Command and Control
This method checks for a specific keyword on a website and executes a payload only when that keyword is present. The following elements are required to implement this attack:
- Metasploit Meterpreter
- PowerShell Script
- Office Macro
- Website keyword
Metasploit Meterpreter acts as the command and control tool, and the PowerShell script and Office macro act as the implants. The Office macro also writes a registry key that re-executes the attack every time the legitimate user logs in, so persistence is achieved.
The C2Code PowerShell script implements this attack by triggering the payload only when the keyword exists on the website that it has been given.
The PowerShell script needs to be executed on the target host. The payload is executed directly from the memory of the PowerShell process, evading detection by antivirus and endpoint solutions.
The Metasploit multi/handler module will receive the connection.
Commands can be executed against the target through the new meterpreter session.
The Office macro implements the same technique but also maintains persistence by creating a registry key that repeats the task above every time the legitimate user logs in.
When the user opens the weaponised document that contains the macro, the payload is executed.
A new meterpreter session will open.
When access is no longer required, deleting the keyword from the website prevents the payload from executing.
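From the defender's side, the two stages of this chain that leave host telemetry are an Office process launching a hidden PowerShell and a Run key value being set to launch PowerShell at logon. The following Python is an added example (not part of the C2Code project) that flags both over constructed Sysmon-style records; the field names follow Sysmon Event ID 1 (process create) and Event ID 13 (registry value set), while the pipe-delimited log format, paths, SID and file names are constructed for the example.

```python
import re

# Office binaries whose PowerShell children are worth flagging (macro stage of the chain)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Run/RunOnce key: the logon-persistence location the macro writes
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# PowerShell launched with flags typical of a hidden, policy-bypassing or encoded implant
PS_FLAGS_RE = re.compile(
    r"powershell(?:\.exe)?\b.*(?:-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b|"
    r"-e(?:nc|ncodedcommand)?\s|-ep\s+bypass|-executionpolicy\s+bypass)",
    re.I,
)

def parse_kv_line(line):
    """Split a constructed 'Key=Value|Key=Value' record into a dict."""
    fields = (part.split("=", 1) for part in line.strip().split("|") if "=" in part)
    return {k.strip(): v.strip() for k, v in fields}

def classify(event):
    """Return a finding label for one event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == "1":  # process creation: Office parent spawning suspicious PowerShell
        parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        if parent in OFFICE_PARENTS and PS_FLAGS_RE.search(event.get("CommandLine", "")):
            return f"office_spawned_powershell parent={parent}"
    elif eid == "13":  # registry value set: Run key pointing at suspicious PowerShell
        target = event.get("TargetObject", "")
        if RUN_KEY_RE.search(target) and PS_FLAGS_RE.search(event.get("Details", "")):
            value_name = target.rsplit("\\", 1)[-1]
            return f"run_key_persistence value={value_name}"
    return None

def scan(lines):
    """Classify every record and return the findings in log order."""
    return [f for f in (classify(parse_kv_line(line)) for line in lines) if f]

# Constructed sample records: two benign, two matching the chain described above
SAMPLE_LOG = [
    r"EventID=1|ParentImage=C:\Windows\explorer.exe|CommandLine=powershell.exe -Command Get-Date",
    r"EventID=1|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|CommandLine=powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\c2code.ps1",
    r"EventID=13|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"
    r"|Details=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    r"EventID=13|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"
    r"|Details=powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\c2code.ps1",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Correlating the two findings on the same host (Office-spawned PowerShell followed by a Run key write) is a stronger signal than either alone, since the macro performs both in one session.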