Merge public/main into release/6.5.0

vinnybod · claude · vinnybod · commit 62f2cd9b46a7 · 2026-04-05T10:50:27.000-07:00
Resolve merge conflicts:
- CHANGELOG.md: keep full 6.5.0 release notes, incorporate main's backfilled Starkiller entries
- docs/modules/module-development/README.md: keep MITRE ATT&amp;CK Fields section from release
- empire/server/config.yaml: use Starkiller v3.4.0 from release, keep public plugin registry from main

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -97,6 +97,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 -   Fixed PSRansom module `name` field incorrectly set to `Invoke-Script` instead of `PSRansom`
 
 ## [6.4.1] - 2026-02-15
+-   Fixed the `docs/quickstart/installation/README.md` file to specify a previously missing reference to Ubuntu
+-   Updated Starkiller to v3.3.0
 
 ### Added
 
@@ -118,6 +120,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [6.4.0] - 2026-01-18
 
+
 ### Added
 
 -   Added Debian 13 support
@@ -129,6 +132,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 -   Added local ticket support to Invoke-PSRemoting module
 -   Added an endpoint to stop background jobs on agents
 -   Added foreground C# tasking support to IronPython agent
+-   Added Get-ClipboardHistory PowerShell module to enumerate Windows clipboard history (Windows 10/11) via WinRT APIs
 
 ### Changed
 
@@ -142,6 +146,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 -   Fixed results not coming back properly for powershell agents on C# background tasks
 
 ## [6.3.0] - 2025-12-11
+-   Updated Starkiller to v3.2.0
 
 ### Added
 
@@ -189,6 +194,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [6.2.0] - 2025-09-02
 
+-   Updated Starkiller to v3.1.0
 -   Added clean and reset options to the server
 -   Added other agent language support to fodhelper
 -   Added go support to spawn and spawnas
@@ -201,10 +207,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 -   Allow 'X-Empire-Token' as an alternative header to 'Authorization'
 -   Remove abandoned passlib library and use bcrypt directly
 
-## [6.1.4] - 2025-08-16
-
 ## [6.1.3] - 2025-07-11
 
+-   Updated Starkiller to v3.0.1
 -   Fixed PowerShell agent having base64 encoded Cookie name for HTTP listener
 
 ## [6.1.2] - 2025-05-21
@@ -258,6 +263,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 -   Fixed issue generating Sharpire exes
 
 ## [6.0.0] - 2025-03-25
+-   Updated Starkiller to v3.0.0
 
 ### Highlights
 
@@ -406,6 +412,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [5.11.5] - 2024-09-22
 
+-   Updated Starkiller to v2.8.2
 -   Fixed various Python 3.12 SyntaxWarning
 
 ## [5.11.4] - 2024-09-04
@@ -497,8 +504,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 -   Removed BypassUACCommand due to compatibility with only Covenant (@Cx01N)
 
 ## [5.10.2] - 2024-05-05
+-   Updated Starkiller to v2.8.1
 
 ## [5.10.1] - 2024-04-26
+-   Updated Starkiller to v2.8.0
 
 ### Added
 
@@ -539,6 +548,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 -   Fixed module generation error in ComputerDetails (@Cx01N)
 
 ## [5.9.5] - 2024-02-22
+-   Updated Starkiller to v2.7.3
 
 ## [5.9.4] - 2024-02-17
 
@@ -559,6 +569,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 -   Fixed skywalker exploit (again) and added tests (@Cx01N)
 
 ## [5.9.2] - 2024-01-31
+-   Updated Starkiller to v2.7.2
 
 ### Fixed
 
@@ -643,6 +654,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 -   Fixed the publishing of docker images to go to the correct DockerHub coordinate (@Vinnybod)
 
 ## [5.8.1] - 2023-11-30
+-   Updated Starkiller to v2.7.1
 
 ### Added
 
@@ -717,6 +729,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [5.7.3] - 2023-10-17
 
+-   Updated Starkiller to v2.6.1
 -   Fixed global obfuscation not working on modules (@Cx01N)
 -   Added bypass module in PowerShell to run bypasses after agent is staged (@Cx01N)
 -   Fixed IronPython and Python stagers not getting obfuscation applied (@Cx01N)
@@ -749,6 +762,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [5.6.3] - 2023-08-27
 
+-   Updated Starkiller to v2.5.3
 -   Added Advanced Reporting Plugin and dependencies (@Cx01N)
 -   Pin linters in the workflow
 -   Catch error when starting up database that was seeded by an older version of Empire (@Vinnybod)
@@ -780,9 +794,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 -   Fix changelog link in README (@theguly)
 
 ## [5.5.4] - 2023-07-20
+-   Updated Starkiller to v2.4.3
 
 ## [5.5.3] - 2023-07-20
 
+-   Updated Starkiller to v2.4.2
 -   Updated restip message to show IP address on server (@Cx01N)
 -   Fixed onedrive taskings for powershell (@Cx01N)
 -   Update pyyaml to 6.0.1 to avoid build issue from cython (@Vinnybod)
@@ -832,6 +848,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [5.4.2] - 2023-06-07
 
+-   Updated Starkiller to v2.3.2
 -   Fixed python modules not running properly (Cx01N)
 -   Updated python multi_socks to run with Python 3 (Cx01N)
 
@@ -855,6 +872,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [5.2.2] - 2023-04-30
 
+-   Updated Starkiller to v2.2.0
 -   Dependency upgrades (@Vinnybod)
 
 ## [5.2.1] - 2023-04-30
@@ -880,6 +898,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [5.1.2] - 2023-03-29
 
+-   Updated Starkiller to v2.1.1
 -   Removed thread from IronPython agent (@Hubbl3)
 -   Fixed foreign listener issue with cookies (@Hubbl3)
 -   Fixed error message handling for port forward pivot (@Cx01N)
@@ -912,6 +931,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [5.0.3] - 2023-02-20
 
+-   Updated Starkiller to v2.0.5
 -   Fix Invoke-Kerberoast with etype 17 or 18 (@AdrianVollmer)
 -   Add 3.11 support, bump Dockerfile to 3.11, bump Debian install to 3.8.16 (@Cx01N)
 -   Update the GitHub actions to remove usages of deprecated ::set-output function (@Vinnybod)
diff --git a/docs/modules/module-development/README.md b/docs/modules/module-development/README.md
@@ -44,6 +44,7 @@ Every module should include proper MITRE ATT&CK metadata. The fields are:
 
 Refer to the [MITRE ATT&CK Enterprise Matrix](https://attack.mitre.org/matrices/enterprise/) for valid tactic, technique, and software IDs.
 
+
 ## Special Options
 
 Empire reserves certain option names that receive special handling during module execution. These are filtered out of the parameters passed to the module's script and instead control how the task is dispatched or processed.
diff --git a/docs/quickstart/server.md b/docs/quickstart/server.md
@@ -4,6 +4,7 @@ The Server configuration is managed via [empire/server/config.yaml](https://gith
 
 Once launched, Empire checks for user write permissions on paths specified in `config.yaml`. If the current user does not have write permissions on these paths, `~/.empire` will be set as fallback parent directory and the configuration file will be updated as well. If `empire-priv.key` and `empire-chain.pem` are not found in \~/.local/share/empire directory, self-signed certs will be generated.
 
+
 ## User Config Overrides
 
 To customize settings without modifying `config.yaml`, create a `config.user.yaml` file in the same directory as the base config (e.g. `~/.config/empire/config.user.yaml`). This file only needs to contain the settings you want to override — everything else falls through to the base config.
diff --git a/empire/server/config.yaml b/empire/server/config.yaml
@@ -55,7 +55,7 @@ submodules:
 plugin_marketplace:
   registries:
     - name: BC-SECURITY
-      git_url: git@github.com:BC-SECURITY/Empire-Plugin-Registry-Sponsors.git
+      git_url: https://github.com/BC-SECURITY/Empire-Plugin-Registry.git
       ref: main
       file: registry.yaml
 directories:
diff --git a/empire/server/data/module_source/collection/Get-ClipboardHistory.ps1 b/empire/server/data/module_source/collection/Get-ClipboardHistory.ps1
@@ -0,0 +1,48 @@
+function Get-ClipboardHistory {
+
+    $ErrorActionPreference = 'Stop'
+
+    function Fail($msg) { throw $msg }
+
+    Add-Type -AssemblyName System.Runtime.WindowsRuntime
+
+    $asTaskGeneric = ([System.WindowsRuntimeSystemExtensions].GetMethods() |
+        Where-Object {
+            $_.Name -eq 'AsTask' -and
+            $_.GetParameters().Count -eq 1 -and
+            $_.GetParameters()[0].ParameterType.Name -eq 'IAsyncOperation`1'
+        })[0]
+
+    function Await($WinRtTask, $ResultType) {
+        $asTask  = $asTaskGeneric.MakeGenericMethod($ResultType)
+        $netTask = $asTask.Invoke($null, @($WinRtTask))
+        $null = $netTask.Wait(-1)
+        $netTask.Result
+    }
+
+    $null = [Windows.ApplicationModel.DataTransfer.Clipboard, Windows.ApplicationModel.DataTransfer, ContentType=WindowsRuntime]
+
+    $result = Await (
+        [Windows.ApplicationModel.DataTransfer.Clipboard]::GetHistoryItemsAsync()
+    ) ([Windows.ApplicationModel.DataTransfer.ClipboardHistoryItemsResult])
+
+    if ($result.Status -ne [Windows.ApplicationModel.DataTransfer.ClipboardHistoryItemsResultStatus]::Success) {
+        Fail "ClipboardHistory is not accessible, it might not be enabled. Status: $($result.Status)"
+    }
+
+    try {
+
+        $textOps = $result.Items.Content.GetTextAsync()
+
+        $out = New-Object System.Collections.Generic.List[string]
+        for ($i = 0; $i -lt $textOps.Count; $i++) {
+            $txt = Await ($textOps[$i]) ([string])
+            if ($txt) { $out.Add("---`n$txt") }
+        }
+
+        Write-Output $out
+
+    } catch {
+        Fail "Clipboard is empty."
+    }
+}
diff --git a/empire/server/modules/powershell/situational_awareness/host/clipboard_history.yaml b/empire/server/modules/powershell/situational_awareness/host/clipboard_history.yaml
@@ -0,0 +1,26 @@
+name: Invoke-ClipboardHistory
+authors:
+  - name: ''
+    handle: '@e1k'
+    link: ''
+description: |
+  Retrieves Windows clipboard history via WinRT APIs and returns the text items
+  currently stored in history. Useful for quickly enumerating recently copied
+  data on hosts where clipboard history is enabled (Windows 10+) using
+  PowerShell 5+.
+software: ''
+tactics: [TA0009]
+techniques: [T1115]
+background: false
+output_extension:
+needs_admin: false
+opsec_safe: true
+language: powershell
+min_language_version: '5'
+comments:
+  - Requires Windows 10/11 with Clipboard History enabled
+  - Leverages WinRT ClipboardHistory API; returns text entries only
+  - No network communication; local enumeration of clipboard history
+  - Script adapted from Raymond Chen (https://devblogs.microsoft.com/oldnewthing/20230303-00/?p=107894)
+script_path: collection/Get-ClipboardHistory.ps1
+script_end: Get-ClipboardHistory {{ PARAMS }}
