Home
Chris Ross edited this page Sep 2, 2017 · 2 revisions
Remote Recon is a C# post-exploitation agent that uses WMI and the registry as its C2 channel. It provides a few common post-exploitation capabilities: keylogging, screenshots, token impersonation, and PowerShell execution via runspaces. The agent is compiled into a class library and then converted to a JScript payload using @tiraniddo's DotNetToJScript tool. To gain execution on a remote target, a WMI event subscription is created with the JScript payload as an ActiveScriptEventConsumer. The event fires when a RegistryValueChangeEvent occurs for one of the values within the Remote Recon base registry path. Alternative methods for execution exist with PowerShell, JScript/VBScript execution with cscript.exe, and COM scriptlets.
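For defenders, the execution method described above leaves a permanent WMI subscription that can be enumerated on the host. The following hunting script is an added example, not code from the Remote Recon project; the function name and the two namespaces it sweeps are assumptions chosen for illustration.

```powershell
# Added hunting example (not part of Remote Recon). Run from an elevated prompt.
# Lists every ActiveScriptEventConsumer that is bound to an event filter and
# flags the ones whose filter query watches RegistryValueChangeEvent.
function Find-RegistryTriggeredScriptConsumer {
    # Assumption: these two namespaces are swept; pass others as needed.
    param([string[]]$Namespace = @('root/subscription', 'root/default'))

    foreach ($ns in $Namespace) {
        $q = @{ Namespace = $ns; ErrorAction = 'SilentlyContinue' }

        # Index filters and script consumers by Name (the key of both classes).
        $filters = @{}
        Get-CimInstance @q -ClassName __EventFilter |
            ForEach-Object { $filters[$_.Name] = $_ }
        $consumers = @{}
        Get-CimInstance @q -ClassName ActiveScriptEventConsumer |
            ForEach-Object { $consumers[$_.Name] = $_ }

        # Each binding references exactly one filter and one consumer.
        foreach ($b in Get-CimInstance @q -ClassName __FilterToConsumerBinding) {
            $c = $consumers[[string]$b.Consumer.Name]
            $f = $filters[[string]$b.Filter.Name]
            if (-not $c -or -not $f) { continue }   # not a script consumer

            [pscustomobject]@{
                Namespace       = $ns
                FilterName      = $f.Name
                EventNamespace  = $f.EventNamespace
                Query           = $f.Query
                RegistryTrigger = $f.Query -match 'RegistryValueChangeEvent'
                ConsumerName    = $c.Name
                ScriptingEngine = $c.ScriptingEngine
                ScriptFilename  = $c.ScriptFilename
                # Length only: the script body can be a large serialized payload.
                ScriptLength    = ([string]$c.ScriptText).Length
            }
        }
    }
}

Find-RegistryTriggeredScriptConsumer |
    Sort-Object RegistryTrigger -Descending |
    Format-List
```

A result with `RegistryTrigger` set to `True`, a JScript `ScriptingEngine`, and a large `ScriptLength` matches the pattern this page describes; the registry path named in `Query` is where to look next.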