BSidesAugusta 2023

The offensive industry is about exploring what’s possible. Part of this is observing and taking lessons from other disciplines that have already solved a myriad of related challenges, from proper software engineering practices to using graph theory for offensive problems. But despite various leaps forward over the last several years, the offensive post-exploitation community has yet to fully embrace data analysis and enrichment pipelines beyond basic log aggregation and searching. If offensive tools were structured for automated processing instead of solely human consumption, we could unify post-ex data to exploit the known (and unknown) relationships within the data our offensive tools emit.

Imagine a system that could ingest data from any C2 framework or post-ex tool, and could not just automate common operator tasks like binary analysis for known vulnerabilities and hash extraction and cracking of encrypted documents, but could perform complex offline analysis like host privilege escalation. If we could unify all post-exploitation data from offensive engagements we could improve operator workflows, provide tradecraft assistance, facilitate automation of onerous tasks, and uncover new data-driven research opportunities. A year ago, our team embarked on the development of just such a system, and we are excited to introduce the result of our effort: Nemesis.

This presentation will start by detailing the various red team challenges regarding data, leading into how this influenced Nemesis’ architectural decisions and design. Along the way we’ll cover various time-saving automations Nemesis can perform along with offensive data enrichments and analytics the engine can produce. This is the start of a true universal operator assistance platform, with operator guidance contextualized by data as it comes into command and control platforms. Beyond this, Nemesis will enable the emerging discipline of offensive data analysis, which we hope will unlock possibilities we can’t even imagine.