This post is about spawning an Empire session over an already established foothold using reverse port forwarding. Spoiler, it’s all in the custom proxy settings.
Why not run an entirely new session back to the C2 infrastructure? Personally, I spend quite a bit of time running my externally destined traffic through the gauntlet: NGFWs, NIDS, and proxies *cough* check your stager *cough*. Every time you call home, the chance of detection increases, especially when introducing different types of C2 network traffic.
Onto the example. Set up the reverse port forward; I used Cobalt Strike, but any old reverse port forwarder could be used, like SSH, meterpreter, and so on.
After establishing a reverse port forward there should be a listening socket at TCP/8443 on WIN10-DM. This will forward traffic from WIN10-DM back to the C2 infrastructure over the existing Cobalt Strike session. However, our C2 infrastructure will not be listening at TCP/8443 yet; we need to start up an Empire listener for that.
The host parameter will be set to the external IP address of the C2 server while the proxy parameter will be set to the internal hostname or IP address of the pivot.
Note, the proxy for the stager has to be set as well, or else staging will be performed directly against the C2 infrastructure instead of through the pivot. For this example, I selected the Windows/DLL stager because it can be injected into an already elevated process with Cobalt Strike using the dllinject command.
After injection, if everything went well, a new Empire session should register using the Cobalt Strike injected process and existing tunnel.
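From the defender's side, the artifact this procedure leaves on the pivot is a new wildcard listener (TCP/8443 on WIN10-DM) owned by the same process that already holds the outbound egress session. The following Python is an added example, not code from the original post: it parses constructed `netstat -ano` style lines and a constructed PID-to-image map, and flags non-baseline listeners whose owning process also has an established connection to a non-internal address.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of `netstat -ano` output from a workstation (not from the post).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       4812
  TCP    10.0.0.25:49702        198.51.100.10:443      ESTABLISHED     4812
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING       3204
"""

# Constructed PID -> image name map (what `tasklist` would report); hypothetical names.
SAMPLE_PROCS: Dict[int, str] = {912: "svchost.exe", 4: "System",
                                4812: "rundll32.exe", 3204: "vendorapp.exe"}

# Ports a domain-joined workstation is expected to listen on; tune per estate.
BASELINE_PORTS = {135, 139, 445, 5040, 5357, 3389}

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_netstat(text: str) -> List[dict]:
    """Turn netstat TCP lines into dicts; lines that do not match are ignored."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            laddr, lport, raddr, rport, state, pid = m.groups()
            rows.append({"laddr": laddr.strip("[]"), "lport": int(lport),
                         "raddr": raddr.strip("[]"), "rport": int(rport),
                         "state": state, "pid": int(pid)})
    return rows


def _is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or any(ip in net for net in INTERNAL_NETS)


def find_suspicious_listeners(text: str, procs: Dict[int, str],
                              baseline=BASELINE_PORTS) -> List[Tuple[int, int, str, bool]]:
    """Return (port, pid, image, pid_has_external_egress) for non-loopback,
    non-baseline listeners. A True flag matches the reverse-forward pattern:
    the listener's owner is also the process talking out to the C2."""
    rows = parse_netstat(text)
    egress_pids = {r["pid"] for r in rows
                   if r["state"] == "ESTABLISHED" and not _is_internal(r["raddr"])}
    hits = []
    for r in rows:
        if r["state"] != "LISTENING" or r["lport"] in baseline:
            continue
        if ipaddress.ip_address(r["laddr"]).is_loopback:
            continue
        hits.append((r["lport"], r["pid"], procs.get(r["pid"], "?"), r["pid"] in egress_pids))
    return hits
```

Run over real `netstat -ano` and `tasklist` output on a suspected pivot, or feed the same logic from EDR telemetry; the port baseline is the part that needs tuning per environment.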
Note, I tried pivoting with Empire using WIN10-DM as the proxy and was unable to spawn a lateral session. In my example, TCP/8443 directly back to the C2 infrastructure was blocked, so there might be an issue with the staging of the Empire session. However, looking at the Empire invoke-psexec stager code, it appears that the proxy setting was correctly being passed to the generate stager function. Either way, I'll do a bit more testing on it and let you know if it's an endpoint or network issue.