Having trouble tracking down where to update code to modify the default info displayed by agents

[Hubbl3]

Empire Version

2.5

OS Information (Linux flavor, Python version)

Kali 2019.2

Any additional information

Trying to figure out where in the code base the parsing of data returned from the initial stager is done. I updated the stager code and I get the initial call back but the additional data seems to break the negotiation as the next stager is never passed back. If anyone could point me in the right direction it would be much appreciated.

[mr64bit]

Most likely `handle_agent_staging` in `lib/common/agents.py`

…

On Fri, Apr 12, 2019 at 12:50 PM lonewolf210 ***@***.***> wrote: Empire Version 2.5 OS Information (Linux flavor, Python version) Kali 2019.2 Any additional information Trying to figure out where in the code base the parsing of data returned from the initial stager is done. I updated the stager code and I get the initial call back but the additional data seems to break the negotiation as the next stager is never passed back. If anyone could point me in the right direction it would be much appreciated. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1350>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACFwUNeXyOQnJF9d1CwED_dP6zm4eNX0ks5vgLlpgaJpZM4cshzT> .

[Hubbl3]

Most likely handle_agent_staging in lib/common/agents.py
…
On Fri, Apr 12, 2019 at 12:50 PM lonewolf210 @.***> wrote: Empire Version 2.5 OS Information (Linux flavor, Python version) Kali 2019.2 Any additional information Trying to figure out where in the code base the parsing of data returned from the initial stager is done. I updated the stager code and I get the initial call back but the additional data seems to break the negotiation as the next stager is never passed back. If anyone could point me in the right direction it would be much appreciated. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1350>, or mute the thread https://github.com/notifications/unsubscribe-auth/ACFwUNeXyOQnJF9d1CwED_dP6zm4eNX0ks5vgLlpgaJpZM4cshzT .

Thanks that did it. I am working on a=some code that allows for vm identification/evasion. If I get it working I can put in a pull request.

In the mean time would you also be able to point me in the direction of how I would modify the cipher suite negotiation order? It looks like Empire is just using the default urllib3 cipher list?

[mr64bit]

https://github.com/EmpireProject/Empire/blob/dev/lib/listeners/http.py#L1173

You can call set_ciphers on the SSL context object created here, giving it the list of ciphers you want the Flask server to offer. (untested, just reading docs)

[Hubbl3]

OKay. Thank you. If you don't mind me asking one more question. If I was looking at modifying the powershell download cradles would I need to modify every module or if I used say an Internet Explorer COM object in the initial stager would that be sufficient?

Thanks again for the help

[Hubbl3]

Just to add a bit of context trying to do some research on JA3 signatures and seeing what may or may not change them