There are various command and control options: some use protocols such as ICMP and DNS, while others rely on legitimate websites such as Dropbox and Gmail. At DerbyCon 3.0, Matt Graeber and Chris Campbell introduced a technique that uses a keyword on a website to trigger the execution of shellcode on a system.
Matt Nelson produced a PowerShell script that uses the same technique to obtain a Meterpreter session and use all of its features, acting as a command and control tool. The main benefits of this technique are that the shellcode is executed directly from memory, it is less noisy, and it achieves persistence through a registry key.
When the PowerShell script is executed on the target host, it will look for the specific keyword on the website it has been given, and if the keyword exists, it will execute a payload.
A Meterpreter session will open and commands can be executed remotely.
Matt Nelson also created an Office macro that performs the same technique but additionally creates a registry key that executes the C2Code PowerShell script every time the user logs in, in order to maintain persistence.
When the user opens the document, the macro will run and execute the Invoke-ShellCode script, which is hosted on a website that the red teamer controls.
A Meterpreter session will open:
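From the defender's side, the persistence described above leaves a trace that is easy to audit: an autorun registry value that launches PowerShell to fetch and execute code from a website. The following script is an added example, not part of the original post or of Matt Nelson's tooling; it enumerates the usual Run keys and flags values that combine a PowerShell interpreter with a remote-fetch or inline-execution indicator. The indicator patterns are my assumption, based on common download-cradle syntax, not taken from the post.

```powershell
# Added example: audit autorun keys for PowerShell-based web download cradles.
# The registry paths are the standard per-user and machine-wide Run keys;
# the regex indicators below are an assumption, not drawn from the post.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Each category is one regex; a hit in Interpreter plus any other category
# is enough to surface the entry for review.
$Patterns = @{
    Interpreter   = 'powershell(\.exe)?|pwsh(\.exe)?'
    RemoteFetch   = 'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Net\.WebClient|https?://'
    InlineExecute = '\bIEX\b|Invoke-Expression|-enc(odedcommand)?\b'
    Stealth       = '-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass'
}

function Get-SuspiciousRunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd  = [string]$item.GetValue($name)
            # Collect the names of every category whose regex matches (case-insensitive by default)
            $hits = @($Patterns.GetEnumerator() | Where-Object { $cmd -match $_.Value } | ForEach-Object Key)
            if ($hits -contains 'Interpreter' -and $hits.Count -ge 2) {
                [pscustomobject]@{
                    Key        = $key
                    ValueName  = $name
                    Indicators = ($hits | Sort-Object) -join ','
                    Command    = $cmd
                }
            }
        }
    }
}

# Run the audit; no output means no Run value matched the indicator combination.
Get-SuspiciousRunEntries | Format-Table -AutoSize -Wrap
```

Run it in an elevated session to cover the HKLM keys as well; a legitimate entry may trip the Stealth pattern alone, which is why the script requires the interpreter plus at least one more category before reporting.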
Command and Control using Powershell and your favorite website