkiller provides a UI on top of the C2 server, in this case Empire, and it allows us to interact as a team. So we have multi-user support. We have a live reporting interface, so any time a team member runs a module or command, we're able to instantly see those commands through the interface, and it simplifies a lot of the workflows that are a little bit more tedious through the CLI.

So as we mentioned, Starkiller is a GUI interface that interacts with the Empire C2 server. Empire is built on PowerShell and Python, for those of you that aren't aware. With the addition of Starkiller, it can now be run as either a team server or an all-in-one C2, which means just a person running the C2 on the command line directly; there's no other infrastructure required to run that C2. It has a bunch of adaptive modules; we're up to about 300 now. The original project ended support back in August of 2019, but we forked it and have been maintaining and updating it ever since, which is why we built Starkiller on top of it. We really built Starkiller to address some of the shortfalls that Vince mentioned, to allow for threat emulation and a modern red team engagement when using Empire as your primary C2.

So ever since we forked Empire, when support was originally ended, we've been asked a lot why we still think PowerShell is important, because there's a whole bunch of mitigations in place, you know, script block logging and AMSI and all those kinds of things that do make PowerShell much more difficult when it is implemented properly. But even though red teams have started moving on to C# and other .NET tradecraft, and Microsoft has started focusing protections elsewhere, PowerShell is still a huge attack vector. It's used like every day by APTs. CrowdStrike came out with a report in 2019 that said as many as 90% of breaches use PowerShell in some way. Now, that doesn't mean that PowerShell is their primary means of operations, or even the majority of what's being done, but it's still used in 90% of breaches according to CrowdStrike. So we still think it's really worthwhile for red teams to emulate threats using PowerShell, because even though all those mitigations do exist for it, we still see many, many organizations that are vulnerable to PowerShell because they don't have those mitigations properly implemented.

So what we have here is our team server setup running Empire. We also have multiple Starkiller instances all connected to that team server. That team server is then sitting in a secure location; that could be either in the cloud or one of our offices. There is then a secure line directly into our server or cloud server.
In this case, it's AWS. That cloud server is then going to reach out to all of our redirectors. We have these multiple redirectors up in case one of them gets burned, and that way, if it does happen, we don't lose our entire infrastructure. Why we do this is that this setup allows us to rebuild certain parts of our infrastructure very easily, so we don't lose critical pieces.

Yeah, and then just another advantage of setting up our infrastructure this way is it allows us to really lock down our Empire server. On top of using reverse port forwarding to connect to the AWS server, so that the Empire server can't be accessed directly from outside our network, we can also lock it down internally, because we can basically lock everything down except for the Starkiller ports. That way, if our network is compromised, it limits the ability for an attacker to access the Empire server and, more importantly, access the customer data that we're going to be handling, since many times that data is extremely sensitive.

So really the two main goals for Starkiller for us are: one, we want to make our workflows for red teams more efficient, and we do that by eliminating some of the menu options that were in Empire and making them more simplified. Previously in Empire, what you had to do is you had to memorize or go through multiple menus to be able to set up your listeners, your stagers and your modules. Through Starkiller, what you have now is menus that are pre-populated; sometimes they have drop-down menus, and this makes workflows much, much easier for teams. The second thing is team-oriented engagements. With Empire previously, you could only have one person logged in at a time, using that command line interface, and if somebody else wanted to do an engagement they had to stand up a completely separate server. Now with Starkiller you can have multiple users all using the same team server. They can share credentials, they can share their results from their modules, and they can generate a single report for their entire engagement.

Yeah, and then just to add a little more to that, we plan on future growth for this capability as well, but it also provides more oversight for the team lead by giving them a centralized location to see what their operators are doing, what things have been done, as well as when things are run on individual boxes and that kind of thing, in a centralized location to see all that data and keep an eye on the operation as it's progressing.

So setting up Starkiller is fairly simple. When you run Empire, you're going to pass the rest parameter, which tells it to run the REST API. There's a default login and password which you can change, and then to actually run Starkiller, you can either download the installer for Windows, macOS or Linux off of the releases page on GitHub, or there are instructions in the readme to build it from source.

All right. Thanks guys. We're going to demo the features of Starkiller now. So Vince has an instance set up already back in our personal range, where Empire is already running on a team server, and then we have Starkiller connecting into that.

Okay, so this is the Starkiller login page. I'm going to log in using the default username and password, and we're connecting to an Empire instance that we already have running. When I go to the settings page, we can change our password.
We can turn dark mode on and off, and we have access to our API token for connecting to the Empire API. This is useful if you want to interact with the Empire API outside of Starkiller, or if you wanted to use some other tool like that to interact with the Empire API.

The next piece is the user management page. So on this page we get a list of all the users that have an account for Starkiller. We can see when they last logged in, and we're able to enable and disable those users. I'm going to go ahead and create a user account for myself, with the password of "password", and we can see that I now have an account.

So the next thing is the modules list page. This page gives you a list of all of the modules that we have access to in our instance of Empire, and using the search box we can search by the name of the module, we can search by the MITRE ATT&CK techniques, and also by the descriptions of the modules. So here I'm going to filter down by a MITRE ATT&CK technique, and I get the two modules that are in this technique, and if I click into it, it'll bring us to the webpage for that MITRE ATT&CK technique so that we can get more information about it. And then here, if we expand an individual module, we can get the author information, we can get the description of that module, and then often the comments will have a link back to the source material for that module.

Okay, so this is the listeners list page, and here we can see all the listeners that have already been created in Empire. So let's go ahead and create another one. We're going to choose a type, and then once we choose that type we get the form prefilled with all the defaults, and we're going to go ahead and just update this so it doesn't overlap with the previously created one. Any optional fields are just in this expandable context here. I'm going to submit, and that listener has been created.

The next page is the stagers page. Stagers are the initial payload that we send to the agent to initiate the connection back to our C2 server. So you can see that we already have a couple of stagers created here, but I'm going to go ahead and generate a couple more. So the first one that I'm going to create is a multi launcher, and we're going to have it connect to the listener that I just created, and we're going to keep the rest of the settings the same. Up here I can expand the information box, and that'll give us some more info about the stager. Okay, so that one's been created. Now I'm going to create one more. This one is going to be a downloadable DLL, and again I'm going to choose the listener that we just created. I'm going to hit submit.

Okay, so now that we've created those two stagers, we can see some information about them: which listener it connects back to, the language, and when it was created. And then over here we have the ability to copy or download. So this first one that we generated, multi launcher, has a little paperclip icon, and when you click that it copies it to the clipboard, because this is a one-liner that you can then paste into a command prompt or your PowerShell window. And the second one here has a download icon, because it's a file, and you can download this file and then get that to your target, however you need to get it to them.

Yeah, and something that's really nice about this over Empire is that our stagers remain persistent, not only when we change between menus, but also if you log out of Starkiller and then log back in, your agents will still be there. Because in Empire, especially when we create one-liners, as soon as we move to another menu it's gone, and we have to regenerate it and then cut and paste it and save it and all those things. Whereas Starkiller just keeps it all in one place for us and saves it between sessions and all that kind of stuff, which is just significantly more convenient than operating directly in Empire.

Okay, so now that we've sent those stagers out.
We've gotten some callbacks into our Empire server, and so that brings us to the agents list. Here we can see all of the agents that have called back to us. We can see the last time they checked in, we can see the username of the account that we're connected to, and if we click into it, that brings us to probably the screen that you'll spend the most time in when you're using Starkiller, which is the agent interaction screen. And this is where I'm going to hand it off to coin to talk about interacting with agents.

So what we have here is our agent screen. As Vince talked about before, this allows us to do our shell commands as well as execute modules. A couple of nice features here: we can see at the bottom that Hubble actually just ran something. This interface allows multiple users to interact with the same agent, and every command that you run is going to be tagged with the username that you have associated with yourself. So for example, earlier I set my beacon to be delay zero, and I ran that command under my Empire admin account. Well, Hubble ran whoami, and then he got his results back. I can also go in here and I can go to shell commands. I could type in ps, just like they would in Empire, to get my process list. It's now going to run that. It puts it in a queue; all commands are sent into a queue regardless of who sends it, and it'll execute that queue throughout and then drop all the results in this screen. Your results aren't just going to be in this screen; they're also saved in a database that then gets populated on a reports page, so everything everybody does will be aggregated together into one master log. You can see here the process list just came back, so you can come in and take a look. I can scroll through and see all the different processes that are running, and I can also adjust the size of this screen if I wanted to expand it a little bit as well.

Next is the modules.
So you have access to all the modules that are inside of Empire. It's nice because you don't have to navigate all the menus; you can actually come in here and just type in exactly what you want to run. I can type in Mimikatz. In this case we're actually going to run Sherlock. I come in, select Sherlock, just a nice little tool that'll allow me to look at some privilege escalation opportunities. We still have access to those MITRE ATT&CK techniques from before, so I can click on those, as well as a description and information about the module I want to run. So once I hit submit, it's going to run that module. It's going to queue it up, and then we'll get the results, and we can see that later in the reporting function.

Next we're going to go over into an elevated process agent, that way we can show off another feature. So now that I'm in an elevated process, I can go in and run some techniques that maybe I don't have access to under a normal user, such as Mimikatz. So I'm going to go in, I'll pull up Mimikatz. I have all the same interface stuff as well. I'm going to hit submit there as well. So now both of those are queued up, and I can see those results later inside of my reporting function.

So now we're going to look at the credentials page, and you can see here we already have a couple of entries from running Mimikatz. And so the nice thing about this credentials page is it's central to everybody, all of the team members engaging on this Empire server. So whether I run Mimikatz or Hubble is getting credentials, they're all going to be dumped to this page, and we can all see all of the credentials, and these password hashes are going to be useful to us when we want to try to do lateral movement.

Now the last piece that we want to show you of Starkiller is this reporting interface. It's going to show you, in order of when it ran, when a command was run on an agent, who ran it, and what the response was. So for example, this is the last command that was run. We can see that it was run by Empire admin, which is me, and we can see the agent that it was run on, and we can see the full output of that command. And now just a side note here: you'll notice this function name is just a random five-character string. That's one of the features that are built into Empire for keyword randomization. So this function name is just a random five-character string; that string is typically known as Mimikatz. And so that randomization just allows us to prevent strings that are known flags from showing up in memory when Empire is being run.

Okay, so now if we expand another one, we can see the output of the ps command in its entirety. And this page is really useful to the operator of the engagement so that they can get a holistic view of all of the different things that are going on during the engagement.

So at the bottom of Starkiller, we have links to the Empire and Starkiller repos. We'd love to get feature requests and bug tickets that we can fix, and we look forward to your feedback.