There are various command and control options which some of them are utilizing protocols like ICMP and DNS and some others legitimate websites such as DropBox and Gmail. During DerbyCon 3.0 Matt Graeber and Chris Campbell introduced a technique which uses a website keyword in order to trigger the launch of shellcode in a system.

Matt Nelson produced a PowerShell script which utilizes the same technique in order to get a Meterpreter session and use all of its features acting as a command and control tool. The main benefits of this technique is that the shellcode is executed directly from memory, it is less noisy and it achieves persistence through a registry key.

C2Code - PowerShell Script
C2Code – PowerShell Script

When the PowerShell script is executed on the target host it will look for the specific keyword on the website that it has been given and if the keyword exist will execute a payload.

C2Code - Implant
C2Code – Implant

A Meterpreter session will open and commands could be executed remotely.

C2 Website Keyword - Meterpreter
C2 Website Keyword – Meterpreter
C2 Website Keyword - Sysinfo
C2 Website Keyword – Sysinfo

Matt Nelson also created an office macro which performs the same technique but additionally creates a registry key which executes the C2Code PowerShell script every time that the user logs in in order to maintain persistence.

C2Code - Excel Macro
C2Code – Excel Macro

When the user open the document the macro will run and it will execute the Invoke-ShellCode script which is hosted on a website that the red teamer controls.

C2Code - Running Excel Macro
C2Code Running Excel Macro

A Meterpreter session will open:

C2 Website Keyword - Excel Macro Shell
C2 Website Keyword – Meterpreter via Excel Macro

References

Command and Control using Powershell and your favorite website

https://github.com/enigma0x3/Powershell-C2

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s