infosecn1nja
/
AggressorScripts
mirror of https://github.com/infosecn1nja/AggressorScripts.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
AggressorScripts/Persistence
History
Harley Lebeau 30008d47fc Added HKCU Persistence method 2017-07-12 09:59:20 -04:00
..
HKCURunKeyPSRegistryPersist.cna Fileless HKCU Registry PowerShell Persistence 2017-07-05 13:43:19 -04:00
Persistence_Menu.cna Added HKCU Persistence method 2017-07-12 09:59:20 -04:00
README.md Update README.md 2017-05-25 07:53:35 -04:00
RegistryPersist.cna Update RegistryPersist.cna 2017-05-20 04:09:10 -04:00
ServiceEXEPersist.cna Update ServiceEXEPersist.cna 2017-05-20 04:09:21 -04:00
StartupGPOPersist.cna Updated notes 2017-05-24 15:50:47 -04:00
UserSchtasksPersist.cna Update UserSchtasksPersist.cna 2017-05-20 04:09:33 -04:00
WMICEventPersist.cna Update WMICEventPersist.cna 2017-05-20 04:09:46 -04:00
WMIEventPersist.cna WMI Event Persistence using PowerShell 2017-05-22 15:41:16 -04:00

README.md

Persistence

Persistence Aggressor Scripts for Cobalt Strike 3.0+

  • Persistence_Menu.cna

    • Includes all scripts into one beacon menu

  • UserSchtasksPersist.cna

    • User Schtasks Persistence that runs as current user for the selected beacon

    • Meant for quick user level persistence upon initial access

    • Thanks to @noone and bluescreenofjeff for assistance

    schtasks

  • ServiceEXEPersist.cna

    • Admin Level Custom Service EXE Persistence

    • Runs as elevated user/SYSTEM for the selected beacon

    service

  • WMICEventPersist.cna

    • Generates a Custom WMI Event using WMIC for SYSTEM Level persistence on selected beacon

    • Very syntax heavy, Test first before using on live targets

    wmic4

  • WMIEventPersist.cna

    • Generates a Custom WMI Event using PowerShell for SYSTEM Level persistence on selected beacon

    • Very syntax heavy, Test first before using on live targets

    wmipersist1

  • StartupGPOPersist.cna

    • Generates a Local GPO Entry in psscripts.ini to call a .ps1 script file for persistence on selected beacon

    • Calls back as SYSTEM

    • Check permissions with GPO Enumeration (Successful GroupPolicy Directory Listing) first before executing

    • Beacon execution will cause winlogon.exe to hang and the end user can't login. Once the new beacon checks in inject into another process and kill the original. Update to come out soon.

    gpo

  • RegistryPersist.cna

    • Creates a Custom Registry Key, Value, Type, and Payload Location based on user input for selected beacon

    registry