
Command and Control

netbiosX edited this page Sep 14, 2017 · 6 revisions

ICMP

WebDAV

This method uses the WebDAV protocol, and more specifically the display name property of PROPFIND responses, to deliver the payload. Since the communication and the delivery of the payload are performed via the PROPFIND responses, nothing is dropped to disk. On the defence side, the WebDAV requests are made by the svchost.exe process (the WebClient service) and the client is proxy aware.

WebDAVC2 implements this technique: it automatically starts a WebDAV server and produces three stagers that need to be executed on the target.

  • BAT Stager
  • 2x Office Macros

WebDAVC2

The BAT stager is base64-encoded and it will be deleted once it is executed.

When the agent binary is sent to the stager it will open a shell.

All the commands will be delivered through the WebDAV server.

WebDavDelivery is the server-side part of WebDAVC2 and can be used as a standalone tool for the delivery of arbitrary files. The tool encodes the stager as base64 and delivers it in chunks of 250 characters (a limitation of WebDAV).

The PowerShell script and the macros that exist in this tool perform the PROPFIND request, which triggers the execution of the payload.

A sample of the PROPFIND responses that will be generated can be seen below:
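The delivery described above leaves a recognisable mark in the PROPFIND responses: display names that are 250-character base64 chunks rather than file names. The script below is an added detection example, not code from WebDAVC2 or WebDavDelivery. It parses a DAV multistatus body, flags display names that look like payload chunks, and reassembles them so an analyst can see what was delivered. The multistatus body is constructed inline; the 250-character chunk size comes from the page, while the 32-character threshold for a suspicious base64-only name is an assumption.

```python
"""Added detection example (not part of the WebDAVC2 project): inspect a WebDAV
PROPFIND multistatus body and flag <displayname> values that carry base64
payload chunks instead of file names. The response body is constructed."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

DAV = "{DAV:}"
CHUNK_LEN = 250          # chunk size the page attributes to the technique
MIN_SUSPECT_LEN = 32     # assumption: a base64-only name this long is not a file name
B64_NAME = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def displaynames(multistatus_xml: str) -> list:
    """Return every DAV:displayname value in document order."""
    root = ET.fromstring(multistatus_xml)
    return [(el.text or "") for el in root.iter(DAV + "displayname")]


def find_chunks(names: list) -> list:
    """Pick out names that are base64 chunks. A full-length chunk or a long
    base64-only name is flagged on its own; a short base64-only name is flagged
    only when it directly follows a chunk (the tail of a split payload)."""
    chunks, prev_was_chunk = [], False
    for name in names:
        b64_like = bool(B64_NAME.match(name))
        is_chunk = b64_like and (
            len(name) == CHUNK_LEN or len(name) >= MIN_SUSPECT_LEN or prev_was_chunk)
        if is_chunk:
            chunks.append(name)
        prev_was_chunk = is_chunk
    return chunks


def analyse_propfind(multistatus_xml: str) -> dict:
    """Summarise a multistatus body: chunk counts, benign names, decoded payload."""
    names = displaynames(multistatus_xml)
    chunks = find_chunks(names)
    joined = "".join(chunks)
    try:
        decoded = base64.b64decode(joined, validate=True) if chunks else None
    except binascii.Error:
        decoded = None   # flagged names that do not reassemble into valid base64
    return {
        "chunk_count": len(chunks),
        "full_chunks": sum(1 for c in chunks if len(c) == CHUNK_LEN),
        "benign_names": [n for n in names if n not in chunks],
        "decoded": decoded,
    }


# ---- constructed sample: harmless text split into 250-character display names ----
SAMPLE_TEXT = b"Write-Host 'constructed sample, not a real payload'\n" * 8


def build_sample_multistatus() -> str:
    """Build a constructed PROPFIND response mixing real file names and chunks."""
    encoded = base64.b64encode(SAMPLE_TEXT).decode()
    chunk_names = [encoded[i:i + CHUNK_LEN] for i in range(0, len(encoded), CHUNK_LEN)]
    names = ["share", "report.docx"] + chunk_names + ["Quarterly notes.txt"]
    responses = "".join(
        f"<D:response><D:href>/item{i}</D:href><D:propstat><D:prop>"
        f"<D:displayname>{n}</D:displayname></D:prop>"
        f"<D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>"
        for i, n in enumerate(names))
    return f'<D:multistatus xmlns:D="DAV:">{responses}</D:multistatus>'


if __name__ == "__main__":
    result = analyse_propfind(build_sample_multistatus())
    print(result["chunk_count"], "chunks,", result["full_chunks"], "full-length")
    print(result["decoded"].decode())
```

Run against a captured response body (for example from a proxy log or a PCAP), the same function reports how many display names were chunks and what they decode to; a count of zero on a normal share is the expected result.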

Website Keyword

This method uses a specific keyword that exists on a website as the trigger for executing a payload. The following elements are required to implement this attack:

  • Metasploit Meterpreter
  • PowerShell Script
  • Office Macro
  • Website keyword

Metasploit Meterpreter acts as the command and control tool, and the PowerShell script and Office macro act as the implants. The Office macro also creates a registry key that executes this attack every time the legitimate user logs in, so persistence is achieved.

The C2Code PowerShell script implements this attack by triggering the payload only when the keyword exists on the website it has been given.

The PowerShell script needs to be executed on the target host. The payload is executed directly from the memory of the PowerShell process, evading detection by antivirus and endpoint solutions.

The Metasploit multi/handler module will receive the connection.

Commands can be executed against the target through the new meterpreter session.

The Office macro implements the above technique but also maintains persistence by creating a registry key that automates the task above every time the legitimate user logs in.

When the user opens the weaponised document that contains the macro, the payload is executed.

A new meterpreter session will open.

When access is no longer required, deleting the keyword from the website prevents the payload from executing.
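The persistence mechanism above lives in a per-user Run key, which is also where a defender can find it. The script below is an added example, not code from C2Code or the macro: it parses a `.reg`-style export of the current user's Run key and flags values that start PowerShell with options typical of a logon-time implant launcher (hidden window, encoded command, execution-policy bypass, no profile, a script fetched from a URL). The export text is constructed, the indicator list is an assumption about what such launchers look like, and nothing reads the live registry.

```python
"""Added defensive example (not part of the C2Code project): review the per-user
Run key, the persistence location the page describes, and flag values that
launch PowerShell with indicators of a scripted implant. The .reg text is
constructed; no real registry is read."""
import base64
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
POWERSHELL = re.compile(r"powershell(?:\.exe)?", re.I)
# Assumption: these option patterns are what a logon-time implant launcher uses
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "bypass_policy": re.compile(r"-e(?:p|x(?:ec(?:utionpolicy)?)?)\s+bypass", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "script_url": re.compile(r"https?://", re.I),
}
REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}} for REG_SZ values in .reg-style text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = REG_VALUE.match(line) if current else None
        if m:
            # .reg escapes backslashes and quotes with a backslash
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            keys[current][name] = data
    return keys


def scan_run_key(reg_text: str) -> list:
    """Return one finding per Run value that launches PowerShell with indicators."""
    findings = []
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        if not POWERSHELL.search(data):
            continue
        hits = [label for label, rx in INDICATORS.items() if rx.search(data)]
        if hits:
            findings.append({"value": name, "indicators": hits, "command": data})
    return findings


# ---- constructed sample export: two benign entries and one suspicious one ----
SAMPLE_ENC = base64.b64encode("Write-Host 'constructed'".encode("utf-16le")).decode()


def build_sample_export() -> str:
    """Constructed .reg text in the format produced by 'reg export'."""
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        f"[{RUN_KEY}]",
        r'"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"',
        r'"HealthCheck"="powershell.exe -File C:\\Tools\\healthcheck.ps1"',
        f'"Updater"="powershell.exe -NoP -W Hidden -Enc {SAMPLE_ENC}"',
    ])


if __name__ == "__main__":
    for finding in scan_run_key(build_sample_export()):
        print(finding["value"], "->", ", ".join(finding["indicators"]))
```

Note that the entry that merely runs a script file with `-File` is not flagged, which keeps the check usable on hosts where administrators legitimately schedule PowerShell at logon; the hidden, encoded launcher is reported with every matching indicator so the analyst can prioritise it.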
