Lee Christensen and Max Harley - Nemesis
Presented on Friday 15th September 2023 at 44CON 2023.

The offensive industry is about exploring what’s possible. Part of this is observing and taking lessons from other disciplines that have already solved a myriad of related challenges, from proper software engineering practices to using graph theory for offensive problems. But despite various leaps forward over the last several years, the offensive post-exploitation community has yet to fully embrace data analysis and enrichment pipelines beyond basic log aggregation and searching. If offensive tools were structured for automated processing instead of solely human consumption, we could unify post-ex data to exploit the known (and unknown) relationships within the data our offensive tools emit.

Imagine a system that could ingest data from any C2 framework or post-ex tool, and could not just automate common operator tasks like binary analysis for known vulnerabilities and hash extraction and cracking of encrypted documents, but could perform complex offline analysis like host privilege escalation. If we could unify all post-exploitation data from offensive engagements we could improve operator workflows, provide tradecraft assistance, facilitate automation of onerous tasks, and uncover new data-driven research opportunities. A year ago, our team embarked on the development of just such a system, and we are excited to introduce the result of our effort: Nemesis.

This presentation will start by detailing the various red team challenges regarding data, leading into how this influenced Nemesis’ architectural decisions and design. Along the way we’ll cover various time-saving automations Nemesis can perform along with offensive data enrichments and analytics the engine can produce. This is the start of a true universal operator assistance platform, with operator guidance contextualized by data as it comes into command and control platforms. Beyond this, Nemesis will enable the emerging discipline of offensive data analysis, which we hope will unlock possibilities we can’t even imagine.

Lee Christensen: Lee Christensen is a member of the R&D team at SpecterOps, where he helps research and develop new offensive techniques and capabilities. He has an extensive background in offensive security, particularly enjoying research of Windows, Active Directory, and the components commonly found inside them. His research has resulted in several CVEs and new offensive tradecraft used throughout the industry. In addition, Lee has contributed to many open-source tools including GhostPack, BloodHound, SpoolSample, UnmanagedPowerShell, and KeeThief.

Max Harley: Max Harley is an operator and red team tool developer at SpecterOps. His passion for cybersecurity and software development has motivated him to release open source tools, mostly focused on safe payload delivery and JA3. Max has given presentations at multiple security conferences including CarolinaCon and BSides Charleston. He is a Clemson University alumnus and former president of their cybersecurity club, CU Cyber.


