Capabilities
Remote Recon implements some of the more common post-exploitation capabilities: screenshots, keylogging, token impersonation, DLL/shellcode injection, and PowerShell execution. Most of these techniques are well documented elsewhere, so they are not covered in detail here. Instead, the process injection and keylogging modules serve as examples of how commands are tasked to the agent.
Each command and its arguments are stored in the registry values named command and args respectively; any additional arguments go in the run value. Command results are not returned immediately: the agent writes them to the registry, and the operator retrieves them whenever convenient.
In this example we'll inject a shellcode wrapper that stages an Empire implant. Generating the shellcode is out of scope here; if you're interested, check out this project from @monogas.
Running Invoke-ShellcodeInject returns an object containing the ComputerName, the command, and its argument (the target ProcessId). Retrieving the results only requires the -Results switch.
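The registry-based tasking model described above, as an added example that is not RemoteRecon's own code: a controller writes a task into the command, args and run values of a key, the agent reads and executes it, and the output is written back to the registry for the operator to collect later. The key path HKCU:\Software\RemoteReconDemo, the result value name, the function names and the two demo commands are assumptions for this illustration, not the project's real layout.

```powershell
# Added example, not RemoteRecon's code. Models the registry-based tasking
# described in the text: command / args / run values in, result value out.
# The key path, the 'result' value name and the demo commands are assumptions.
$TaskKey = 'HKCU:\Software\RemoteReconDemo'

function Set-DemoTask {
    # Controller side: write one task into the key and clear any stale result.
    param(
        [Parameter(Mandatory)][string]$Command,
        [string]$Arguments = '',
        [string]$Run = ''
    )
    if (-not (Test-Path $TaskKey)) { New-Item -Path $TaskKey -Force | Out-Null }
    Set-ItemProperty -Path $TaskKey -Name 'command' -Value $Command
    Set-ItemProperty -Path $TaskKey -Name 'args'    -Value $Arguments
    Set-ItemProperty -Path $TaskKey -Name 'run'     -Value $Run
    Remove-ItemProperty -Path $TaskKey -Name 'result' -ErrorAction SilentlyContinue
}

function Invoke-DemoTask {
    # Agent side: read the pending task, dispatch on the command name, and
    # store the output in the registry instead of returning it to the caller.
    $task = Get-ItemProperty -Path $TaskKey
    if ([string]::IsNullOrEmpty($task.command)) { return }   # nothing queued
    $output = switch ($task.command) {
        'whoami' { [System.Security.Principal.WindowsIdentity]::GetCurrent().Name }
        'procs'  {
            # 'args' carries the process name to look up; 'run' is unused here.
            (Get-Process -Name $task.args -ErrorAction SilentlyContinue |
                ForEach-Object { "$($_.Name):$($_.Id)" }) -join ','
        }
        default  { "unknown command '$($task.command)'" }
    }
    Set-ItemProperty -Path $TaskKey -Name 'result'  -Value ([string]$output)
    # Consume the task so the next poll does not execute it again.
    Set-ItemProperty -Path $TaskKey -Name 'command' -Value ''
}

function Get-DemoTaskResult {
    # Controller side, the equivalent of a -Results switch: fetch stored output.
    # Returns $null when the agent has not run the task yet.
    (Get-ItemProperty -Path $TaskKey -Name 'result' -ErrorAction SilentlyContinue).result
}

# Usage: queue a task, let the agent loop run once, then collect the output.
Set-DemoTask -Command 'procs' -Arguments 'explorer'
Invoke-DemoTask
Get-DemoTaskResult
```

Writing to HKCU needs no elevation, which is why the demo key lives there. The stale-result cleanup in Set-DemoTask and the command reset in Invoke-DemoTask are the two checks that keep this model honest: without them a controller could read the previous task's output as if it were new, and an agent polling the key would re-run the same task on every pass.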
Get-Keystrokes and Get-Screenshot work the same way. The native library is patched with a keylog or screenshot command and injected into the target process, where it loads the CLR and then loads the RemoteReconKS assembly in memory. Data is returned to RemoteReconCore over named pipes. Once Get-Keystrokes has been issued, the results can be retrieved periodically or the agent can be polled continuously.
Invoke-PowerShellCmd executes a PowerShell command through a runspace from the System.Management.Automation.Runspaces namespace. This gives the operator flexibility in how to complete additional tasks (file transfers, webcam access, microphone access, etc.).
Similar to Empire's scriptimport and Cobalt Strike's powershell-import commands, Import-Script holds a PowerShell script in memory so that its functions are available to subsequent Invoke-PowerShellCmd calls.
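Executing a command through a runspace and keeping imported script text in memory, as an added example that is not the project's Invoke-PowerShellCmd or Import-Script implementation: imported script bodies are stored in a variable and prepended to each command, so their functions are defined in the runspace before the command runs. The function names Import-DemoScript, Invoke-DemoPowerShellCmd and Get-DemoHostInfo are hypothetical.

```powershell
# Added example, not RemoteRecon's code. Shows the two ideas from the text:
# running a command in a System.Management.Automation runspace, and holding
# imported script text in memory so its functions are callable later.
# Import-DemoScript / Invoke-DemoPowerShellCmd are hypothetical stand-ins.
$script:ImportedScripts = @()

function Import-DemoScript {
    # Keep the script body in memory only; it is never written to disk.
    param([Parameter(Mandatory)][string]$ScriptText)
    $script:ImportedScripts += $ScriptText
}

function Invoke-DemoPowerShellCmd {
    param([Parameter(Mandatory)][string]$Command)
    $rs = [System.Management.Automation.Runspaces.RunspaceFactory]::CreateRunspace()
    $ps = [System.Management.Automation.PowerShell]::Create()
    try {
        $rs.Open()
        $ps.Runspace = $rs
        # Prepend every imported script to the command and run them as one
        # script, so functions defined by the imports are in scope for $Command.
        $body = (@($script:ImportedScripts) + $Command) -join "`n"
        [void]$ps.AddScript($body)
        $results = $ps.Invoke()
        if ($ps.HadErrors) {
            # Surface errors rather than silently returning partial output.
            $ps.Streams.Error | ForEach-Object { "ERROR: $($_.ToString())" }
        }
        $results | Out-String
    }
    finally {
        $ps.Dispose()
        $rs.Dispose()   # Dispose closes the runspace as well
    }
}

# Usage: import a function definition from memory, then call it.
Import-DemoScript -ScriptText @'
function Get-DemoHostInfo {
    [pscustomobject]@{
        Host = $env:COMPUTERNAME
        User = $env:USERNAME
    }
}
'@
Invoke-DemoPowerShellCmd -Command 'Get-DemoHostInfo | Select-Object Host, User'
```

A fresh runspace is created per call, so nothing carries over between commands except what the operator has deliberately imported; the imported text is re-evaluated from memory each time. Reusing one opened runspace across calls would instead preserve variables and functions between commands, which is a reasonable alternative when the operator wants that state.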