AggressorScripts/Persistence
Harley Lebeau fb0e752ad3
Updated with PowerPick
2018-02-09 12:49:10 -07:00
..
HKCURunKeyPSRegistryPersist.cna Updated with PowerPick 2018-02-09 12:26:06 -07:00
HKLMRunKeyPSRegistryPersist.cna Updated with PowerPick 2018-02-09 12:26:55 -07:00
Persistence_Menu.cna Updated with PowerPick 2018-02-09 12:33:05 -07:00
README.md Update README.md 2017-07-12 10:32:44 -04:00
RegistryPersist.cna Updated with PowerPick 2018-02-09 12:35:02 -07:00
ServiceEXEPersist.cna Updated with PowerPick 2018-02-09 12:42:21 -07:00
StartUpFolderPersist.cna Updated with PowerPick 2018-02-09 12:44:14 -07:00
StartupGPOPersist.cna Updated with PowerPick 2018-02-09 12:45:30 -07:00
UserSchtasksPersist.cna Updated with PowerPick 2018-02-09 12:46:57 -07:00
WMICEventPersist.cna Updated with PowerPick 2018-02-09 12:48:31 -07:00
WMIEventPersist.cna Updated with PowerPick 2018-02-09 12:49:10 -07:00

README.md

Persistence

Persistence Aggressor Scripts for Cobalt Strike 3.0+

  • Persistence_Menu.cna

    • Includes all scripts into one beacon menu
  • UserSchtasksPersist.cna

    • User Schtasks Persistence that runs as current user for the selected beacon

    • Meant for quick user level persistence upon initial access

    • Thanks to @noone and bluescreenofjeff for assistance

    schtasks

  • ServiceEXEPersist.cna

    • Admin Level Custom Service EXE Persistence

    • Runs as elevated user/SYSTEM for the selected beacon

    service

  • WMICEventPersist.cna

    • Generates a Custom WMI Event using WMIC for SYSTEM Level persistence on selected beacon

    • Very syntax heavy, Test first before using on live targets

    wmic4

  • WMIEventPersist.cna

    • Generates a Custom WMI Event using PowerShell for SYSTEM Level persistence on selected beacon

    • Very syntax heavy, Test first before using on live targets

    wmipersist1

  • StartupGPOPersist.cna

    • Generates a Local GPO Entry in psscripts.ini to call a .ps1 script file for persistence on selected beacon

    • Calls back as SYSTEM

    • Check permissions with GPO Enumeration (Successful GroupPolicy Directory Listing) first before executing

    • Beacon execution will cause winlogon.exe to hang and the end user can't login. Once the new beacon checks in inject into another process and kill the original. Update to come out soon.

    gpo

  • RegistryPersist.cna

    • Creates a Custom Registry Key, Value, Type, and Payload Location based on user input for selected beacon

    registry

  • HKCURunKeyPSRegistryPersist.cna

    • Creates two Custom Registry Run Key entries in HKCU

    • The Payload is a base64 encoded powershell payload based off your HTTP/HTTPS listener

    hkcu