finds.dev← search

// the find

byt3bl33d3r/DeathStar

★ 1,617 · Python · GPL-3.0 · updated Jan 2024

Uses Empire's (https://github.com/BC-SECURITY/Empire) RESTful API to automate gaining Domain and/or Enterprise Admin rights in Active Directory environments using some of the most common offensive TTPs.

DeathStar automates Active Directory privilege escalation by orchestrating Empire's post-exploitation modules via its REST API. It chains common AD misconfigurations — GPP passwords, local admin reuse, lateral movement — to walk from a foothold to Domain Admin without human intervention. Built for pentesters who already have an Empire agent running and want the privesc chain handled automatically.

The async architecture using asyncio is the right call here — lateral movement involves a lot of waiting on agent callbacks, and blocking would be miserable. The Kyber Crystal plugin system is a clean abstraction: each module gets its own file responsible for invoking and parsing exactly one Empire module, which makes it straightforward to add coverage. The Active Monitoring feature that polls for new logins and reprioritizes targets is genuinely useful — AD environments are dynamic and a static attack path misses opportunities. The Defense & Detection section is honest and actually useful for blue teamers.

Crystal Injection still requires manual code edits to deathstar.py — the plugin system is only half-finished, which the author admits. The PowerShell output parsers (posh_object_parser) are self-described as awful and don't handle edge cases, so you'll hit parsing failures on any environment that doesn't look exactly like the test setup. Hard dependency on BC-Security's Empire fork means you're two projects deep before you can run anything, and Empire itself has had significant API churn — the last commit is from 2024 but Empire has moved on. No test coverage for the actual attack chains, only the API client and utility functions.

View on GitHub →

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →