{
	"id": "dd304fb2-452f-4ab4-b20b-c0e1cd3facf7",
	"created_at": "2026-04-06T01:31:54.855495Z",
	"updated_at": "2026-04-10T13:12:37.893005Z",
	"deleted_at": null,
	"sha1_hash": "a854536a34aae4996355e810467fb18e04dfb41c",
	"title": "GitHub - dstepanic/attck_empire: Generate ATT\u0026CK Navigator layer file from PowerShell Empire agent logs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42428,
	"plain_text": "GitHub - dstepanic/attck_empire: Generate ATT\u0026CK Navigator\r\nlayer file from PowerShell Empire agent logs\r\nBy Daniel Stepanic\r\nArchived: 2026-04-06 01:10:06 UTC\r\nOverview\r\nGenerate ATT\u0026CK Navigator layer files (JSON) based on PowerShell Empire modules used during red\r\nteam/pentesting engagements. The modules are pulled from each host's agent.log file and mapped to one or more\r\nATT\u0026CK techniques. This can be used as a learning tool for handoffs between red/blue teams as well as part of a\r\nfinal pentest report.\r\nPlease note the layer generation portion (gen_layer.py) was developed by the MITRE ATT\u0026CK team and slightly\r\nmodified in order to output JSON file. A spreadsheet (Empire_modules.xlsx) is included that contains the\r\ntechnique/module mapping for any custom modifications.\r\nUsing the script\r\n1. Perform red team engagement using PowerShell Empire, generate agent.log files by compromising hosts\r\nand using different modules.\r\n2. Run main Python script (attck_empire.py) in Powershell Empire downloads folder or point to specific\r\nagent.log file:\r\npython attck_empire.py (Searches within sub-directories for agent.log files)\r\npython attck_empire.py -a C:/tmp/agent.log\r\n3.\r\nPlease note, the Navigator hosted instance by MITRE stores and utilizes layer files on the client-side, not server-side. For any internal/sensitive data, it's recommended to use your own instance.\r\n4. Click on the plus sign on top left corner of ATT\u0026CK Navigator page, select \"Open Existing Layer\" and\r\nchoose your generated layer file (JSON).\r\nSource: https://github.com/dstepanic/attck_empire\r\nhttps://github.com/dstepanic/attck_empire\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/dstepanic/attck_empire"
	],
	"report_names": [
		"attck_empire"
	],
	"threat_actors": [
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439114,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a854536a34aae4996355e810467fb18e04dfb41c.pdf",
		"text": "https://archive.orkl.eu/a854536a34aae4996355e810467fb18e04dfb41c.txt",
		"img": "https://archive.orkl.eu/a854536a34aae4996355e810467fb18e04dfb41c.jpg"
	}
}