Tear Labs

    Open-Source security tools and researches by Tear Security team

Normalizing Empire's Traffic to Evade Anomaly-Based IDS [Research]

Perimeter defenses are holding an important role in com- puter security. However, when we check the method of APT groups, a single spear-phishing usually enough to gain a foothold on the network. Therefore, red teams are mostly focused on ”assume breach” type of scenarios. In these scenarios, testers need to use a post-exploitation framework. Besides that, testers also need to hide the server-agent communication from NIDS (Network Intru- sion Detection Systems). In this paper, we will discuss one of the most famous post-exploitation tool, Empire’s situation against payload-based anomaly detection sys- tems. We will explain how to normalize Empire’s traffic with polymorphic blending attack (PBA) method. We will also cover our tool, ”firstorder” which is designed to evade anomaly-based detection systems.

White Paper: https://tearsecurity.com/papers/defcon26.pdf
Video: https://www.youtube.com/watch?v=Cz1duUCIM-g


firstorder is designed to evade Empire's C2-Agent communication from anomaly-based intrusion detection systems. It takes a traffic capture file (pcap) of the network and tries to identify normal traffic profile. According to results, it creates an Empire HTTP listener with appropriate options.

Project Page: https://github.com/tearsecurity/firstorder

Leviathan Framework

Leviathan is a mass audit toolkit which has wide range service discovery, brute force, SQL injection detection and running custom exploit capabilities. It consists open source tools such masscan, ncrack, dsss and gives you the flexibility of using them with a combination.

The main goal of this project is auditing as many system as possible in country-wide or in a wide IP range.

Project Page: https://github.com/tearsecurity/leviathan