When I went to Derbycon 3.0 last year, I saw @mattifestation and @obscuresec's talk about using pre-existing Windows components for post-exploitation. What I absolutely loved was the section on using PowerShell and a website for C2 after a compromise.
In a nutshell, you gain access to a system and create some way of getting script execution on startup (for persistence). This particular script is a rather neat one. What it does is define a keyword and a website. It will check the website for the keyword and, if it exists, execute a new payload using Invoke-Shellcode. Pretty badass, right? That means when you are ready for your shell back, you go to the website and enter the keyword. When the script goes to check the site, it will see the keyword and execute a new payload. You can find their talk here.
What I have done is implement this into a word macro that you send to a target.
You can find the code here: https://github.com/enigma0x3/Powershell-C2
When the target opens the document, you get a shell.
The macro also creates a registry key called WindowsUpdate under HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ that invokes the C2 script (you have to host Invoke-Shellcode and the C2 script yourself).
So say you decide to close your sessions and go watch some ShmooCon talks. Once it is time to work again, simply fire up your multi/handler, point your browser to the website you set in your C2 script and create a comment with your magical word. Here is an example:
As you can see, I set my site to my blog and I set the keyword to h4x0r. So I go to my blog and create a comment using my keyword:
Since we created a registry key to execute our C2 script, it will start once the user logs in. When it comes to check the site for the keyword, it will find it and execute our payload:
And boom, we get a new shell:
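A defender's counterpart to the persistence step described above, added here as an example and not part of the original post or its repository: it enumerates the HKCU Run key the macro writes to and flags any entry that launches PowerShell with download-and-execute patterns. The indicator list, the regex, and the output column names are my own choices; the entry name WindowsUpdate comes from the post.

```powershell
# Added example (not from the original post): audit the per-user Run key for
# entries that look like a PowerShell download cradle or an Invoke-Shellcode loader.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Constructed indicator list: strings commonly seen in hidden, download-and-run
# PowerShell launch lines. Tune for your environment.
$indicators = @(
    'powershell', 'DownloadString', 'DownloadFile', 'Net\.WebClient',
    'Invoke-Expression', '\bIEX\b', '-EncodedCommand', '-enc\b',
    '-w(indowstyle)?\s+hidden', '-nop\b', 'Invoke-Shellcode'
)
$pattern = $indicators -join '|'

# Names that look like Windows components but live in a per-user Run key
# deserve a second look even without a matching command line.
$lookalikeNames = @('WindowsUpdate')

$entries = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if (-not $entries) {
    Write-Output "No Run entries found under $runKey"
    return
}

$entries.PSObject.Properties |
    Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
    ForEach-Object {
        $cmd  = [string]$_.Value
        $hits = [regex]::Matches($cmd, $pattern, 'IgnoreCase') |
                ForEach-Object { $_.Value } | Select-Object -Unique
        [PSCustomObject]@{
            Name    = $_.Name
            Command = $cmd
            Flags   = (@($hits) -join ', ')
            Suspect = (@($hits).Count -gt 0) -or ($lookalikeNames -contains $_.Name)
        }
    } |
    Sort-Object -Property Suspect -Descending |
    Format-Table -AutoSize -Wrap
```

Run it under the user account you are checking, since HKCU is per-user; a Suspect entry whose command pulls a script from a web site is the behaviour the post describes.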
-Matt Nelson (@enigma0x3)