Nemesis: Open-source offensive data enrichment and analytic pipeline

Nemesis is a centralized data processing platform that ingests, enriches, and performs analytics on offensive security assessment data (i.e., data collected during penetration tests and red team engagements). Nemesis was created by Lee Chagolla-Christensen, Will Schroeder, and Max Harley from SpecterOps.

Figure: Analyzing the details of an individual file

Centralized data processing with Nemesis

The solution attempts to address three main issues:

  • Knowledge about offensive tradecraft is difficult to scale due to the rapid pace at which new techniques are released, the vast array of technologies companies use, and the time requirements to learn about new tradecraft.
  • Offensive data is not unified: it’s siloed inside specific tools and machines rather than being modeled and analyzed holistically.
  • File and tool output triaging is inconsistent due to differing levels of experience, training, knowledge, tedium, and time constraints.

Cybersecurity analysis

Chagolla-Christensen told us that Nemesis aggregates data from several C2 platforms (e.g., Cobalt Strike, Mythic, Sliver) to a central location, where it then analyzes and enriches the data and provides collaborative user interfaces for it. Nemesis currently focuses primarily on analyzing downloaded files, and notable features include:

Document processing: Converts all documents to a PDF accessible in a browser, extracts text from the documents and makes them searchable, scans all the text in all documents/files for credentials, and attempts to crack password-protected documents.

Software vulnerability analysis: Extracts and stores common features from executable files (e.g., PE imports and exports, version/signature details, .NET metadata, section information), decompiles .NET code, scans .NET executables for potential vulnerabilities, and indexes source code so it is easily searchable and viewable.

Automatic decryption of sensitive data: Scans all files for data encrypted using the Windows Data Protection API (DPAPI), which includes data like saved Wi-Fi passwords or passwords/cookies in Chrome or Edge, tracks and cracks the cryptographic keys used to protect this data, and automatically decrypts it to reveal the sensitive contents.
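As an added illustration (not Nemesis code and not taken from the article), the Python below shows how a file scanner can recognize DPAPI blobs by their fixed header, raw or base64-encoded, and read out the master key GUID each blob depends on, which is also how a defender can inventory where DPAPI-protected secrets sit in files and backups. The function names, the sample input and the GUID in it are constructed for this example.

```python
import base64
import re
import struct
import uuid

# A DPAPI blob starts with dwVersion = 1 followed by the DPAPI provider GUID
# (stored in little-endian GUID byte order).
DPAPI_MAGIC = struct.pack("<I", 1) + uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb").bytes_le
HEADER_LEN = 48  # magic(20) + dwMasterKeyVersion(4) + guidMasterKey(16) + dwFlags(4) + dwDescriptionLen(4)
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def parse_header(buf, off):
    """Return the master key GUID and description of the blob at off, or None if truncated."""
    if len(buf) - off < HEADER_LEN:
        return None
    _ver, mk_guid, _flags, desc_len = struct.unpack_from("<I16sII", buf, off + 20)
    desc_end = off + HEADER_LEN + desc_len
    if desc_len % 2 or desc_end > len(buf):
        return None
    desc = buf[off + HEADER_LEN:desc_end].decode("utf-16-le", "replace").rstrip("\x00")
    return {"masterkey_guid": str(uuid.UUID(bytes_le=mk_guid)), "description": desc}

def find_blobs(data):
    """Return (encoding, offset, header) for every DPAPI blob header found in data."""
    hits = []
    for m in re.finditer(re.escape(DPAPI_MAGIC), data):
        if hdr := parse_header(data, m.start()):
            hits.append(("raw", m.start(), hdr))
    for m in B64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(m.group(), validate=True)
        except ValueError:
            continue
        # The blob may follow an application-specific prefix inside the encoded value.
        pos = decoded.find(DPAPI_MAGIC)
        if pos != -1 and (hdr := parse_header(decoded, pos)):
            hits.append(("base64", m.start(), hdr))
    return hits

def build_sample():
    """Constructed input: one raw blob header and one base64 copy with a 5-byte prefix."""
    guid = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed value
    desc = "sample\x00".encode("utf-16-le")
    blob = DPAPI_MAGIC + struct.pack("<I16sII", 1, guid.bytes_le, 0, len(desc)) + desc + bytes(32)
    return b"\x00junk" + blob + b"\nvalue: " + base64.b64encode(b"DPAPI" + blob) + b"\n"

if __name__ == "__main__":
    for hit in find_blobs(build_sample()):
        print(hit)
```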

Figure: File triage view

Interesting findings

The SpecterOps team uses Nemesis internally, and Chagolla-Christensen told us some great wins have included:

  • Secret scanning greatly expediting the triage of downloaded files (e.g., instantly identifying credentials in bash histories and long bash/PowerShell/VBS scripts) and discovering several API keys embedded in a third-party product (a .zip containing all of the product’s binaries was uploaded to Nemesis and it extracted the zip and discovered the API keys).
  • Automated file processing discovering files and registry key values containing DPAPI blobs that were previously unknown.
  • Great feedback from our assessment teams regarding the file triage user interface enabling them to quickly analyze files (e.g., in the embedded text editor or viewing converted Microsoft Office documents in the browser) and to collaboratively track their file triaging efforts.

What’s next for Nemesis?

“The next big thing we plan to add to Nemesis is host data modeling. We’re excited about this since it will allow us to highlight workflow-specific tradecraft suggestions derived from data collected (so far) in the target network, such as local privilege escalation opportunities and/or better host and network situational awareness. In addition to the host data modeling, we plan to add many more file processing capabilities over the next year, squash some bugs that have arisen, and ease some deployment burdens,” Chagolla-Christensen told Help Net Security.

Nemesis is available for download on GitHub.
