Merge main into fix-skeletonkey #1
Merged
asantoma merged 39 commits into fix-skeletonkey on Apr 10, 2026
Conversation
The SSH agent setup step was conditional on the sponsors repo, but the Docker builds unconditionally require SSH_AUTH_SOCK to be set. Start the SSH agent on both repos - private keys are only loaded when the CI_SSH_KEY_BOT secret is available. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ect#1143) Pre-load all existing Module records into a dict before the module loading loop, replacing 435 individual SELECT queries with a single bulk query. Reduces startup time by ~4 seconds. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
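The commit above replaces one SELECT per module with a single bulk query followed by dictionary lookups. The following is an added illustration of that pattern, not Empire's own code: it builds an in-memory SQLite table with constructed module rows, runs both the per-row and the bulk variant, and counts the SELECT statements each issues (the 435-module figure is taken from the commit text; the table schema, function names and the `CountingConnection` wrapper are assumptions made for the example).

```python
"""Added example (not Empire's code): per-row SELECT loop versus a single
bulk preload into a dict, with an in-memory SQLite table of constructed data.
"""
import sqlite3


class CountingConnection:
    """Wraps a sqlite3 connection and counts executed SELECT statements."""

    def __init__(self, conn):
        self.conn = conn
        self.select_count = 0

    def execute(self, sql, params=()):
        if sql.lstrip().upper().startswith("SELECT"):
            self.select_count += 1
        return self.conn.execute(sql, params)


def make_db(module_ids):
    """Constructed data: one row per module id, all enabled (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE modules (id TEXT PRIMARY KEY, enabled INTEGER)")
    conn.executemany(
        "INSERT INTO modules VALUES (?, ?)", [(m, 1) for m in module_ids]
    )
    return CountingConnection(conn)


def load_modules_n_plus_one(db, yaml_ids):
    """Before: one SELECT per module found on disk (N queries)."""
    results = {}
    for mid in yaml_ids:
        row = db.execute(
            "SELECT id, enabled FROM modules WHERE id = ?", (mid,)
        ).fetchone()
        results[mid] = row  # None when the module has no record yet
    return results


def load_modules_bulk(db, yaml_ids):
    """After: a single SELECT, then in-memory dict lookups."""
    existing = {row[0]: row for row in db.execute("SELECT id, enabled FROM modules")}
    return {mid: existing.get(mid) for mid in yaml_ids}


def compare(n_modules=435):
    """Return (n_plus_one_selects, bulk_selects, results_equal)."""
    ids_in_db = [f"module_{i}" for i in range(n_modules)]
    yaml_ids = ids_in_db + ["module_new"]  # one module not yet recorded
    db1 = make_db(ids_in_db)
    r1 = load_modules_n_plus_one(db1, yaml_ids)
    db2 = make_db(ids_in_db)
    r2 = load_modules_bulk(db2, yaml_ids)
    return db1.select_count, db2.select_count, r1 == r2


if __name__ == "__main__":
    print(compare())
```

Both loaders return the same mapping, including `None` for a module that has no record yet, so the caller's "create if missing" branch is unchanged; only the query count drops from N+1 to 1.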
Notable upgrades:
- cryptography 45.x -> 46.x (removed deprecated default_backend())
- bcrypt 4.x -> 5.x
- fastapi 0.116 -> 0.129 (Starlette 0.52 adds allow_private_network to CORSMiddleware)
- ruff 0.12 -> 0.15 (fix 63 new lint violations from stabilized rules)
- pytest 8.x -> 9.x
- pytest-cov 6.x -> 7.x
- uvicorn 0.35 -> 0.41
- packaging 25.x -> 26.x
- requests-file 2.x -> 3.x
- aiofiles 24.x -> 25.x
Breaking change fixes:
- Remove deprecated default_backend() from encryption.py (cryptography)
- Fix CORSMiddleware positional args for new allow_private_network param (Starlette)
- Migrate (str, Enum) to StrEnum (ruff UP042)
- Fix unused unpacked variables (ruff RUF059)
- Fix single-item membership tests (ruff FURB171)
- Fix ternary expressions (ruff FURB110)
- Apply ruff 2026 formatter style guide
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…ependency upgrade (EmpireProject#1157) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…y-pick-ubuntu-docs
* Fix MITRE ATT&CK tagging in PowerShell modules
  Correct malformed technique IDs (T11082→T1082, T1555.03→T1555.003, T11638→T1040), replace deprecated techniques (T1076→T1021.001, T1933 removed, T1101.005→T1547.005), fix malformed tactic strings, add missing software fields (S0521 for BloodHound/SharpHound, S0002 for Mimikatz), add missing tactics to modules that had none, and resolve technique-to-tactic inconsistencies across 63 modules. Validated against MITRE ATT&CK Enterprise STIX data.
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Fix MITRE ATT&CK tagging in Python modules
  Add missing tactics field to 80 Python modules (macOS collection, Linux persistence/privesc, DCOS, AD discovery) that had no tactic tags. Fix wrong software field (T1169→empty) on sudo_spawn and piggyback modules. Resolve technique-to-tactic inconsistencies. Tactics derived from MITRE ATT&CK Enterprise STIX technique→tactic mappings and module directory categorization.
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Fix MITRE ATT&CK tagging in C# modules
  Correct malformed technique IDs (T1557.0001→T1557.001, T1558.0003→T1558.003, T1555.03→T1555.003, T11082→T1082), fix malformed tactic string on SharpSC, replace deprecated techniques (T1076→T1021.001, T1933 removed), add missing software field (S1071 for Rubeus), add missing tactics to Spawn module, and resolve technique-to-tactic inconsistencies across 15 modules.
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Fix MITRE ATT&CK tagging in BOF modules
  Add missing tactics for technique-to-tactic consistency across 12 BOF modules. Ensures all listed techniques map to at least one tactic the module declares.
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Update CHANGELOG and module development docs for MITRE ATT&CK audit
  Add changelog entry documenting the ATT&CK tagging audit and fixes across all 439 modules. Update the module development guide to include a MITRE ATT&CK Fields section with proper formatting guidance, and fix the YAML example to use real tactic/technique IDs instead of empty placeholders.
  Ultraworked with [Sisyphus]
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Fix MITRE ATT&CK technique assignments in PowerShell modules
  Remove incorrect T1482 (Domain Trust Discovery) from 19 modules that enumerate users, groups, computers, or network shares — not domain trusts. Remove incorrect T1615 (Group Policy Discovery) from 3 modules unrelated to GPO enumeration. Add missing T1049 (System Network Connections Discovery) to session enumeration modules. Fix T1514 removal in powershell_template and correct edge-case technique assignments for sessiongopher, honeyhash, and smbautobrute.
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Fix MITRE ATT&CK technique assignments in Python modules
  Replace 27 deprecated technique IDs predating ATT&CK v10 with current equivalents: T1141→T1056.002, T1142→T1555.001, T1156→T1546.004, T1165→T1037.005, T1166→T1548.001, T1168→T1053.003, T1208→T1558.003, T1081→T1552.001, T1139→T1552.003, T1155→T1059.002, T1157→T1574.004. Remove Mobile ATT&CK IDs (T1414, T1426) and invalid IDs (T1256, T1156.001, T1081.001). Remove incorrect T1482 from 12 AD enumeration modules. Replace T1106 (Native API) with T1059.006 (Python) on 5 DCOS REST API modules. Remove T1514 from python_template. Fix edge cases in SuidGuidSearch, HijackScanner, etcd_crawler, mail, and prompt modules.
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Fix MITRE ATT&CK technique assignments in C# modules
  Remove incorrect T1482 (Domain Trust Discovery) from Rubeus, Certify, and 5 SharpSploit enumeration modules that query users, groups, computers, or local groups — not domain trusts. Add missing T1049 (System Network Connections Discovery) to GetNetSession.
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Fix MITRE ATT&CK technique assignments in BOF modules
  Remove incorrect T1482 (Domain Trust Discovery) from 3 ADCS enumeration modules that query certificate templates and CAs — not domain trusts. Replace with T1069.002 (Domain Groups) which better describes their certificate-related AD enumeration.
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Update CHANGELOG for MITRE ATT&CK technique audit
  Add 5 entries documenting round 2 of the ATT&CK audit: deprecated ID replacements, T1482/T1615 over-tagging removal, T1106 DCOS correction, and missing technique additions.
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Enrich MITRE ATT&CK technique tags across 53 modules
  Corrected 10 wrong technique assignments (e.g. LaunchAgent T1055→T1543.001, screensaver T1113→T1056.002, DownloadFile T1041→T1105), upgraded 6 parent techniques to specific sub-techniques, added T1105 to 12 lateral movement modules, and enriched 33 existing technique tags across PowerShell, Python, and C# modules. Net coverage: 181→190 unique techniques (+10 new IDs). Fixed 2 pre-existing duplicate technique entries in RevertToSelf and NetRipper.
  Ultraworked with [Sisyphus]
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
---------
Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
…y-pick-backgroundjob-bugfix Cherry-pick: Backgroundjob bugfix (BC-SECURITY#807)
* Add Sprint 1 modules: PatchETW, PatchlessAMSI, CredentialPrompt, VSSExtract, RDPHijack, linux_keyring, aws_imds
  Add 7 new post-exploitation modules across C#, PowerShell, and Python:
  - C# PatchETW: in-process ETW patching via ntdll!EtwEventWrite
  - C# PatchlessAMSI: patchless AMSI bypass using hardware breakpoints and VEH
  - PowerShell Invoke-CredentialPrompt: credential harvesting via Windows CredUI
  - PowerShell Invoke-VSSExtract: NTDS.dit/SYSTEM hive extraction via VSS
  - PowerShell Invoke-RDPHijack: RDP session hijacking via tscon.exe
  - Python linux_keyring: Linux kernel keyring credential extraction
  - Python aws_imds: AWS IAM role credential theft via EC2 IMDS
  All modules authored by Anthony Rose (@Cx01N) with source citations. MITRE ATT&CK techniques mapped for each module.
  Ultraworked with [Sisyphus]
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Fix runtime errors in Sprint 1 modules
  - Remove redundant Invoke-CredentialPrompt (SharpLoginPrompt already exists)
  - Fix VSSExtract CleanupShadow: [String] to [Switch] for Empire PARAMS compatibility
  - Fix RDPHijack ListSessions: [String] to [Switch] for Empire PARAMS compatibility
  - Fix RDPHijack query user handling: remove unreliable $LASTEXITCODE check, pipe through Out-String
  - Fix linux_keyring: replace raise SystemExit(0) with function wrapper and return (was killing agent)
  - Remove CHANGELOG entry for removed CredentialPrompt module
  Empire module_service formats True/False option values as PowerShell switches, not string arguments. All boolean-like options must use [Switch] type.
  Ultraworked with [Sisyphus]
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
---------
Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
…es (EmpireProject#1170)
* Add PIC shellcode compiler, refactor bof_packer to Packer class, and update BOF modules
  Add shellcode_compiler utility for compiling position-independent C stagers into raw x64 shellcode for BOF process injection. Refactor bof_packer from standalone functions to a Packer class with granular packing methods. Rewrite clipboard_window_inject to use PIC shellcode instead of PowerShell launcher, add clipboard_window_inject_list module, remove secinject module, and bump Empire Compiler to v0.4.4. Update test_bof_packer to cover the new Packer class API (32 tests), add test_shellcode_compiler for _string_to_wchar_initializer (13 tests), and bump stager template count in test_stager_api.
* fixed test_stager_api
…ireProject#1171) Replace random URI generation in Stager._defaults() with a deterministic fallback so profiles without an http-stager block get a consistent URI across server restarts. Update launcher generation test to match.
…nts (EmpireProject#1176)
* Add format_bof_output() and pass agent_language to custom-generate BOF modules
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Fix custom-generate BOF modules to use format_bof_output() for Go agent support
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* Add tests for BOF Go agent format and update changelog
  Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)
  Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
* updated generate for bofs with consistent functions
---------
Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
…private v6.5.0 into private-main
Resolve merge conflicts:
- CHANGELOG.md: keep full 6.5.0 release notes, incorporate main's backfilled Starkiller entries
- docs/modules/module-development/README.md: keep MITRE ATT&CK Fields section from release
- empire/server/config.yaml: use Starkiller v3.4.0 from release, keep public plugin registry from main
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
No description provided.