Nemesis 2.0

Aug 5 2025
By: Will Schroeder • 7 min read

TL;DR We took a chainsaw to Nemesis 1.0, kept the parts that operators loved (i.e., automated file processing), and rebuilt everything else from the ground up. Nemesis 2.0 is a streamlined, Docker Compose-based platform that focuses on the file triage problem instead of trying to be everything to everyone.

It’s been almost two years since @tifkin_, @0xdab0, and I released Nemesis 1.0 at BlackHat USA Arsenal 2023. After numerous operator feedback sessions, community feedback, and some honest soul-searching about what we actually built versus what people actually needed, we’re excited to announce Nemesis 2.0, a complete rewrite that focuses on what operators actually need during engagements: the ability to triage massive amounts of files.

The Journey So Far

When we first introduced Nemesis back in 2023, we had ambitious goals. We wanted to build a centralized platform that could ingest, process, and unify ALL offensive data from ALL available offensive tools. We envisioned a universal model for an entire engagement that would ALSO solve the file triage bottleneck that plagues red team operations.

That vision proved to be…well, let’s call it “slightly overambitious” 😉

While Nemesis 1.0 successfully demonstrated the value of centralized file analysis and automated processing, we quickly ran into several challenges:

  • Data modeling complexity – Different command and control (C2) frameworks and tools represent hosts, targets, and data in fundamentally different ways. Unifying these into a single coherent model proved to be a significant challenge.
  • Over-engineering – Our Kubernetes-based architecture, strict protobuf schemas, and overly-engineered code base created unnecessary complexity for what was essentially a file processing pipeline.
  • UI/UX frustrations – Our Streamlit-based interface hit limitations quickly and created a frustrating experience for the primary way users interacted with Nemesis.
  • Extensibility barriers – Adding new data types, enrichments, or modifications ended up being more difficult than it should have been. In short, it just wasn’t hackable enough, not even for us as the original creators.
Nemesis 1.0.0’s architecture
Us, trying to be Kubernetes architects

Lessons Learned: Focus on What Actually Works

The most important lesson from Nemesis 1.0 was simple: keep what operators actually use and ruthlessly cut everything else.

Through real-world usage across multiple red team operations, we discovered that our operators tended to mostly use Nemesis for:

  1. Automated file enrichment and analysis
  2. Centralized file triage in a browser interface
  3. Structured data storage and search
  4. Finding credentials and “interesting information”

Everything else (the complex data models, the attempt to unify all offensive data types, the over-engineered microservice architecture, etc.) added complexity without providing proportional value. This resulted not just in a project that was difficult to develop for (even for us), but also one that users found difficult to set up and use.

So in late December 2024, @tifkin_ and I met up and had an honest discussion about what we needed to do to keep the Nemesis project alive. Our new philosophy for Nemesis 2.0:

  1. Focus on file triage – Refocus on the one problem we solved reasonably well instead of trying to handle ALL data
  2. Simplify everything and make it extensible – Radically simplify our architecture and make it easy for operators to add new Nosey Parker/Yara rules, enrichments, and extensions
  3. Prioritize operator workflows – Better support operator workflows with the Nemesis interface instead of it feeling like a burden

We ruthlessly reviewed every component of Nemesis and slashed everything we felt was unnecessary for our new core use case. Several months and coding sessions later, we’re happy to announce Nemesis 2.0!

Nemesis 2.0: Focused and Streamlined

Nemesis 2.0 represents a complete philosophical shift. Instead of trying to be everything to everyone, we focused on building the best possible file enrichment and triage platform for offensive operations.

The Main Nemesis 2.0 Interface

Major Changes

Simplified Architecture: We moved from Kubernetes to Docker Compose, dropped Elasticsearch (consolidating all data storage in PostgreSQL), and dropped complex protobuf schemas for a more flexible approach. The entire codebase is now significantly simpler and easier to understand.

Dapr Integration: We integrated with Dapr (Distributed Application Runtime) for workflow management, pub/sub messaging, and service invocation. This gives us the reliability and observability we need while maintaining simplicity.

Completely New UI: Built from scratch in React, the new interface focuses on operator workflow and provides a smooth, intuitive experience for file and findings triage.

Comparing Nemesis Dashboards

Findings-Focused Workflow: Instead of just processing files, Nemesis 2.0 is built around the concept of “findings”: actionable pieces of information extracted from files that operators need to triage.

The Nemesis “Findings” dashboard

Key New Features

Enhanced File Viewers: The new interface provides multiple ways to view and interact with files directly in the browser, including ZIP exploration, hex viewers, and syntax-highlighted code display.

The In-Browser ZIP Display With Syntax Highlighting

Keyboard-Driven Triage: Press ‘t’ in any file or findings list to enter triage mode, allowing you to quickly mark items as viewed/triaged and navigate to more details

Triaging Nemesis Findings via Keyboard

Dynamic Yara Rules: Add, edit, and manage Yara rules directly through the web interface. Rules are stored in the database and automatically applied to new files.

Yara Rule Customization

File Tagging and Filtering: Custom tagging system allows teams to organize and filter files based on their specific workflow needs.

File Tagging

Collaborative Triage: File views are tracked per operator, and files can be filtered by the view state, making multi-player mass file triage easier.

File Filtering by View State

Smart Alerting: Integration with Slack (and other services via Apprise) provides real-time notifications for high-priority findings in a more flexible way, and for more services, than Nemesis 1.0.0’s alerting system.

A Nemesis Apprise Alert

Container Build Pipelines: We now have GitHub workflows to build and publish Nemesis containers to the GitHub container registry! This means that in prod mode, you can pull these containers directly without having to build everything locally. In addition, we have pre-built containers for both x86 and arm!

Nemesis GitHub Container Build Workflows
Published Nemesis Containers

Enrichment Modules

Nemesis 2.0 ships with 28+ file enrichment modules; all the existing modules from Nemesis 1.0.0 are ported along with some new modules. We redesigned the module system to be more extensible. Simply drop a new module folder into file_enrichment_modules/ and it will be dynamically loaded with its dependencies. There is a short guide in the documentation on creating new enrichment modules, and we are currently working on a more detailed blog post documenting the process.
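As an added illustration of the “drop a folder in and it gets loaded” pattern described above (this is my own example, not Nemesis’s loader, and the module interface, directory layout, and sample modules are all assumptions, not the project’s actual API), here is a minimal dynamic enrichment-module loader. Each module folder is assumed to contain an __init__.py exposing should_process(data, name) and analyze(data, name); dependency installation, which the post says Nemesis also handles, is out of scope here.

```python
"""
Added example (not Nemesis's own code): discover enrichment modules under a
directory at runtime, import them, and run every module that claims a file.

Assumed module contract (my assumption, not the Nemesis API):
    should_process(data: bytes, name: str) -> bool
    analyze(data: bytes, name: str) -> dict
"""
import importlib.util
import sys
import tempfile
from pathlib import Path

# Constructed example module: recognizes ZIP containers by their magic bytes.
ZIP_MODULE_SRC = '''
ZIP_MAGIC = b"PK\\x03\\x04"

def should_process(data: bytes, name: str) -> bool:
    return data.startswith(ZIP_MAGIC)

def analyze(data: bytes, name: str) -> dict:
    return {"module": "zip_info", "is_zip": True, "size": len(data)}
'''

# Constructed example module: flags filenames that hint at stored credentials.
CRED_MODULE_SRC = '''
KEYWORDS = ("password", "credential", "secret")

def should_process(data: bytes, name: str) -> bool:
    lowered = name.lower()
    return any(k in lowered for k in KEYWORDS)

def analyze(data: bytes, name: str) -> dict:
    return {"module": "cred_name", "finding": f"suspicious filename: {name}"}
'''


def write_example_modules(root: Path) -> None:
    """Create two module folders under root (constructed fixtures for this demo)."""
    for mod_name, src in (("zip_info", ZIP_MODULE_SRC), ("cred_name", CRED_MODULE_SRC)):
        mod_dir = root / mod_name
        mod_dir.mkdir(parents=True, exist_ok=True)
        (mod_dir / "__init__.py").write_text(src)


def load_modules(root: Path) -> dict:
    """Import every folder under root that has an __init__.py, keyed by folder name.

    Caveat: this executes whatever Python is in those folders, so the modules
    directory must be writable only by the people you already trust to run code
    on the Nemesis host.
    """
    loaded = {}
    for mod_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        init = mod_dir / "__init__.py"
        if not init.is_file():
            continue  # skip stray folders such as __pycache__
        spec = importlib.util.spec_from_file_location(f"enrich_{mod_dir.name}", init)
        module = importlib.util.module_from_spec(spec)
        sys.modules[spec.name] = module
        spec.loader.exec_module(module)
        if not (hasattr(module, "should_process") and hasattr(module, "analyze")):
            continue  # folder is importable but does not implement the contract
        loaded[mod_dir.name] = module
    return loaded


def enrich(modules: dict, name: str, data: bytes) -> list:
    """Run analyze() for every module whose should_process() accepts the file."""
    results = []
    for module in modules.values():
        if module.should_process(data, name):
            results.append(module.analyze(data, name))
    return results


def demo():
    """Build a temporary modules directory, load it, and enrich one constructed file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "file_enrichment_modules"
        write_example_modules(root)
        modules = load_modules(root)
        # Constructed sample: a ZIP-looking blob whose name also trips the credential module.
        results = enrich(modules, "passwords.zip", b"PK\x03\x04" + b"\x00" * 60)
        return sorted(r["module"] for r in results), sorted(modules)


if __name__ == "__main__":
    print(demo())
```

Both constructed modules fire on the sample file, so demo() returns the two module names twice: once as loaded modules and once as the modules that produced a result. In a real pipeline the analyze() output is what becomes a stored finding; the two-phase should_process/analyze split keeps cheap filters (magic bytes, filename) separate from expensive analysis.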

Getting Started

Getting Nemesis 2.0 up and running is now straightforward. You just need to have Docker, set a handful of ENV variables, and run ./tools/start.sh [dev | prod] for development or production mode. We have all of this documented extensively in the Quickstart Guide.

You can then navigate to https://localhost:7443/ and start uploading files for analysis.

The Nemesis File Upload Interface
File Details in Nemesis

Our Nemesis CLI guide documents other connectors and submission options.

The Road Ahead

While Nemesis 2.0 represents a major milestone, we’re not stopping here. Our roadmap includes:

  • More file analyzers: Continued expansion of supported file types and analysis capabilities
  • AI integration: Exploring LLM assistance for file analysis and triage prioritization
  • Scalable Deployment Options: Explore proper deployment on Kubernetes and/or using cloud infrastructure services
  • Performance optimizations: Handling even larger datasets more efficiently
  • Enhanced collaboration features: Better team workflows and knowledge sharing

Note: We are aiming to always support a Docker Compose option for Nemesis, but we will explore a proper Kubernetes deployment option with help from people who know what they’re doing. We want the ability to scale up, but also want to preserve the ability to run Nemesis locally.

Try It Today!

Nemesis 2.0 is available now on GitHub. The documentation has also been completely rewritten and includes comprehensive setup guides, usage examples, and development information.

Nemesis Documentation

Join us in the #nemesis-chat channel in the BloodHound Slack for any questions or feedback, and feel free to report any issues on GitHub. We hope you’re as excited as we are for this new rewrite!