Red Teaming Tools for cyberattacks

Cyble Research and Intelligence Labs (CRIL) identified that attackers are using Red Teaming Tools for cyberattacks. During the routine threat hunting process, researchers noticed instances of the PowerShell Empire command and control (C&C) infrastructure. 

The PowerShell Empire is a post-exploitation red teaming tool used for creating stagers that connect to C&C servers after an initial compromise through vectors such as phishing emails, exploiting public-facing IT systems, and watering hole attacks, etc. Experts found multiple infections while searching for the PowerShell Empire-related files.

https://i0.wp.com/blog.cyble.com/wp-content/uploads/2022/09/Figure-1-Cyble-PowerShell-Empire-Windows-Red-teaming-PowerShell-Empire-CC-Details.png?resize=816%2C672&ssl=1
PowerShell Empire C&C Details

PowerShell Empire Framework

According to SANS Institute, “Empire’s C&C traffic is asynchronous, encrypted, and designed to blend in with normal network activity”.

EHA

Basically, the framework is based on a client and server architecture. Experts says, to develop the payload and C&C, the PowerShell Empire server and clients should be up and running. The PowerShell Client is used to create a listener and stager for performing the attack.

In this case, the listener is the C&C, and the stager is the payload to be executed on the compromised system. Subsequent to an initial compromise, the victim system will communicate to the C&C and register itself as an agent. After that, using the listener, the attacker can simply manage the compromised system.

https://i0.wp.com/blog.cyble.com/wp-content/uploads/2022/09/Figure-2-Cyble-PowerShell-Empire-Windows-Red-teaming-Empires-Server-and-Client-Interactive-Shells.png?resize=944%2C711&ssl=1
Empire’s Server and Client Interactive Shells

Here, the listener listens to the connection from the victim machine and in return establishes the connection with the stager. Stagers are related to the payload, and after the initial compromise, stagers are dropped and executed on the victim system.

Researchers point out that Empire gives a C&C framework to remotely manage multiple compromised systems at a single point.

https://i0.wp.com/blog.cyble.com/wp-content/uploads/2022/09/Figure-9-Cyble-PowerShell-Empire-Windows-Red-teaming-CC-Communication-from-victim-machine.png?resize=804%2C511&ssl=1
C&C Communication from the victim machine

“The network traffic is encrypted and designed to be mixed with the normal network activity. The agent continuously sends the GET request to receive commands from the C&C for performing other malicious activities”, explains Cyble Research and Intelligence Labs.

Thus, Red teaming tools are critical; hackers can utilize these tools to conduct highly stealthy and dangerous attacks against their targets.

How To Stay Protected?

  • Download and install software only from official app stores like Play Store or the iOS App Store.
  • Use a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permission.
  • Keep your devices, operating systems, and applications updated.

Therefore, it is essential to regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices and be aware of the alerts provided by Antiviruses and Android OS.

Download Free SWG – Secure Web Filtering – E-book

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.