Capabilities

Chris Ross edited this page Sep 4, 2017 · 9 revisions

Remote Recon Post-ex Capabilities

Remote Recon maintains some of the more common post-exploitation modules, such as taking screenshots, keylogging, token impersonation, DLL/shellcode injection, and PowerShell execution. Most of these capabilities are well documented elsewhere, so it isn't necessary to cover all of them in detail here. Let's use the process injection and keylogging modules as examples to briefly cover how commands are tasked to the agent.

All commands and their arguments are stored in the command and args registry values, respectively. Additional arguments are stored in the run value. Command results are not returned immediately; they are stored in the registry for retrieval at the user's discretion.
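From the defender's side, the tasking model above (a key that receives command, args and run values in quick succession) is a pattern that registry telemetry can flag. The following is an added example, not code from the Remote Recon project: the key path and the event records are constructed placeholders shaped like parsed Sysmon Event ID 13 (RegistryEvent, value set) records, since this page does not name the key the agent watches.

```python
# Added example (not RemoteRecon code): flag a registry key that receives the
# "command", "args" and "run" values within a short window, the tasking pattern
# described on this page. The key path and the event records are constructed
# placeholders modelled on parsed Sysmon Event ID 13 (RegistryEvent, value set).
from collections import defaultdict

TASKING_VALUES = frozenset({"command", "args", "run"})

# Constructed sample telemetry: one benign writer and one agent-like tasking burst.
SAMPLE_EVENTS = [
    {"ts": 10, "image": "C:\\Program Files\\Vendor\\setup.exe",
     "target": "HKLM\\SOFTWARE\\Vendor\\App\\command"},
    {"ts": 100, "image": "C:\\Windows\\System32\\reg.exe",
     "target": "HKLM\\SOFTWARE\\PLACEHOLDER_AGENT_KEY\\command"},
    {"ts": 101, "image": "C:\\Windows\\System32\\reg.exe",
     "target": "HKLM\\SOFTWARE\\PLACEHOLDER_AGENT_KEY\\args"},
    {"ts": 103, "image": "C:\\Windows\\System32\\reg.exe",
     "target": "HKLM\\SOFTWARE\\PLACEHOLDER_AGENT_KEY\\run"},
]


def split_target(target):
    """Split a Sysmon TargetObject into (key path, value name); value name is case-folded."""
    key, _, value = target.rpartition("\\")
    return key, value.lower()


def find_tasking_keys(events, window=60):
    """Return one alert per key that saw all three tasking values within `window` seconds.

    State is kept per key rather than per process: the page notes results are written
    back to the registry later, so the writer and the reader need not be the same image.
    """
    latest = defaultdict(dict)  # key path -> {value name: (ts, image)}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key, value = split_target(ev["target"])
        if value not in TASKING_VALUES:
            continue  # a lone "command" value (benign installer above) never alerts
        latest[key][value] = (ev["ts"], ev["image"])
        if not TASKING_VALUES.issubset(latest[key]):
            continue
        stamps = [t for t, _ in latest[key].values()]
        if max(stamps) - min(stamps) <= window:
            alerts.append({"key": key, "first_ts": min(stamps), "last_ts": max(stamps),
                           "writers": sorted({img for _, img in latest[key].values()})})
            latest.pop(key)  # reset so one burst yields a single alert
    return alerts


if __name__ == "__main__":
    for alert in find_tasking_keys(SAMPLE_EVENTS):
        print(alert)
```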

Process Injection

In this example we will inject a shellcode wrapper that stages an Empire implant. I'll skip the details of generating the shellcode we need. If you're interested, you should check out this sweet project from @monogas.

When executing the Invoke-ShellcodeInject function, the object returned will contain the ComputerName, command, and argument (ProcessId). Getting the results only requires the Results switch.

ShellcodeInject

Empire-AgentRcvd

Keylogging

The Get-Keystrokes and Get-Screenshot functions are executed in a similar fashion. The native library is patched with a keylog or screenshot command, then injected into the target process, where it loads the CLR and then the RemoteReconKS assembly in memory. Data is returned to RemoteReconCore via named pipes. Once we issue the Get-Keystrokes command, we can periodically retrieve the results or continuously poll the agent.

Keylog task

Keylog Results
