Slack and Microsoft Teams Notifications for Empire and Meterpreter Agents
By Russel Van Tuyl
A short time ago, I wrote a Python script that would send notification messages to Slack when a computer was compromised and an Empire or Meterpreter agents was dropped. I spent a little time updating the script and added support for Microsoft Teams notifications. This blog explains how I set up Slack and Microsoft Teams notifications for Empire and Meterpreter agents.
In order to receive notification in Microsoft Teams, you will need to identify or create a channel where you would like the messages posted. While in the channel, click on the “More options” button and then Connectors.
Now add a new “Incoming Webhook” and configure it by providing a name for the connection and an avatar image like in the image below.
Now that the Microsoft Teams webhook is set up, be sure to copy it from the bottom of the connector configuration page. This value needs to be placed in the ShellBot configuration file.
Download the ShellBot application from my GitHub page at https://github.com/Ne0nd0g/shellbot. Next, open the shellbot.conf file and add in the Microsoft Teams webhook to the “teams” section of the configuration file by updating the value of “teamsHook”. Update the remaining values if necessary.
Read my previous blog post on setting up ShellBot for Slack an integration with Metasploit and Empire https://www.swordshield.com/2016/11/slackshellbot/.
When ShellBot is configured, run the shellbot.py script on the host where your Metasploit and Empire listeners are.
Pro Tip: run ShellBot in a GNU Screen session so it will stay running at all times. ShellBot will continually poll Metasploit and Empire every 60 seconds (configurable). Once a new agent is checked in, the Python script will print a message and then post a message to Slack and MS Teams.
This is what ShellBot will display when a new agent checks in:
Here is an example of the new Empire check in on Microsoft Teams:
Here is an example of new Meterpreter check in on Microsoft Teams:
I hope that you find Python script for setting up Slack and Microsoft Teams notifications for Empire and Meterpreter agents useful. Don’t forget this script can be paired with the Multi-Tool Multi-User HTTP Proxy to provide an awesome notification system. Happy hunting.
Russel Van Tuyl is the managing consultant for security assessments at Sword & Shield Enterprise Security. His primary role is conducting network vulnerability assessments and penetration tests but also performs web application assessments, firewall configuration audits, wireless assessments, and social engineering.
He has more than 11 years of experience in the technical field in roles such as database design, field device support, help desk, IT asset management, programming, and information security.